Hey Bryan,

Are these test certificates? If so, could you send them to me so that I can test them on my side?

Thanks!
-Dave

From: Bryan Talbot <bryan.tal...@ijji.com>
Date: Saturday, December 5, 2015 at 7:16 PM
To: Bryan Talbot <bryan.tal...@ijji.com>
Cc: Yanbo Zhu <yanb...@cisco.com>, "haproxy@formilux.org" <haproxy@formilux.org>
Subject: Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

On Fri, Dec 4, 2015 at 10:17 AM, Bryan Talbot <bryan.tal...@ijji.com> wrote:

On Fri, Dec 4, 2015 at 6:15 AM, Dave Zhu (yanbzhu) <yanb...@cisco.com> wrote:

Hey Bryan, it’s strange that it’s always loading the ECC cert. I just tested the code on my end and I’m not seeing this behavior.

I see it on OSX, I'll test on Linux today.

On Ubuntu VERSION="14.04.3 LTS, Trusty Tahr" with OpenSSL 1.0.2e compiled from source, haproxy is crashing with your patches and a bind line of

    bind :8443 ssl crt ./var/tls/localhost.pem

If I change the bind to be

    bind :8443 ssl crt ./var/tls/

it doesn't crash.

OpenSSL 1.0.2e was built and installed to /usr/local/ssl/ with "./config && make && make test && sudo make install"

haproxy 1.6.2 was built from source

    make -j 4 TARGET=linux2628 USE_OPENSSL=1 SSL_INC=/usr/local/ssl/include SSL_LIB=/usr/local/ssl/lib USE_ZLIB=1 ADDLIB=-ldl all

    $> ./haproxy -vv
    HA-Proxy version 1.6.2 2015/11/03
    Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>

    Build options :
      TARGET  = linux2628
      CPU     = generic
      CC      = gcc
      CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
      OPTIONS = USE_ZLIB=1 USE_OPENSSL=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

    Encrypted password support via crypt(3): yes
    Built with zlib version : 1.2.8
    Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
    Built with OpenSSL version : OpenSSL 1.0.2e 3 Dec 2015
    Running on OpenSSL version : OpenSSL 1.0.2e 3 Dec 2015
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built without PCRE support (using libc's regex instead)
    Built without Lua support
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

    Available polling systems :
          epoll : pref=300,  test result OK
           poll : pref=200,  test result OK
         select : pref=150,  test result OK
    Total: 3 (3 usable), will use epoll.

    $> ./haproxy -f ./tls-test-haproxy.cfg -c
    *** buffer overflow detected ***: ./haproxy terminated
    ======= Backtrace: =========
    /lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7f59577da38f]
    /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f5957871c9c]
    /lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7f5957870b60]
    /lib/x86_64-linux-gnu/libc.so.6(__stpncpy_chk+0x0)[0x7f595786ffc0]
    ./haproxy[0x48dc4e]
    ./haproxy[0x490ec8]
    ./haproxy[0x493090]
    ./haproxy[0x4932d1]
    ./haproxy[0x41e27d]
    ./haproxy[0x42a680]
    ./haproxy[0x406676]
    ./haproxy[0x40490c]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f5957788ec5]
    ./haproxy[0x405963]
    Aborted (core dumped)