Hi!

We can not get haproxy-ingress to work with TLS authentication. Only option to get this work is by using force-tlsv12 and then only Chrome works. Problem is TLS handshake decrypt error when using RSA-PSS signature algorithm, handshake fails every time. When we use force-tlsv12, only Chrome will change signature back to pkcs1 and then session is ok. Safari, Edge or IE does not work with any option and they keep offering RSA-PSS signature.

This same CA bundle and cards has been used before with citrix netscaler ingress controller without problems (TLSv1.2). Smart cards are government provided FINEID cards, so we can't test them command line, only by using those cards with browser.

I already discussed with haproxy-ingress builder jcmoraisjr and he suggested us to ask from haproxy mailing list.

Docker image: image: quay.io/jcmoraisjr/haproxy-ingress

# haproxy -vv
HA-Proxy version 2.0.17 2020/07/31 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference   OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1g  21 Apr 2020
Running on OpenSSL version : OpenSSL 1.1.1g  21 Apr 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.35 2020-05-09
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services :
    prometheus-exporter

Available filters :
    [SPOE] spoe
    [COMP] compression
    [CACHE] cache
    [TRACE] trace

haproxy configmap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-ingress
  namespace: ingress-controller
data:
  ssl-headers-prefix: HTTP_X_SSL
  max-connections: "10000"
#  ssl-options: ssl-min-ver TLSv1.2 no-tls-tickets
#  ssl-options: force-tlsv12 no-tls-tickets
  ssl-options: no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  ssl-cipher-suites: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256   #  ssl-ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 #  ssl-ciphers: RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384   ssl-ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-dh-default-max-size: "2048"
  syslog-endpoint: "10.32.121.202:514"
  syslog-length: "2048"
  http-log-format: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ \\ %CS\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r\\ ssl_version=%sslv\\ ssl_cypher=%sslc}\\ C_VERIFY=%{+Q}[ssl_c_verify]\\ C_ERR=%{+Q}[ssl_c_err]\\ C_S_DN=%{+Q}[ssl_c_s_dn]\\ C_i_DN=%{+Q}[ssl_c_i_dn]\\ C_key_Alg=%{+Q}[ssl_c_key_alg]\\ C_USED_Bool=%{+Q}[ssl_c_used]\\ C_VERSION=%{+Q}[ssl_c_version]\\ F_i_DN=%{+Q}[ssl_f_i_dn]\\ F_KEY_ALG=%{+Q}[ssl_f_key_alg]\\ F_S_DN=%{+Q}[ssl_f_s_dn]\\ F_SIG_ALG=%{+Q}[ssl_f_sig_alg]\\ F_VERSION=%{+Q}[ssl_f_version]\\ FC=%{+Q}[ssl_fc]\\ FC_ALPN=%{+Q}[ssl_fc_alpn]\\ FC_CIPHER=%{+Q}[ssl_fc_cipher]\\ CIPHERLIST=%{+Q}[ssl_fc_cipherlist_str]\\ FC_HAS_CRT=%{+Q}[ssl_fc_has_crt]\\ FC_HAS_EARLY_Bool=%{+Q}[ssl_fc_has_early]\\ FC_HAS_SNI=%{+Q}[ssl_fc_has_sni]\\ FC_IS_RESUMED_Bool=%{+Q}[ssl_fc_is_resumed]\\ FC_NPN=%{+Q}[ssl_fc_npn]\\ FC_PROTOCOL=%{+Q}[ssl_fc_protocol]\\ FC_SNI=%{+Q}[ssl_fc_sni]\\ C_CA_ERR=%[capture.req.hdr(2)]\\ C_CA_ERR_DEPTH=%[capture.req.hdr(3)]\\ FC_CIPHER=%[capture.req.hdr(4)]"   https-log-format: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %ST\\ %B\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs"
  config-global: |
  config-frontend: |
    capture request header Host len 100
    capture request header User-Agent len 200
    http-request capture ssl_c_ca_err len 2
    http-request capture ssl_c_ca_err_depth len 2
    http-request capture ssl_fc_cipher len 64

  config-backend: |
    http-request set-header X_SSL_CLIENT_VERIFY %[ssl_c_verify]
    http-request set-header X_SSL_CLIENT_DN %{+Q}[ssl_c_s_dn]
    http-request set-header X_SSL_ISSUER_DN %{+Q}[ssl_c_i_dn]

Ingress:
annotations:
    kubernetes.io/ingress.class: haproxy
    ingress.kubernetes.io/auth-tls-secret: default/staging-client-certificate-ca
    ingress.kubernetes.io/auth-tls-verify-client: optional

Any help?

Br,
Jouni


Reply via email to