Move ../test/recipes/80-test_ssl_new.t outside of the build root. That means "throw out". rm -f ../test/recipes/80-test_ssl_new.t also works.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, September 15, 2020 8:28 PM, vcjouni <[email protected]> wrote: > Hi, > > I tested for openssl-1.1.1g.tar.gz from openssl.org in Linux Mint 19.3: > > $ patch -p1 < reorder-sigalgs.patch > patching file ssl/t1_lib.c > > ./config > > make > > make test > > Test Summary Report > > ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > ../test/recipes/80-test_ssl_new.t (Wstat: 256 Tests: 29 > Failed: 1) > Failed test: 20 > Non-zero exit status: 1 > Files=155, Tests=1466, 76 wallclock secs ( 1.74 usr 0.10 sys + 75.96 > cusr 9.72 csys = 87.52 CPU) > Result: FAIL > Makefile:207: recipe for target '_tests' failed > > What did you mean by thrown that test out? Now that test failed. > > Br, > > Jouni > > On 9/15/20 4:36 PM, Bruno Henc wrote: > > > Hi, > > Last time I saw this error it involved TLS decryption by firewalls that > > didn't support RSA-PSS. Why they blow up > > when the new, more secure RSA-PSS signature algorithms are used beats me, > > but it's principally on them for not supporting the latest IETF standards. > > Attached is a patch that reorders the signature algorithms > > in openssl 1.1.1 so that the pkcs1 ones are first. Also, > > the test/recipes/80-test_ssl_new.t test needs to be thrown out for this to > > work. I would recommend trying to get this to work without docker and > > kubernetes first, and using the -d haproxy option to get more detailed > > OpenSSL logging. > > It is also likely you will need to set ssl-default-bind-curves since the > > firewalls in question do not support curve x25519 either. This is a HAProxy > > 2.2 option (https://www.haproxy.com/blog/announcing-haproxy-2-2/). > > ssl-default-bind-curves P-256 should/could the trick, although tuning this > > to include all supported curves should be done for production traffic. > > As for implementing this in HAProxy, SSL_CTX_set1_sigalgs_list could be > > used in the part of the code that initializes the TLS connection, but it > > seems that somewhere in the handshake code the signature algorithms get > > renegotiated. > > I haven't had any luck in identifying where exactly this renegotiation > > happens. Someone else might have more luck in writing up a patch that adds > > a "sigalgs" or similarly named option to adjust the signature algorithms. > > Regards, > > Bruno > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ > > On Tuesday, September 15, 2020 1:45 PM, vcjouni > > [email protected] wrote: > > > > > Hi! > > > We can not get haproxy-ingress to work with TLS authentication. Only > > > option to get this work is by using force-tlsv12 and then only Chrome > > > works. Problem is TLS handshake decrypt error when using RSA-PSS > > > signature algorithm, handshake fails every time. When we use > > > force-tlsv12, only Chrome will change signature back to pkcs1 and then > > > session is ok. Safari, Edge or IE does not work with any option and they > > > keep offering RSA-PSS signature. > > > This same CA bundle and cards has been used before with citrix netscaler > > > ingress controller without problems (TLSv1.2). Smart cards are > > > government provided FINEID cards, so we can't test them command line, > > > only by using those cards with browser. > > > I already discussed with haproxy-ingress builder jcmoraisjr and he > > > suggested us to ask from haproxy mailing list. > > > Docker image: image: quay.io/jcmoraisjr/haproxy-ingress > > > haproxy -vv > > > ============ > > > HA-Proxy version 2.0.17 2020/07/31 - https://haproxy.org/ > > > Build options : > > > TARGET = linux-glibc > > > CPU = generic > > > CC = gcc > > > CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement > > > -fwrapv -Wno-address-of-packed-member -Wno-unused-label > > > -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration > > > -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers > > > -Wno-implicit-fallthrough -Wno-stringop-overflow -Wno-cast-function-type > > > -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 > > > -Wduplicated-cond -Wnull-dereference > > > OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_GETADDRINFO=1 USE_OPENSSL=1 > > > USE_LUA=1 USE_ZLIB=1 > > > Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE > > > -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD > > > -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY > > > +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO > > > +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO > > > +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER > > > +PRCTL +THREAD_DUMP -EVPORTS > > > Default settings : > > > bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 > > > Built with multi-threading support (MAX_THREADS=64, default=2). > > > Built with OpenSSL version : OpenSSL 1.1.1g 21 Apr 2020 > > > Running on OpenSSL version : OpenSSL 1.1.1g 21 Apr 2020 > > > OpenSSL library supports TLS extensions : yes > > > OpenSSL library supports SNI : yes > > > OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 > > > Built with Lua version : Lua 5.3.5 > > > Built with network namespace support. > > > Built with transparent proxy support using: IP_TRANSPARENT > > > IPV6_TRANSPARENT IP_FREEBIND > > > Built with zlib version : 1.2.11 > > > Running on zlib version : 1.2.11 > > > Compression algorithms supported : identity("identity"), > > > deflate("deflate"), raw-deflate("deflate"), gzip("gzip") > > > Built with PCRE2 version : 10.35 2020-05-09 > > > PCRE2 library supports JIT : yes > > > Encrypted password support via crypt(3): yes > > > Built with the Prometheus exporter as a service > > > Available polling systems : > > > epoll : pref=300, test result OK > > > poll : pref=200, test result OK > > > select : pref=150, test result OK > > > Total: 3 (3 usable), will use epoll. > > > Available multiplexer protocols : > > > (protocols marked as <default> cannot be specified using 'proto' keyword) > > > h2 : mode=HTX side=FE|BE mux=H2 > > > h2 : mode=HTTP side=FE mux=H2 > > > <default> : mode=HTX side=FE|BE mux=H1 > > > <default> : mode=TCP|HTTP side=FE|BE mux=PASS > > > Available services : > > > prometheus-exporter > > > Available filters : > > > [SPOE] spoe > > > [COMP] compression > > > [CACHE] cache > > > [TRACE] trace > > > haproxy configmap: > > > apiVersion: v1 > > > kind: ConfigMap > > > metadata: > > > name: haproxy-ingress > > > namespace: ingress-controller > > > data: > > > ssl-headers-prefix: HTTP_X_SSL > > > max-connections: "10000" > > > # ssl-options: ssl-min-ver TLSv1.2 no-tls-tickets > > > # ssl-options: force-tlsv12 no-tls-tickets > > > ssl-options: no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets > > > ssl-cipher-suites: > > > TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 > > > # ssl-ciphers: > > > ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 > > > # ssl-ciphers: > > > RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384 > > > ssl-ciphers: > > > ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 > > > ssl-dh-default-max-size: "2048" > > > syslog-endpoint: "10.32.121.202:514" > > > syslog-length: "2048" > > > http-log-format: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ > > > %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ \\ %CS\\ %tsc\\ > > > %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r\\ ssl_version=%sslv\\ > > > ssl_cypher=%sslc}\\ C_VERIFY=%{+Q}[ssl_c_verify]\\ > > > C_ERR=%{+Q}[ssl_c_err]\\ C_S_DN=%{+Q}[ssl_c_s_dn]\\ > > > C_i_DN=%{+Q}[ssl_c_i_dn]\\ C_key_Alg=%{+Q}[ssl_c_key_alg]\\ > > > C_USED_Bool=%{+Q}[ssl_c_used]\\ C_VERSION=%{+Q}[ssl_c_version]\\ > > > F_i_DN=%{+Q}[ssl_f_i_dn]\\ F_KEY_ALG=%{+Q}[ssl_f_key_alg]\\ > > > F_S_DN=%{+Q}[ssl_f_s_dn]\\ F_SIG_ALG=%{+Q}[ssl_f_sig_alg]\\ > > > F_VERSION=%{+Q}[ssl_f_version]\\ FC=%{+Q}[ssl_fc]\\ > > > FC_ALPN=%{+Q}[ssl_fc_alpn]\\ FC_CIPHER=%{+Q}[ssl_fc_cipher]\\ > > > CIPHERLIST=%{+Q}[ssl_fc_cipherlist_str]\\ > > > FC_HAS_CRT=%{+Q}[ssl_fc_has_crt]\\ > > > FC_HAS_EARLY_Bool=%{+Q}[ssl_fc_has_early]\\ > > > FC_HAS_SNI=%{+Q}[ssl_fc_has_sni]\\ > > > FC_IS_RESUMED_Bool=%{+Q}[ssl_fc_is_resumed]\\ FC_NPN=%{+Q}[ssl_fc_npn]\\ > > > FC_PROTOCOL=%{+Q}[ssl_fc_protocol]\\ FC_SNI=%{+Q}[ssl_fc_sni]\\ > > > C_CA_ERR=%[capture.req.hdr(2)]\\ C_CA_ERR_DEPTH=%[capture.req.hdr(3)]\\ > > > FC_CIPHER=%[capture.req.hdr(4)]" > > > https-log-format: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %ST\\ %B\\ %tsc\\ > > > %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs" > > > config-global: | > > > config-frontend: | > > > capture request header Host len 100 > > > capture request header User-Agent len 200 > > > http-request capture ssl_c_ca_err len 2 > > > http-request capture ssl_c_ca_err_depth len 2 > > > http-request capture ssl_fc_cipher len 64 > > > config-backend: | > > > http-request set-header X_SSL_CLIENT_VERIFY %[ssl_c_verify] > > > http-request set-header X_SSL_CLIENT_DN %{+Q}[ssl_c_s_dn] > > > http-request set-header X_SSL_ISSUER_DN %{+Q}[ssl_c_i_dn] > > > Ingress: > > > annotations: > > > kubernetes.io/ingress.class: haproxy > > > ingress.kubernetes.io/auth-tls-secret: > > > default/staging-client-certificate-ca > > > ingress.kubernetes.io/auth-tls-verify-client: optional > > > Any help? > > > Br, > > > Jouni
