I recall some issues with LibreSSL and chaining trust. Like it was declared but never worked. we'll see that in runtime if there are such issues
вс, 5 июл. 2020 г. в 16:06, Илья Шипицин <[email protected]>: > nice, all ssl variants build well > https://travis-ci.com/github/chipitsine/haproxy/builds/174323866 > > вс, 5 июл. 2020 г. в 15:48, Gersner <[email protected]>: > >> >> >> On Sun, Jul 5, 2020 at 1:42 PM Илья Шипицин <[email protected]> wrote: >> >>> do you have your patches on github fork ? >>> (I could not find your fork) >>> >> Yes. See branch >> https://github.com/Azure/haproxy/tree/wip/sgersner/ca-sign-extra >> >>> >>> вс, 5 июл. 2020 г. в 15:13, Gersner <[email protected]>: >>> >>>> >>>> >>>> On Sun, Jul 5, 2020 at 12:28 PM Илья Шипицин <[email protected]> >>>> wrote: >>>> >>>>> does it clearly applies to current master ? either gmail scrambled >>>>> patch or it is not. >>>>> can you try please ? >>>>> >>>> Exporting the eml and running 'git am' it works cleanly. >>>> >>>> I've reproduced the exact same output when copy-pasting from gmail. It >>>> seems gmail converts the tabs to spaces and this fails the patch (Not sure >>>> why). >>>> Running patch with '-l' will resolve this, but it's probably safer to >>>> run git am on the email. >>>> >>>> >>>>> >>>>> $ patch -p1 < 1.patch >>>>> patching file doc/configuration.txt >>>>> patching file include/haproxy/listener-t.h >>>>> Hunk #1 FAILED at 163. >>>>> 1 out of 1 hunk FAILED -- saving rejects to file >>>>> include/haproxy/listener-t.h.rej >>>>> patching file src/cfgparse-ssl.c >>>>> Hunk #1 succeeded at 538 with fuzz 1. >>>>> Hunk #2 FAILED at 1720. >>>>> 1 out of 2 hunks FAILED -- saving rejects to file >>>>> src/cfgparse-ssl.c.rej >>>>> patching file src/ssl_sock.c >>>>> Hunk #1 FAILED at 1750. >>>>> Hunk #2 FAILED at 1864. >>>>> Hunk #3 FAILED at 1912. >>>>> Hunk #4 FAILED at 1943. >>>>> Hunk #5 FAILED at 1970. >>>>> Hunk #6 FAILED at 4823. >>>>> Hunk #7 FAILED at 4843. >>>>> 7 out of 7 hunks FAILED -- saving rejects to file src/ssl_sock.c.rej >>>>> >>>>> вс, 5 июл. 2020 г. в 11:46, <[email protected]>: >>>>> >>>>>> From: Shimi Gersner <[email protected]> >>>>>> >>>>>> haproxy supports generating SSL certificates based on SNI using a >>>>>> provided >>>>>> CA signing certificate. Because CA certificates may be signed by >>>>>> multiple >>>>>> CAs, in some scenarios, it is neccesary for the server to attach the >>>>>> trust chain >>>>>> in addition to the generated certificate. >>>>>> >>>>>> The following patch adds the ability to optionally serve all public >>>>>> certificates provided in the `ca-sign-file` PEM file. >>>>>> Certificate loading was ported to use `ca_sign_use_chain` structure, >>>>>> instead of directly reading public/private keys. >>>>>> --- >>>>>> doc/configuration.txt | 8 +++ >>>>>> include/haproxy/listener-t.h | 4 +- >>>>>> src/cfgparse-ssl.c | 13 +++++ >>>>>> src/ssl_sock.c | 98 >>>>>> ++++++++++++++++++++---------------- >>>>>> 4 files changed, 78 insertions(+), 45 deletions(-) >>>>>> >>>>>> diff --git a/doc/configuration.txt b/doc/configuration.txt >>>>>> index 6d472134e..1d3878bc1 100644 >>>>>> --- a/doc/configuration.txt >>>>>> +++ b/doc/configuration.txt >>>>>> @@ -12158,6 +12158,14 @@ ca-sign-pass <passphrase> >>>>>> the dynamic generation of certificates is enabled. See >>>>>> 'generate-certificates' for details. >>>>>> >>>>>> +ca-sign-use-chain >>>>>> + This setting is only available when support for OpenSSL was built >>>>>> in. It is >>>>>> + the CA private key passphrase. This setting is optional and used >>>>>> only when >>>>>> + the dynamic generation of certificates is enabled. See >>>>>> + 'generate-certificates' for details. >>>>>> + Enabling this flag will attach all public certificates encoded in >>>>>> `ca-sign-file` >>>>>> + to the served certificate to the client, enabling trust. >>>>>> + >>>>>> ca-verify-file <cafile> >>>>>> This setting designates a PEM file from which to load CA >>>>>> certificates used to >>>>>> verify client's certificate. It designates CA certificates which >>>>>> must not be >>>>>> diff --git a/include/haproxy/listener-t.h >>>>>> b/include/haproxy/listener-t.h >>>>>> index 224e32513..38ca2839f 100644 >>>>>> --- a/include/haproxy/listener-t.h >>>>>> +++ b/include/haproxy/listener-t.h >>>>>> @@ -163,8 +163,8 @@ struct bind_conf { >>>>>> char *ca_sign_file; /* CAFile used to generate and >>>>>> sign server certificates */ >>>>>> char *ca_sign_pass; /* CAKey passphrase */ >>>>>> >>>>>> - X509 *ca_sign_cert; /* CA certificate referenced by >>>>>> ca_file */ >>>>>> - EVP_PKEY *ca_sign_pkey; /* CA private key referenced by >>>>>> ca_key */ >>>>>> + int ca_sign_use_chain; /* Optionally attached the >>>>>> certificate chain to the served certificate */ >>>>>> + struct cert_key_and_chain * ca_sign_ckch; /* CA and >>>>>> possible certificate chain for ca generation */ >>>>>> #endif >>>>>> struct proxy *frontend; /* the frontend all these >>>>>> listeners belong to, or NULL */ >>>>>> const struct mux_proto_list *mux_proto; /* the mux to use for >>>>>> all incoming connections (specified by the "proto" keyword) */ >>>>>> diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c >>>>>> index 144cef882..270c857f9 100644 >>>>>> --- a/src/cfgparse-ssl.c >>>>>> +++ b/src/cfgparse-ssl.c >>>>>> @@ -538,6 +538,18 @@ static int bind_parse_ca_sign_file(char **args, >>>>>> int cur_arg, struct proxy *px, s >>>>>> return 0; >>>>>> } >>>>>> >>>>>> +/* parse the "ca-sign-use-chain" bind keyword */ >>>>>> +static int bind_parse_ca_sign_use_chain(char **args, int cur_arg, >>>>>> struct proxy *px, struct bind_conf *conf, char **err) >>>>>> +{ >>>>>> +#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined >>>>>> SSL_NO_GENERATE_CERTIFICATES && defined SSL_CTX_set1_chain) >>>>>> + conf->ca_sign_use_chain = 1; >>>>>> +#else >>>>>> + memprintf(err, "%sthis version of openssl cannot attach >>>>>> certificate chain for SSL certificate generation.