On 2015-10-05 17:03, Lukas Tribus wrote:
I would argue that HAProxy is doing the wrong thing here: the
req_ssl_ver variable
should return the handshake version, not the record layer version.
Agreed.
We really should ignore the record layer and use the client hello
version instead (smp_fetch_ssl_hello_sni() has code checking for both
if anyone has time to come up with a patch for req_ssl_ver).
Attached is a patch that should work but doesn't. (bear with me, I'm in
unknown codebase territory here).
I also tried to match directly using req.payload, and I can't get the
ACL to match:
acl tls12 req.payload(9,2) -m bin 0303
acl tls12 req.payload(10,2) -m bin 0303
acl tls12 req.payload(11,1) -m bin 03
None of the above work. Any thoughts?
- Julien

From a92b78ebc52b855284c177f67c081508c843f1fb Mon Sep 17 00:00:00 2001
From: Julien Vehent <[email protected]>
Date: Thu, 8 Oct 2015 09:53:12 -0400
Subject: [PATCH] BUG/MINOR: use SSL handshake instead of record layer when
checking version
---
src/payload.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/payload.c b/src/payload.c
index f62163c..4700f3c 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -148,10 +148,10 @@ smp_fetch_req_ssl_ver(struct proxy *px, struct session *s, void *l7, unsigned in
data = (const unsigned char *)s->req->buf->p;
if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
/* SSLv3 header format */
- if (bleft < 5)
+ if (bleft < 11)
goto too_short;
- version = (data[1] << 16) + data[2]; /* version: major, minor */
+ version = (data[9] << 16) + data[10]; /* version: major, minor */
msg_len = (data[3] << 8) + data[4]; /* record length */
/* format introduced with SSLv3 */
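Review bot: the new reads at data[9] and data[10] assume the record is a handshake record carrying a ClientHello, but the enclosing condition (`*data >= 0x14 && *data <= 0x17`, or `*data == 0xFF`) also admits change-cipher-spec, alert and application-data records, whose bytes 9-10 are not a version. Add a check such as `if (data[0] != 0x16 || data[5] != 0x01) goto not_ssl;` (or fall back to the record-layer version from data[1]/data[2]) before the new `version =` line. Also, `msg_len` on the unchanged line still counts record bytes from offset 5, so `bleft < 11` only guarantees that 11 bytes are buffered, not that this record actually contains the handshake header and client_version; a `msg_len >= 6` check closes that gap.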
@@ -162,7 +162,7 @@ smp_fetch_req_ssl_ver(struct proxy *px, struct session *s, void *l7, unsigned in
if (msg_len < 1 || msg_len > ((1<<14) + 2048))
goto not_ssl;
- bleft -= 5; data += 5;
+ bleft -= 11; data += 11;
} else {
/* SSLv2 header format, only supported for hello (msg type 1) */
int rlen, plen, cilen, silen, chlen;
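Review bot: advancing by 11 here desynchronizes the pointer from `msg_len`: `msg_len` (from data[3]/data[4] in the first hunk) is the record length counted from the byte after the 5-byte record header, so after `bleft -= 11; data += 11;` bleft is 6 bytes smaller than the amount of data `msg_len` describes, and any later comparison of bleft against `msg_len` will treat a fully buffered ClientHello as incomplete. Keep `bleft -= 5; data += 5;` here; the version has already been read from data[9]/data[10] in the first hunk and nothing requires the pointer to move further. This is a likely reason the patch "should work but doesn't".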
--
2.5.3
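To make the offsets discussed in this thread concrete, here is an added example in C that is not part of the thread or of HAProxy's src/payload.c. It parses the first bytes of a TLS record, verifies that the record is a handshake record carrying a ClientHello, and returns both the record-layer version (bytes 1-2, what req_ssl_ver reported) and the ClientHello client_version (bytes 9-10, what the patch tries to read). The sample bytes are constructed, the function and result-code names are this example's own, and the checks go slightly beyond the patch by validating the content type and handshake type before trusting the version bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for tls_hello_versions(); names are this example's own. */
enum { TLS_HELLO_OK = 0, TLS_HELLO_TOO_SHORT = -1, TLS_HELLO_NOT_HELLO = -2 };

/*
 * Read the versions out of the first bytes of a TLS record. Layout:
 *   0      content type (0x16 = handshake)
 *   1-2    record-layer protocol version
 *   3-4    record length (counted from byte 5)
 *   5      handshake type (0x01 = ClientHello)
 *   6-8    handshake length (24-bit)
 *   9-10   client_version, the value req_ssl_ver should report
 * Versions are returned packed as (major << 8) | minor.
 */
int tls_hello_versions(const unsigned char *data, size_t len,
                       unsigned *record_ver, unsigned *hello_ver)
{
    size_t record_len;

    if (len < 11)
        return TLS_HELLO_TOO_SHORT;

    /* Only a handshake record can carry a ClientHello. */
    if (data[0] != 0x16)
        return TLS_HELLO_NOT_HELLO;

    /* The record must at least hold the 4-byte handshake header plus the
     * 2-byte client_version, otherwise bytes 9-10 belong to something else. */
    record_len = ((size_t)data[3] << 8) | data[4];
    if (record_len < 6)
        return TLS_HELLO_NOT_HELLO;

    if (data[5] != 0x01)
        return TLS_HELLO_NOT_HELLO;

    *record_ver = ((unsigned)data[1] << 8) | data[2];
    *hello_ver  = ((unsigned)data[9] << 8) | data[10];
    return TLS_HELLO_OK;
}

/* Constructed sample: a TLS 1.0 record (0x0301) carrying a TLS 1.2
 * ClientHello (0x0303), the mismatch that makes req_ssl_ver report 3.1.
 * Returns the number of bytes written (50), or 0 if the buffer is too small. */
size_t build_sample_client_hello(unsigned char *out, size_t cap)
{
    static const unsigned char head[] = {
        0x16, 0x03, 0x01, 0x00, 0x2d,   /* handshake record, v3.1, 45 bytes */
        0x01, 0x00, 0x00, 0x29,         /* ClientHello, body 41 bytes */
        0x03, 0x03,                     /* client_version 3.3 = TLS 1.2 */
    };
    static const unsigned char tail[] = {
        0x00,                           /* session_id length 0 */
        0x00, 0x02, 0xc0, 0x2f,         /* one cipher suite */
        0x01, 0x00,                     /* one compression method: null */
    };
    size_t n = sizeof(head) + 32 + sizeof(tail);

    if (cap < n)
        return 0;
    memcpy(out, head, sizeof(head));
    memset(out + sizeof(head), 0xab, 32);   /* placeholder 32-byte random */
    memcpy(out + sizeof(head) + 32, tail, sizeof(tail));
    return n;
}

/* Wrappers over the constructed sample that return plain scalars. */
unsigned sample_record_version(void)
{
    unsigned char buf[64]; unsigned r = 0, h = 0;
    size_t n = build_sample_client_hello(buf, sizeof buf);
    tls_hello_versions(buf, n, &r, &h);
    return r;
}

unsigned sample_hello_version(void)
{
    unsigned char buf[64]; unsigned r = 0, h = 0;
    size_t n = build_sample_client_hello(buf, sizeof buf);
    tls_hello_versions(buf, n, &r, &h);
    return h;
}

/* Only 10 of the sample's bytes are available: client_version is not yet in. */
int sample_truncated_result(void)
{
    unsigned char buf[64]; unsigned r = 0, h = 0;
    build_sample_client_hello(buf, sizeof buf);
    return tls_hello_versions(buf, 10, &r, &h);
}

/* A constructed alert record (type 0x15): bytes 9-10 are not a version. */
int alert_record_result(void)
{
    static const unsigned char alert[11] = { 0x15, 0x03, 0x01, 0x00, 0x02,
                                             0x02, 0x28, 0, 0, 0, 0 };
    unsigned r = 0, h = 0;
    return tls_hello_versions(alert, sizeof alert, &r, &h);
}

int main(void)
{
    unsigned rv = sample_record_version(), hv = sample_hello_version();
    printf("record layer %u.%u, ClientHello %u.%u\n",
           rv >> 8, rv & 0xff, hv >> 8, hv & 0xff);
    return 0;
}
```

On the sample this prints "record layer 3.1, ClientHello 3.3", which is exactly the pair of values the thread is arguing about: an ACL on req.payload(9,2) against 0303 sees the ClientHello version, while req_ssl_ver as shipped sees the record-layer 0301.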