Re: Potential Bug
Great ideas. Email marked as a todo for tomorrow. Will report back. Thanks.

- Michael C.

On 3 Nov 2015, at 18:32, Lukas Tribus wrote:

>> I believe I may have discovered a bug in HAProxy 1.5.4 on CentOS 7.1,
>> installed via standard repositories.
>>
>> I don't want to go into debugging levels of detail here, but instead
>> will provide a synopsis in the hopes someone knows of a bug already or
>> can confirm it warrants further investigation.
>
> Some proposals that would help nail it down:
> - can you provide a gdb backtrace (catch the coredump or start haproxy
>   with gdb directly)
> - try (as a workaround) without chroot
> - try (as an alternative trigger) with
>   openssl s_client -cipher LOW -connect instead of the
>   ssl test
>
> I don't think the bug is in haproxy, I think you may hit some obscure
> problem in the openssl library, similar to this here:
> http://blog.tinola.com/?e=36
>
> Maybe that problem reappeared in CentOS 7.1.
>
> Regards,
> Lukas
RE: Potential Bug
> I believe I may have discovered a bug in HAProxy 1.5.4 on CentOS 7.1,
> installed via standard repositories.
>
> I don't want to go into debugging levels of detail here, but instead
> will provide a synopsis in the hopes someone knows of a bug already or
> can confirm it warrants further investigation.

Some proposals that would help nail it down:
- can you provide a gdb backtrace (catch the coredump or start haproxy
  with gdb directly)
- try (as a workaround) without chroot
- try (as an alternative trigger) with
  openssl s_client -cipher LOW -connect instead of the
  ssl test

I don't think the bug is in haproxy, I think you may hit some obscure
problem in the openssl library, similar to this here:
http://blog.tinola.com/?e=36

Maybe that problem reappeared in CentOS 7.1.

Regards,
Lukas
Re: Potential Bug
I think missing the line from the configuration was a silly thing to do on our part, without a doubt. Maybe Qualys' tests contain a test that is meant to crash the SSL implementation by design?

We're at the mercy of what version is available to use via the CentOS/EPEL mirrors, but I would actually like to see 1.6.1 in place, so perhaps I will take that route soon. Compiling from source is swift and our LBs are pretty static boxes.

Thanks for the feedback!

- Michael C.

> On 3 Nov 2015, at 17:17, Marco Corte wrote:
>
> Hi, Michael!
>
> The low Qualys rating is the problem, correct?
>
>> [root@(redacted) ~]# haproxy --version
>> HA-Proxy version 1.5.4 2014/09/02
>> Copyright 2000-2014 Willy Tarreau
>
> I would use a newer version. 1.5.15 has been released.
>
>> In the above configuration, the key component here is
>> 'ssl-default-bind-ciphers'. With this line commented out, as it is
>> above, Qualys SSL Server Test
>> (https://www.ssllabs.com/ssltest/index.html) brings our HAProxy instance
>> to its knees when it reaches the stage of, "Testing deprecated cipher
>> suites". With the line uncommented, and HAProxy restarted, the tests
>> pass fine and we come away with an A rating.
>
> Without that line, I believe you are actually offering to the connecting
> client all ciphers provided by your OpenSSL library.
> I am not sure, because I always specified the list of the ciphers that the
> client should see.
>
> I found these pages very interesting for finding the mix suiting my needs.
>
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
> https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
>
> Hope this helps
>
> .marcoc
Re: Potential Bug
Hi, Michael!

The low Qualys rating is the problem, correct?

> [root@(redacted) ~]# haproxy --version
> HA-Proxy version 1.5.4 2014/09/02
> Copyright 2000-2014 Willy Tarreau

I would use a newer version. 1.5.15 has been released.

> In the above configuration, the key component here is
> 'ssl-default-bind-ciphers'. With this line commented out, as it is
> above, Qualys SSL Server Test
> (https://www.ssllabs.com/ssltest/index.html) brings our HAProxy instance
> to its knees when it reaches the stage of, "Testing deprecated cipher
> suites". With the line uncommented, and HAProxy restarted, the tests
> pass fine and we come away with an A rating.

Without that line, I believe you are actually offering to the connecting
client all ciphers provided by your OpenSSL library.
I am not sure, because I always specified the list of the ciphers that the
client should see.

I found these pages very interesting for finding the mix suiting my needs.

https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

Hope this helps

.marcoc
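As an added illustration (not a configuration posted in this thread), here is the weak default Marco describes beside a hardened HAProxy 1.5 global section; the cipher string, certificate path and backend address are assumed placeholders, not values from the poster's setup:

```haproxy
global
    # Weak (the poster's original state): with no cipher policy set, every
    # 'bind ... ssl' line offers every suite the linked OpenSSL build knows,
    # LOW/EXPORT grades included, which is what the deprecated-cipher phase
    # of the Qualys test and an 'openssl s_client -cipher LOW' probe exercise.
    # ssl-default-bind-ciphers    <- line absent or commented out

    # Hardened: a server-side policy applied to every 'bind ... ssl' line.
    # The cipher string is an assumed example in OpenSSL syntax, not the one
    # from the thread; generate your own with the Mozilla tool linked above.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!LOW:!DES:!RC4:!MD5
    # Also refuse SSLv3 and disable session tickets (no ticket-key rotation in 1.5)
    ssl-default-bind-options no-sslv3 no-tls-tickets
    # Raise the DH parameter size above the 1024-bit default
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https-in
    # certificate path is a placeholder
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    default_backend web

backend web
    # backend address is a placeholder
    server app1 127.0.0.1:8080 check
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; afterwards the `openssl s_client -cipher LOW` check Lukas suggested should end in a handshake failure against your own listener rather than a completed connection.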