\n", >>>>>> + err && *err ? *err : ""); >>>>>> +#endif >>>>>> + return 0; >>>>>> +} >>>>>> + >>>>>> /* parse the "ca-sign-pass" bind keyword */ >>>>>> static int bind_parse_ca_sign_pass(char **args, int cur_arg, struct >>>>>> proxy *px, struct bind_conf *conf, char **err) >>>>>> { >>>>>> @@ -1708,6 +1720,7 @@ static struct bind_kw_list bind_kws = { "SSL", >>>>>> { }, { >>>>>> { "ca-ignore-err", bind_parse_ignore_err, 1 >>>>>> }, /* set error IDs to ignore on verify depth > 0 */ >>>>>> { "ca-sign-file", bind_parse_ca_sign_file, 1 >>>>>> }, /* set CAFile used to generate and sign server certs */ >>>>>> { "ca-sign-pass", bind_parse_ca_sign_pass, 1 >>>>>> }, /* set CAKey passphrase */ >>>>>> + { "ca-sign-use-chain", bind_parse_ca_sign_use_chain, 1 >>>>>> }, /* enable attaching ca chain to generated certificate */ >>>>>> { "ciphers", bind_parse_ciphers, 1 >>>>>> }, /* set SSL cipher suite */ >>>>>> #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) >>>>>> { "ciphersuites", bind_parse_ciphersuites, 1 >>>>>> }, /* set TLS 1.3 cipher suite */ >>>>>> diff --git a/src/ssl_sock.c b/src/ssl_sock.c >>>>>> index a32db1a28..54829eb98 100644 >>>>>> --- a/src/ssl_sock.c >>>>>> +++ b/src/ssl_sock.c >>>>>> @@ -1750,8 +1750,8 @@ static int ssl_sock_advertise_alpn_protos(SSL >>>>>> *s, const unsigned char **out, >>>>>> static SSL_CTX * >>>>>> ssl_sock_do_create_cert(const char *servername, struct bind_conf >>>>>> *bind_conf, SSL *ssl) >>>>>> { >>>>>> - X509 *cacert = bind_conf->ca_sign_cert; >>>>>> - EVP_PKEY *capkey = bind_conf->ca_sign_pkey; >>>>>> + X509 *cacert = bind_conf->ca_sign_ckch->cert; >>>>>> + EVP_PKEY *capkey = bind_conf->ca_sign_ckch->key; >>>>>> SSL_CTX *ssl_ctx = NULL; >>>>>> X509 *newcrt = NULL; >>>>>> EVP_PKEY *pkey = NULL; >>>>>> @@ -1864,6 +1864,16 @@ ssl_sock_do_create_cert(const char >>>>>> *servername, struct bind_conf *bind_conf, SSL >>>>>> if (!SSL_CTX_check_private_key(ssl_ctx)) >>>>>> goto mkcert_error; >>>>>> >>>>>> + /* Assign chain if any */ >>>>>> + if (bind_conf->ca_sign_use_chain && >>>>>> bind_conf->ca_sign_ckch->chain) { >>>>>> + if (!SSL_CTX_set1_chain(ssl_ctx, >>>>>> bind_conf->ca_sign_ckch->chain)) { >>>>>> + goto mkcert_error; >>>>>> + } >>>>>> + if (!SSL_CTX_add1_chain_cert(ssl_ctx, >>>>>> bind_conf->ca_sign_ckch->cert)) { >>>>>> + goto mkcert_error; >>>>>> + } >>>>>> + } >>>>>> + >>>>>> if (newcrt) X509_free(newcrt); >>>>>> >>>>>> #ifndef OPENSSL_NO_DH >>>>>> @@ -1912,7 +1922,7 @@ ssl_sock_assign_generated_cert(unsigned int >>>>>> key, struct bind_conf *bind_conf, SS >>>>>> >>>>>> if (ssl_ctx_lru_tree) { >>>>>> HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, >>>>>> &ssl_ctx_lru_rwlock); >>>>>> - lru = lru64_lookup(key, ssl_ctx_lru_tree, >>>>>> bind_conf->ca_sign_cert, 0); >>>>>> + lru = lru64_lookup(key, ssl_ctx_lru_tree, >>>>>> bind_conf->ca_sign_ckch->cert, 0); >>>>>> if (lru && lru->domain) { >>>>>> if (ssl) >>>>>> SSL_set_SSL_CTX(ssl, (SSL_CTX >>>>>> *)lru->data); >>>>>> @@ -1943,14 +1953,14 @@ ssl_sock_set_generated_cert(SSL_CTX *ssl_ctx, >>>>>> unsigned int key, struct bind_conf >>>>>> >>>>>> if (ssl_ctx_lru_tree) { >>>>>> HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, >>>>>> &ssl_ctx_lru_rwlock); >>>>>> - lru = lru64_get(key, ssl_ctx_lru_tree, >>>>>> bind_conf->ca_sign_cert, 0); >>>>>> + lru = lru64_get(key, ssl_ctx_lru_tree, >>>>>> bind_conf->ca_sign_ckch->cert, 0); >>>>>> if (!lru) { >>>>>> HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, >>>>>> &ssl_ctx_lru_rwlock); >>>>>> return -1; >>>>>> } >>>>>> if (lru->domain && lru->data) >>>>>> lru->free((SSL_CTX *)lru->data); >>>>>> - lru64_commit(lru, ssl_ctx, bind_conf->ca_sign_cert, >>>>>> 0, (void (*)(void *))SSL_CTX_free); >>>>>> + lru64_commit(lru, ssl_ctx, >>>>>> bind_conf->ca_sign_ckch->cert, 0, (void (*)(void *))SSL_CTX_free); >>>>>> HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, >>>>>> &ssl_ctx_lru_rwlock); >>>>>> return 0; >>>>>> } >>>>>> @@ -1970,7 +1980,7 @@ ssl_sock_generated_cert_key(const void *data, >>>>>> size_t len) >>>>>> static int >>>>>> ssl_sock_generate_certificate(const char *servername, struct >>>>>> bind_conf *bind_conf, SSL *ssl) >>>>>> { >>>>>> - X509 *cacert = bind_conf->ca_sign_cert; >>>>>> + X509 *cacert = bind_conf->ca_sign_ckch->cert; >>>>>> SSL_CTX *ssl_ctx = NULL; >>>>>> struct lru64 *lru = NULL; >>>>>> unsigned int key; >>>>>> @@ -4823,13 +4833,12 @@ int >>>>>> ssl_sock_load_ca(struct bind_conf *bind_conf) >>>>>> { >>>>>> struct proxy *px = bind_conf->frontend; >>>>>> - FILE *fp; >>>>>> - X509 *cacert = NULL; >>>>>> - EVP_PKEY *capkey = NULL; >>>>>> - int err = 0; >>>>>> + struct cert_key_and_chain *ckch = NULL; >>>>>> + int ret = 0; >>>>>> + char *err = NULL; >>>>>> >>>>>> if (!bind_conf->generate_certs) >>>>>> - return err; >>>>>> + return ret; >>>>>> >>>>>> #if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined >>>>>> SSL_NO_GENERATE_CERTIFICATES) >>>>>> if (global_ssl.ctx_cache) { >>>>>> @@ -4843,52 +4852,55 @@ ssl_sock_load_ca(struct bind_conf *bind_conf) >>>>>> ha_alert("Proxy '%s': cannot enable certificate >>>>>> generation, " >>>>>> "no CA certificate File configured at >>>>>> [%s:%d].\n", >>>>>> px->id, bind_conf->file, bind_conf->line); >>>>>> - goto load_error; >>>>>> + goto failed; >>>>>> } >>>>>> >>>>>> - /* read in the CA certificate */ >>>>>> - if (!(fp = fopen(bind_conf->ca_sign_file, "r"))) { >>>>>> - ha_alert("Proxy '%s': Failed to read CA certificate >>>>>> file '%s' at [%s:%d].