Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

[Dave Zhu (yanbzhu)]

Hey Bryan,

I believe I have gotten to the bottom of the behavior that you are seeing:


  1.  0.9.8 client cannot connect to dual cert port: This was a bug on my part. 
I neglected to set a DHE keys for the SSL_CTX with multiple certs. I’ve 
attached another set of patches (1-5 are identical, 6 is new) that fixes this.
  2.  ECC capable client does not use ECC cipher: I believe this is due to your 
test configuration. Openssl prefers RSA ciphers by default, and so if you don’t 
specify an ECC cipher first, it will always pick an RSA cipher. Your test uses 
"./openssl-1.0.2e/apps/openssl s_client -connect 127.0.0.1:8443” as the 
command, which will use the default cipher list. Try specifying an ECC cipher 
as the first cipher and it should work.

Please take a look.

-Dave

From: Bryan Talbot <bryan.tal...@ijji.com<mailto:bryan.tal...@ijji.com>>
Date: Monday, December 7, 2015 at 5:58 PM
To: Willy Tarreau <w...@1wt.eu<mailto:w...@1wt.eu>>
Cc: Yanbo Zhu <yanb...@cisco.com<mailto:yanb...@cisco.com>>, Olivier Doucet 
<webmas...@ajeux.com<mailto:webmas...@ajeux.com>>, Emeric Brun 
<eb...@haproxy.com<mailto:eb...@haproxy.com>>, Lukas Tribus 
<luky...@hotmail.com<mailto:luky...@hotmail.com>>, Remi Gacogne 
<rgaco...@coredump.fr<mailto:rgaco...@coredump.fr>>, Nenad Merdanovic 
<ni...@nimzo.info<mailto:ni...@nimzo.info>>, 
"haproxy@formilux.org<mailto:haproxy@formilux.org>" 
<haproxy@formilux.org<mailto:haproxy@formilux.org>>, Bryan Talbot 
<bryan.tal...@ijji.com<mailto:bryan.tal...@ijji.com>>
Subject: Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Glad you were able to get to the bottom of the crash.

With the newest 5 patches, I'm still not seeing the behavior I am expecting. To 
make my testing and expectations hopefully more clear, I've pushed them to 
github (https://github.com/btalbot/dual-stack-test)  From a laptop with Vagrant 
installed, it should be a simple process to provision a host for testing and 
run the test script.

What I am expecting is that OpenSSL 0.9.8 client will be able to connect to an 
haproxy port that is bound to both ECDSA and RSA certificates. This doesn't 
work for me and the connection fails the SSL handshake.

I'm also expecting that a newer OpenSSL which support ECC will connect AND 
negotiate and use the 256 bit ECDSA certificate and not the RSA cert. My tests 
always show the ECC capable client still getting the RSA certificate.



-Bryan




On Mon, Dec 7, 2015 at 1:44 PM, Willy Tarreau <w...@1wt.eu<mailto:w...@1wt.eu>> 
wrote:
On Mon, Dec 07, 2015 at 08:48:53PM +0000, Dave Zhu (yanbzhu) wrote:
> Hey Willy
>
> On 12/7/15, 3:11 PM, "Willy Tarreau" <w...@1wt.eu<mailto:w...@1wt.eu>> wrote:
> >
> >Yep, thanks for the pointer. So indeed gcc's inline version of strncpy
> >*is*
> >bogus. strncpy() has no right to guess the destination size.
> >
> >I suspect that if you just do this it would work (prefix the array with
> >'&'
> >and use [0] :
> >
> >   strncpy((char *)&s_kt->name.key[0], trash.str, i);
> >
> >Thanks,
> >Willy
>
> You would be correct in this guess :)
>
> So what零 the preference? Should I change it to use this weird version of
> strcpy, or change it to memcpy?

I'd prefer the memcpy() anyway. Please keep your comment and add the
link to gcc's bugzilla so that nobody is tempted to change this later
for any reason, and please mention that it's the inlined version of
strncpy() which refuses to write into a char[0].

You have my full support if you want to add some dirty words there to
express your feelings about the compiler which dies on valid C code...

Thanks,
Willy

0001-MINOR-ssl-Added-cert_key_and_chain-struct.patch
Description: 0001-MINOR-ssl-Added-cert_key_and_chain-struct.patch

0002-MEDIUM-ssl-Added-support-for-creating-SSL_CTX-with-m.patch
Description: 0002-MEDIUM-ssl-Added-support-for-creating-SSL_CTX-with-m.patch

0003-MINOR-ssl-Added-multi-cert-support-for-crt-list-conf.patch
Description: 0003-MINOR-ssl-Added-multi-cert-support-for-crt-list-conf.patch

0004-BUG-MINOR-ssl-Fixed-code-that-crashed-under-optimiza.patch
Description: 0004-BUG-MINOR-ssl-Fixed-code-that-crashed-under-optimiza.patch

0005-MINOR-ssl-Clean-up-unused-code-fixed-spelling-error.patch
Description: 0005-MINOR-ssl-Clean-up-unused-code-fixed-spelling-error.patch

0006-BUG-MINOR-ssl-Fixed-error-where-multi-certs-didn-t-s.patch
Description: 0006-BUG-MINOR-ssl-Fixed-error-where-multi-certs-didn-t-s.patch