Hi, all
I have tested persistence on the SSL session ID with haproxy-1.5-dev16. The
main configuration of the frontend and backend is as below:
frontend fe
    bind 172.22.16.112:443 ssl crt /home/fortiadc/ca-user-key.pem ca-file /home/fortiadc/ca-root.cer #verify required crl-file /home/fortiadc/ca-root-crl.cer
    maxconn 1048576
    use_backend be unless
backend be
    balance roundrobin
    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello
    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    # should be (44, 32) if sticking to SSL session ID ?
    stick on payload_lv(43,1) if clienthello
    # Learn on response if server hello.
    # should be (44, 32) if storing SSL session ID ?
    stick store-response payload_lv(43,1) if serverhello
    server 1 10.128.7.1:80 cookie cookie weight 1 maxconn 0 slowstart 0s
    server 2 127.0.0.1:80 cookie cookie weight 1 maxconn 0 slowstart 0s
Both the acl and stick configurations are copied from the description of
'stick store-response' in the manual.
After testing, I found that haproxy had not stored the SSL session ID
because the acl 'clienthello' had not matched.
From the SSL support code, SSL_do_handshake() supplied by the
OpenSSL library is called to do the whole SSL handshake.
It means that haproxy doesn't have the chance to copy the TCP payload
during the SSL handshake to the session buffer. As a result,
haproxy cannot check the handshake data. Maybe we could just check the SSL
hello type in the SSL record data.
In addition, I want to know whether the main configuration should be like
this if I want to stick on the SSL session ID:
stick on payload_lv(44,32) if clienthello
stick store-response payload_lv(44,32) if serverhello
I am also wondering whether I used an incorrect configuration that
led to the failure, or whether it is indeed a bug.
Best Regards,
Godbach
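As an added illustration (not part of Godbach's mail or of haproxy's own code) of why the manual's payload_lv(43,1) extracts the session ID while payload_lv(44,32) does not: a small Python model of a TLS ClientHello with the session ID length byte at offset 43 and its value at offset 44, plus rough models of the req_ssl_hello_type and two-argument payload_lv fetches (the function names are reused for readability; how they are modelled here is an assumption, not haproxy's implementation).

```python
import struct

# Constructed sample data: a minimal TLS 1.0 ClientHello record, laid out so
# the offsets match the ones the manual comments describe:
#   0..4   record header (0x16 = handshake, version, 2-byte length)
#   5..8   handshake header (0x01 = client_hello, 3-byte length)
#   9..10  client_version
#   11..42 32-byte random
#   43     session_id length (1 byte)
#   44..   session_id value
def build_client_hello(session_id: bytes) -> bytes:
    if len(session_id) > 32:
        raise ValueError("TLS session IDs are at most 32 bytes")
    body = b"\x03\x01" + b"\x11" * 32               # client_version + fixed random
    body += bytes([len(session_id)]) + session_id  # session_id<0..32>
    body += b"\x00\x02\x00\x2f"                    # cipher_suites: one suite
    body += b"\x01\x00"                            # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def req_ssl_hello_type(payload: bytes):
    """Model of req_ssl_hello_type: handshake type of a TLS handshake record, else None.
    A plaintext HTTP request (what a backend sees once an 'ssl' bind has
    terminated TLS in the frontend) is not a handshake record and yields None."""
    if len(payload) < 6 or payload[0] != 0x16:
        return None
    return payload[5]

def payload_lv(payload: bytes, offset: int, length_bytes: int):
    """Model of the two-argument payload_lv(offset,length): read a big-endian
    length field of <length_bytes> bytes at <offset> and return that many bytes
    immediately after it, or None if the buffer is too short.
    (Assumption: the three-argument form with a value offset is not modelled.)"""
    if len(payload) < offset + length_bytes:
        return None
    n = int.from_bytes(payload[offset:offset + length_bytes], "big")
    start = offset + length_bytes
    if len(payload) < start + n:
        return None
    return payload[start:start + n]

if __name__ == "__main__":
    sid = bytes(range(1, 33))                      # constructed 32-byte session ID
    hello = build_client_hello(sid)
    print("hello type:", req_ssl_hello_type(hello))            # 1 = client hello
    print("payload_lv(43,1):", payload_lv(hello, 43, 1).hex())  # the session ID
    print("payload_lv(44,32):", payload_lv(hello, 44, 32))      # None: offset 44 is data, not a length
```

With (44,32) the fetch treats the first 32 bytes of the session ID as a 32-byte length field, so it never yields the ID; a hello carrying an empty session ID (a new session) makes payload_lv(43,1) return an empty value.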