Hi Grant,

On 03/15/2017 06:20 PM, Grant Zhang wrote:
> Hi Emeric
>> On Mar 15, 2017, at 10:05, Emeric Brun <[email protected]> wrote:
>>
>> Hi John,
>>
>>>>
>>>> There are some inconsistencies between the engine and the used client:
>>>>
>>>> here the conf:
>>>> global
>>>>       tune.ssl.default-dh-param 2048
>>>>       ssl-engine qat
>>>>       ssl-async
>>>>
>>>> listen gg
>>>>       mode http
>>>>       bind 0.0.0.0:8443 ssl crt /root/2048.pem
>>>>       redirect location /
>>>>
>>>> openssl s_client -connect performs well but curl failed:
>>>> emeric@ebr-laptop:~/inject$ curl -k  https://10.0.0.109:8443/
>>>> curl: (35) gnutls_handshake() failed: Bad record MAC
>>>>
>>>>
>>>> If I comment the ssl-engine line, no more issue.
>>>>
>>>> R,
>>>> Emeric
>>>>
>>>> the conf:
>>>>
>>>>
>>>>
>>>>
>>
>> I'm not sure that the issue is related to your patch; I may have reached an issue 
>> in the QAT engine.
>>
>> I've made some test using openssl s_server.
>>
>> Doing a curl request shows this error:
>> [root@centos bin]# ./openssl s_server -accept 9443 -engine qat -cert 
>> /root/2048.pem 
>> ERROR
>> 140267076605760:error:1408F119:SSL routines:ssl3_get_record:decryption 
>> failed or bad record mac:ssl/record/ssl3_record.c:602:
>> shutting down SSL
>> CONNECTION CLOSED
>>
>> And using the haproxy as client also fails with this error:
>> 140267076605760:error:800910C8:lib(128):qat_rsa_priv_enc:rsa from to 
>> null:qat_rsa.c:917:
>> 140267076605760:error:141EC044:SSL 
>> routines:tls_construct_server_key_exchange:internal 
>> error:ssl/statem/statem_srvr.c:2453:
>> shutting down SSL
>> CONNECTION CLOSED
>>
>> R,
>> Emeric
> 
> Maybe you run into the openssl 1.1 SNI issue. Does your test branch have the 
> following patch:
> http://git.haproxy.org/?p=haproxy.git;a=commit;h=d3850603933c9319528375088a9b28b9b345246b
>  
> 
> If not, could you please give a try?
> 
> Thanks,
> 
> Grant
> 
> 

Indeed, I don't have this patch. But it seems that the issue is related to the QAT 
engine:
I'm unable to perform a complete handshake using curl or haproxy ssl client 
mode with openssl s_server -engine qat (no issue without the engine).

I'm currently talking with the Intel guys and trying to solve it.

I'll keep you informed

R,
Emeric



