Thanks Bruno,
I'll see if I can get this working.
--
Kevin
On 2020-09-09 9:41 p.m., Bruno Henc wrote:
Hi,
I take it that means theres no internal debug logging for the tls
errors that we can just expose via logfile?
Proof of concept patches are attached with build instructions. You may
wish to edit the haproxy-2.2.3/rules/debian folder to increase the -j
setting to your current number of cores.
The "disambiguate-ssl-handshake-errors-1.patch" only adds additional
error messages for the initial ClientHello processing - realistically,
it's only useful to see if there is no SNI being sent (bots,
healthchecks are the usual offenders).
The "disambiguate-ssl-handshake-errors-2.patch" implements everything
the first patch implements, adds a trash chunk for logging additional
error data to the conn structure, and reuses the SSL error logging
logic from ssl_sock_dump_errors
Practically, this means that memory usage is higher - if I recall
correctly (and it's way to late/early at this point) it's a 16KB
overhead per connection (echo "show pools" | socat stdio
/var/run/haproxy.sock will have a more detailed breakdown). Watching
the output of show pools is recommended - while I haven't noticed a
memory leak, keeping an eye on the trash pool is a good idea.
The fcgi protocol is also affected by the addition of the
extra_err_data. I have to do a smoke test if "proto fcgi" behaves as
expected, or if there's a potential segfault.
The patch works, but it requires more extensive testing. Sharing it
as-is since I might not be able to pursue this further in a
significant way for some time.
The mapping between the error messages and the potential causes can be
a bit obscure, but it's still useful.
E.g. an invalid SNI when using strict-sni maps to:
tls_post_process_client_hello: no shared cipher
If there's a cipher mismatch, this also maps to the above error message.
A protocol version mismatch (e.g. trying TLS1 when only TLS1.2 is
supported) results in:
tls_early_post_process_client_hello: unsupported protocol.
The list of error codes is available upstream at
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/err/openssl.txt#L2774
.
Regarding the packet capture question - exporting libpcap data via
SPOE might be possible. It's an ongoing topic.
Regards,
Bruno
