Hi Georges-Etienne,

On Tue, Feb 03, 2015 at 08:09:15AM -0500, Georges-Etienne Legendre wrote:
> Hi Willy,
> 
> Thanks a lot for this investigation, it was really helpful.
> 
> My OpenSSL is up-to-date on this server. I first tried to remove the chroot
> statement. I'm pretty sure this in itself solved the leak, but I no longer
> have the traces and a couple of hours after, our Ops changed the SSL check to
> a simple TCP check on port 443. So, I cannot confirm 100%.
> 
> I can however confirm that I no longer experience the leak. I put back the
> chroot command to be safer.

OK that's great.

> This also prompted me to tweak the SSL ciphers. I now use a more thoughtful
> list of ciphers (
> https://mozilla.github.io/server-side-tls/ssl-config-generator/) and
> disabled SSLv3. This indeed disables KRB5.
> 
>     ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>     ssl-default-bind-options no-sslv3

Wow! When we introduced SSL, I expected that a lot of difficulties
would come from it, but not that the ugliest config statements would
come with it as well :-)

> I will keep a close eye on the memory usage... HAProxy has been running for
> about 16 hours now, and here is the ps output:
> # ps -u nobody u
> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
> nobody   63985  0.5  0.0  53868 10960 ?        Ss   Feb02   5:19 /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
> 
> Looks good :-)

Yes indeed. Now I think it will really be important to report this leak
to whomever it concerns (probably the distro vendor so that they decide
whether it's in their own patches or in openssl upstream). My openssl
version doesn't have krb5 and I have never understood what is needed to
enable it nor what it provides. Crypto libs tend to be cryptic ...

Willy
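A practical follow-up to the cipher list quoted above, as an added example that is not code from this thread, from HAProxy or from OpenSSL: the script below hands the exact `ssl-default-bind-ciphers` string to the local OpenSSL through Python's `ssl` module, which expands it the same way `openssl ciphers -v '<string>'` does, and then checks the resulting suites for the families the new list is meant to keep out (Kerberos, RC4, MD5, anonymous/NULL, export grade). The helper names `expand_cipher_string`, `audit_suites` and `forward_secrecy_ratio`, the `WEAK_PATTERNS` table and the constructed sample list in the `__main__` block are my own. Note that the result depends on the OpenSSL build doing the expansion: a build without krb5 support, like the one Willy describes, never lists KRB5 suites no matter what the string says, so the check is only meaningful when run on the HAProxy host itself.

```python
"""Expand an HAProxy ssl-default-bind-ciphers string with the local OpenSSL
and audit the enabled suites for properties the thread wanted excluded."""
import re
import ssl

# The cipher string from the thread (Mozilla server-side-tls generator output),
# split into its tokens so each rule is visible.
HAPROXY_BIND_CIPHERS = ":".join([
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256", "kEDH+AESGCM",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA256",
    "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "AES128-SHA", "AES256-SHA", "AES", "CAMELLIA", "DES-CBC3-SHA",
    # '!' rules remove suites permanently; later rules cannot re-add them.
    "!aNULL", "!eNULL", "!EXPORT", "!DES", "!RC4", "!MD5", "!PSK", "!aECDH",
    "!EDH-DSS-DES-CBC3-SHA", "!EDH-RSA-DES-CBC3-SHA", "!KRB5-DES-CBC3-SHA",
])

# Constructed table (my own, not from the thread): suite-name patterns for
# the properties the new list is meant to exclude.
WEAK_PATTERNS = {
    "kerberos key exchange": re.compile(r"KRB5"),
    "RC4 stream cipher": re.compile(r"RC4"),
    "MD5 MAC": re.compile(r"MD5"),
    "anonymous or NULL": re.compile(r"(^|-)(ADH|AECDH|NULL)(-|$)"),
    "export grade": re.compile(r"EXP"),
}


def expand_cipher_string(cipher_string):
    """Return the suite names the local OpenSSL enables for `cipher_string`,
    in server preference order, as `openssl ciphers -v` would list them.
    Tokens unknown to this build (e.g. KRB5 on a build without Kerberos)
    are silently ignored by OpenSSL, so absence proves nothing about another
    host's build. TLS 1.3 suites are not governed by the string and are
    left out so the result reflects only what the string controls."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)  # server side
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_suites(names):
    """Map each weak property to the suites in `names` that exhibit it.
    An empty dict means none of the excluded families survived."""
    findings = {}
    for label, pattern in WEAK_PATTERNS.items():
        hits = [n for n in names if pattern.search(n)]
        if hits:
            findings[label] = hits
    return findings


def forward_secrecy_ratio(names):
    """Fraction of suites with ephemeral (ECDHE/DHE) key exchange. The list
    above deliberately keeps static-RSA suites such as AES128-SHA for old
    clients, so on a real host this is expected to be below 1.0."""
    if not names:
        return 0.0
    pfs = [n for n in names if n.startswith(("ECDHE-", "DHE-"))]
    return len(pfs) / len(names)


if __name__ == "__main__":
    enabled = expand_cipher_string(HAPROXY_BIND_CIPHERS)
    print(f"{len(enabled)} suites enabled by this OpenSSL build:")
    for name in enabled:
        print("  " + name)
    print("findings:", audit_suites(enabled) or "none")
    print(f"forward secrecy: {forward_secrecy_ratio(enabled):.0%} of suites")
    # Constructed sample of what an unfiltered list might contain.
    sample = ["RC4-SHA", "KRB5-DES-CBC3-SHA", "ADH-AES128-SHA", "NULL-MD5"]
    print("sample findings:", audit_suites(sample))
```

On the HAProxy host the same expansion is `openssl ciphers -v '<the string>'`; piping that through `grep -E 'KRB5|RC4|MD5|ADH|NULL|EXP'` is the one-line equivalent of `audit_suites`, and running it with the previous cipher string is how one would confirm that the earlier configuration actually offered the KRB5 suites the leak was traced to.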

