> Le 7 mars 2017 à 19:49, Willy Tarreau <[email protected]> a écrit : > > On Tue, Mar 07, 2017 at 07:09:30PM +0100, Emmanuel Hocdet wrote: >> Use case is to send the fingerprint on backend and associate it with the user >> agent or anything else to analyse the security level of the connection , >> detect man >> in the middle, ... And yes the need is to avoid false positif! >> >> Fingerprint of the cipher-list only is not enough. Perhaps in another >> capture sample >> 'fingerprintTLS'. >> >> You ca also have sha256 in capture and generate a int for haproxy counters >> usage. > > Then you just need to add a sha256 converter and apply it to the binary > block. It's pointless to waste so much memory for a very specific use case > that can be implemented with the way samples already work. But if you're > going to take something that large, it might even be preferable to keep > the binary block as-is. >
No because the block can be truncated, sample must be stored in a variable size
buffer
to fix that. Do fingerprint earlier avoid such manipulation.
With this example it's now easy to add another sample. I would do it as needed
:)
>>>> For the code:
>>>> ssl->msg_callback_arg is considering as ssl internal. It should be a very
>>>> good
>>>> think to avoid internal structures/undocumented call usage to try to
>>>> control the
>>>> beast or limit painful compatibilities.
>>>> In this case SSL_set_ex_data and SSL_get_ex_data will do the job.
>>>
>>> Ah yes definitely, thanks for reporting this. I guess that openssl 1.1 will
>>> complain with a warning because of this.
>>>
>>>> I will try to fix the patch, it breaks my compile environment.
>>>
>>
>> and the patch:
>
> Thanks. Hmmm comments below :
>
> @@ -4541,13 +4522,8 @@ static int ssl_sock_from_buf(struct connection *conn,
> struct buffer *buf, int fl
> }
>
> static void ssl_sock_close(struct connection *conn) {
> - struct ssl_capture *capture;
>
> if (conn->xprt_ctx) {
> -#if OPENSSL_VERSION_NUMBER >= 0x00907000L
> - capture = SSL_get_msg_callback_arg(conn->xprt_ctx);
> - pool_free2(pool2_ssl_capture, capture);
> -#endif
>
> This strongly looks like a memory leak to me, it looks like instead
> you want this :
>
> capture = SSL_get_ex_data(conn->xprt_ctx,
> ssl_capture_ptr_index);
> pool_free2(pool2_ssl_capture, capture);
It’s done via callback when SSL is freeing:
ssl_capture_ptr_index = SSL_CTX_get_ex_new_index(0, NULL, NULL,
NULL, ssl_sock_capture_free_func);
(SSL_CTX_get_ex_new_index/SSL_get_ex_new_index do exactly the same job)
And patch candidate to apply next.
0001-MINOR-ssl-improved-cipherlist-captures.patch
Description: Binary data
Manu
