Looks like this patch works re verifyhost but I think there's still a
problem here. A browser that tries to load an invalid sni name now
produces 4 tries to the backend with about a second delay between each
attempt, amplifying the problem. It also takes a good 5 seconds for the
connections to cleanup/close on failure. Pretty sure this could lead to
resource exhaustion, etc... Perhaps this needs a caching strategy?
[WARNING] 206/160620 (19914) : Health check for server www-backend-https/app2 succeeded, reason: Layer6 check passed, check duration: 6ms, status: 3/3 UP.
00000000:www-https.accept(0004)=0006 from [::ffff:<redacted>:33139] ALPN=<none>
00000001:www-https.accept(0004)=0005 from [::ffff:<redacted>:45709] ALPN=<none>
00000000:www-https.clireq[0006:ffffffff]: GET / HTTP/1.1
00000000:www-https.clihdr[0006:ffffffff]: Host: ssltest.example.ca
00000000:www-https.clihdr[0006:ffffffff]: Connection: keep-alive
00000000:www-https.clihdr[0006:ffffffff]: Upgrade-Insecure-Requests: 1
00000000:www-https.clihdr[0006:ffffffff]: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
00000000:www-https.clihdr[0006:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
00000000:www-https.clihdr[0006:ffffffff]: Accept-Encoding: gzip, deflate, br
00000000:www-https.clihdr[0006:ffffffff]: Accept-Language: en-US,en;q=0.8
00000000:www-backend-https.srvrep[0006:0007]: HTTP/1.1 200 OK
00000000:www-backend-https.srvhdr[0006:0007]: Date: Wed, 26 Jul 2017 16:06:51 GMT
00000000:www-backend-https.srvhdr[0006:0007]: Server: Apache
00000000:www-backend-https.srvhdr[0006:0007]: Vary: Accept-Encoding
00000000:www-backend-https.srvhdr[0006:0007]: Content-Encoding: gzip
00000000:www-backend-https.srvhdr[0006:0007]: Content-Length: 458
00000000:www-backend-https.srvhdr[0006:0007]: Connection: close
00000000:www-backend-https.srvhdr[0006:0007]: Content-Type: text/html; charset=UTF-8
00000000:www-backend-https.srvcls[0006:0007]
00000002:www-https.clireq[0006:ffffffff]: GET /favicon.ico HTTP/1.1
00000002:www-https.clihdr[0006:ffffffff]: Host: ssltest.example.ca
00000002:www-https.clihdr[0006:ffffffff]: Connection: keep-alive
00000002:www-https.clihdr[0006:ffffffff]: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
00000002:www-https.clihdr[0006:ffffffff]: Accept: image/webp,image/apng,image/*,*/*;q=0.8
00000002:www-https.clihdr[0006:ffffffff]: Referer: https://ssltest.example.ca/
00000002:www-https.clihdr[0006:ffffffff]: Accept-Encoding: gzip, deflate, br
00000002:www-https.clihdr[0006:ffffffff]: Accept-Language: en-US,en;q=0.8
00000002:www-backend-https.srvrep[0006:0007]: HTTP/1.1 404 Not Found
00000002:www-backend-https.srvhdr[0006:0007]: Date: Wed, 26 Jul 2017 16:06:51 GMT
00000002:www-backend-https.srvhdr[0006:0007]: Server: Apache
00000002:www-backend-https.srvhdr[0006:0007]: Content-Length: 209
00000002:www-backend-https.srvhdr[0006:0007]: Connection: close
00000002:www-backend-https.srvhdr[0006:0007]: Content-Type: text/html; charset=iso-8859-1
00000002:www-backend-https.srvcls[0006:0007]
00000004:www-https.accept(0004)=0007 from [::ffff:<redacted>:41712] ALPN=<none>
00000005:www-https.accept(0004)=0008 from [::ffff:<redacted>:35597] ALPN=<none>
00000004:www-https.clireq[0007:ffffffff]: GET / HTTP/1.1
00000004:www-https.clihdr[0007:ffffffff]: Host: ssltest-broken.example.ca
00000004:www-https.clihdr[0007:ffffffff]: Connection: keep-alive
00000004:www-https.clihdr[0007:ffffffff]: Upgrade-Insecure-Requests: 1
00000004:www-https.clihdr[0007:ffffffff]: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
00000004:www-https.clihdr[0007:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
00000004:www-https.clihdr[0007:ffffffff]: Accept-Encoding: gzip, deflate, br
00000004:www-https.clihdr[0007:ffffffff]: Accept-Language: en-US,en;q=0.8
*fd[0009] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed**
**fd[0009] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed**
**fd[0009] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed**
**fd[0009] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed*
00000004:www-backend-https.clicls[0007:adfd]
00000004:www-backend-https.closed[0007:adfd]
00000005:www-https.clireq[0008:ffffffff]: GET /favicon.ico HTTP/1.1
00000005:www-https.clihdr[0008:ffffffff]: Host: ssltest-broken.example.ca
00000005:www-https.clihdr[0008:ffffffff]: Connection: keep-alive
00000005:www-https.clihdr[0008:ffffffff]: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
00000005:www-https.clihdr[0008:ffffffff]: Accept: image/webp,image/apng,image/*,*/*;q=0.8
00000005:www-https.clihdr[0008:ffffffff]: Referer: https://ssltest-broken.example.ca/
00000005:www-https.clihdr[0008:ffffffff]: Accept-Encoding: gzip, deflate, br
00000005:www-https.clihdr[0008:ffffffff]: Accept-Language: en-US,en;q=0.8
00000001:www-https.clicls[0005:ffffffff]
00000001:www-https.closed[0005:ffffffff]
*fd[0007] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed**
**fd[0005] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed**
**fd[0005] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed**
**fd[0005] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed*
00000005:www-backend-https.clicls[0008:adfd]
00000005:www-backend-https.closed[0008:adfd]
--
Kevin
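The archive ran the debug-mode trace above together, which makes the retry pattern hard to see by eye. The script below is an added example, not code from this thread or from HAProxy: it splits such a fused trace back into entries (tolerating the `*` emphasis runs the archive inserted) and counts the "certificate verify failed" errors per client request, which is the 4-to-1 amplification Kevin reports. The sample trace is constructed after the quoted one, and attributing each fd-level OpenSSL error to the most recent client request is an assumption about how the trace interleaves.

```python
import re
from collections import Counter

# Constructed sample, modelled on the fused trace quoted above: the archive
# dropped the newlines between entries and wrapped OpenSSL errors in '*'.
FUSED_TRACE = (
    "00000004:www-https.accept(0004)=0007 from [::ffff:<redacted>:41712] ALPN=<none>"
    "00000004:www-https.clireq[0007:ffffffff]: GET / HTTP/1.1"
    "00000004:www-https.clihdr[0007:ffffffff]: Host: ssltest-broken.example.ca"
    "00000004:www-https.clihdr[0007:ffffffff]: Accept: text/html,*/*;q=0.8"
    "*fd[0009] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed**"
    "**fd[0009] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed**"
    "**fd[0009] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed**"
    "**fd[0009] OpenSSL error[0x14090086] ssl3_get_server_certificate: certificate verify failed*"
    "00000004:www-backend-https.clicls[0007:adfd]"
    "00000004:www-backend-https.closed[0007:adfd]"
)

# An entry starts with an 8-hex-digit session id and ':' or with
# 'fd[NNNN] OpenSSL error'. Any '*' run left by the archive may precede it.
ENTRY_START = re.compile(r"(?=\**(?:[0-9a-f]{8}:|fd\[[0-9a-f]{4}\] OpenSSL error))")

def split_entries(fused):
    """Return the individual trace entries, with archive '*' runs removed from
    entry edges (inner '*' such as in 'Accept: */*' are left alone)."""
    return [e.strip("*") for e in ENTRY_START.split(fused) if e.strip("*")]

VERIFY_FAIL = "certificate verify failed"

def verify_failures_per_request(entries):
    """Count verify failures per client request (session id). fd-level errors
    carry no session id, so each is attributed to the most recent clireq
    (assumption, see lead-in)."""
    counts = Counter()
    current = None
    for e in entries:
        m = re.match(r"([0-9a-f]{8}):[\w-]+\.clireq\[", e)
        if m:
            current = m.group(1)
        elif e.startswith("fd[") and VERIFY_FAIL in e and current:
            counts[current] += 1
    return dict(counts)

def amplified_requests(entries, threshold=1):
    """Requests that triggered more than `threshold` backend handshake
    failures, i.e. one failed SNI lookup being retried against the backend."""
    return {sid: n for sid, n in verify_failures_per_request(entries).items()
            if n > threshold}
```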
On 2017-07-26 5:19 AM, Christopher Faulet wrote:
On 25/07/2017 at 19:37, Kevin McArthur wrote:
Hi Willy,
I can't replicate your results here....
I cloned from git and built the package with the debian/ubuntu build
scripts from
https://launchpad.net/~vbernat/+archive/ubuntu/haproxy-1.7 ...
updating the changelog to add a 1.8-dev2 version and calling
./debian/rules binary to build the package.
The git log shows:
commit 2ab88675ecbf960a6f33ffe9c6a27f264150b201
Author: Willy Tarreau <w...@1wt.eu>
Date: Wed Jul 5 18:23:03 2017 +0200
MINOR: ssl: compare server certificate names to the SNI on outgoing connections
Hi,
There is a bug in this commit. I checked with openssl 1.0.2l and
1.1.0f and I observed the same behavior as Kevin.
SSL_SESSION_get0_hostname seems to always return NULL when the server
returns a default certificate.
I tried to explain why in my commit log.
Kevin, could you check the patch in attachment to confirm it works?