\n", >>>>>> - px->id, bind_conf->ca_sign_file, >>>>>> bind_conf->file, bind_conf->line); >>>>>> - goto load_error; >>>>>> + /* Allocate cert structure */ >>>>>> + ckch = calloc(1, sizeof(struct cert_key_and_chain)); >>>>>> + if (!ckch) { >>>>>> + ha_alert("Proxy '%s': Failed to read CA certificate >>>>>> file '%s' at [%s:%d]. Chain allocation failure\n", >>>>>> + px->id, bind_conf->ca_sign_file, >>>>>> bind_conf->file, bind_conf->line); >>>>>> } >>>>>> - if (!(cacert = PEM_read_X509(fp, NULL, NULL, NULL))) { >>>>>> - ha_alert("Proxy '%s': Failed to read CA certificate >>>>>> file '%s' at [%s:%d].\n", >>>>>> - px->id, bind_conf->ca_sign_file, >>>>>> bind_conf->file, bind_conf->line); >>>>>> - goto read_error; >>>>>> + >>>>>> + /* Try to parse file */ >>>>>> + if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file, >>>>>> ckch, &err)) { >>>>>> + ha_alert("Proxy '%s': Failed to read CA certificate >>>>>> file '%s' at [%s:%d]. Chain loading failed: %s\n", >>>>>> + px->id, bind_conf->ca_sign_file, >>>>>> bind_conf->file, bind_conf->line, err); >>>>>> + if (err) free(err); >>>>>> + goto failed; >>>>>> } >>>>>> - rewind(fp); >>>>>> - if (!(capkey = PEM_read_PrivateKey(fp, NULL, NULL, >>>>>> bind_conf->ca_sign_pass))) { >>>>>> - ha_alert("Proxy '%s': Failed to read CA private key >>>>>> file '%s' at [%s:%d].\n", >>>>>> - px->id, bind_conf->ca_sign_file, >>>>>> bind_conf->file, bind_conf->line); >>>>>> - goto read_error; >>>>>> + >>>>>> + /* Fail if missing cert or pkey */ >>>>>> + if ((!ckch->cert) || (!ckch->key)) { >>>>>> + ha_alert("Proxy '%s': Failed to read CA certificate >>>>>> file '%s' at [%s:%d]. Chain missing certificate or private key\n", >>>>>> + px->id, bind_conf->ca_sign_file, >>>>>> bind_conf->file, bind_conf->line); >>>>>> + goto failed; >>>>>> } >>>>>> >>>>>> - fclose (fp); >>>>>> - bind_conf->ca_sign_cert = cacert; >>>>>> - bind_conf->ca_sign_pkey = capkey; >>>>>> - return err; >>>>>> + /* Final assignment to bind */ >>>>>> + bind_conf->ca_sign_ckch = ckch; >>>>>> + return ret; >>>>>> + >>>>>> + failed: >>>>>> + if (ckch) { >>>>>> + ssl_sock_free_cert_key_and_chain_contents(ckch); >>>>>> + free(ckch); >>>>>> + } >>>>>> >>>>>> - read_error: >>>>>> - fclose (fp); >>>>>> - if (capkey) EVP_PKEY_free(capkey); >>>>>> - if (cacert) X509_free(cacert); >>>>>> - load_error: >>>>>> bind_conf->generate_certs = 0; >>>>>> - err++; >>>>>> - return err; >>>>>> + ret++; >>>>>> + return ret; >>>>>> } >>>>>> >>>>>> /* Release CA cert and private key used to generate certificated */ >>>>>> void >>>>>> ssl_sock_free_ca(struct bind_conf *bind_conf) >>>>>> { >>>>>> - if (bind_conf->ca_sign_pkey) >>>>>> - EVP_PKEY_free(bind_conf->ca_sign_pkey); >>>>>> - if (bind_conf->ca_sign_cert) >>>>>> - X509_free(bind_conf->ca_sign_cert); >>>>>> - bind_conf->ca_sign_pkey = NULL; >>>>>> - bind_conf->ca_sign_cert = NULL; >>>>>> + if (bind_conf->ca_sign_ckch) { >>>>>> + >>>>>> ssl_sock_free_cert_key_and_chain_contents(bind_conf->ca_sign_ckch); >>>>>> + free(bind_conf->ca_sign_ckch); >>>>>> + bind_conf->ca_sign_ckch = NULL; >>>>>> + } >>>>>> } >>>>>> >>>>>> /* >>>>>> -- >>>>>> 2.27.0 >>>>>> >>>>>> >>>>>>
