Re: [PATCH 0/1] Implement new sample fetch method to get the curve name used in key agreement
On Mon, Jul 17, 2023 at 08:22:58AM -0500, Mariam John wrote: > This is an implementation of feature request > [#2165](https://github.com/haproxy/haproxy/issues/2165), > to get the EC curve name used during the key agreement in OpenSSL. This patch > includes the following > changes: > - new sample fetch methods `ssl_fc_curve` and `ssl_bc_curve`, to get the > curve name > - doc changes to add description for the new sample fetch methods > - a new regression test 'ssl_curve_name` to test the new sample fetch > methods. (Tested it with the > CI against my fork using github actions and it passes with all supported > SSL libraries and OpenSSL versions) > > This uses the function `SSL_get_negotiated_group` method available from the > OpenSSLv3 release. > > Thank you. > > Mariam John (1): > MEDIUM: ssl: new sample fetch method to get curve name > > doc/configuration.txt| 10 +++ > reg-tests/ssl/ssl_curve_name.vtc | 51 > src/ssl_sample.c | 46 > 3 files changed, 107 insertions(+) > create mode 100644 reg-tests/ssl/ssl_curve_name.vtc > Great, thank you! I just pushed your patch in the master branch. -- William Lallemand
[PATCH 0/1] Implement new sample fetch method to get the curve name used in key agreement
This is an implementation of feature request [#2165](https://github.com/haproxy/haproxy/issues/2165), to get the EC curve name used during the key agreement in OpenSSL. This patch includes the following changes: - new sample fetch methods `ssl_fc_curve` and `ssl_bc_curve`, to get the curve name - doc changes to add description for the new sample fetch methods - a new regression test 'ssl_curve_name` to test the new sample fetch methods. (Tested it with the CI against my fork using github actions and it passes with all supported SSL libraries and OpenSSL versions) This uses the function `SSL_get_negotiated_group` method available from the OpenSSLv3 release. Thank you. Mariam John (1): MEDIUM: ssl: new sample fetch method to get curve name doc/configuration.txt| 10 +++ reg-tests/ssl/ssl_curve_name.vtc | 51 src/ssl_sample.c | 46 3 files changed, 107 insertions(+) create mode 100644 reg-tests/ssl/ssl_curve_name.vtc -- 2.39.2 (Apple Git-143)
RE: [PATCH 0/1] Implement new sample fetch method to get the curve name used in key agreement
Indeed I did. I send the patch from the old folder. I apologize for the mistake on my part. I am sending the right one now. Thank you for your patience. Regards, Mariam. From: William Lallemand Date: Monday, July 17, 2023 at 4:28 AM To: Mariam John Cc: haproxy@formilux.org , eb...@haproxy.com Subject: [EXTERNAL] Re: [PATCH 0/1] Implement new sample fetch method to get the curve name used in key agreement On Fri, Jul 14, 2023 at 02:59:52AM -0500, Mariam John wrote: > This is an implementation of feature request > [#2165](https://github.com/haproxy/haproxy/issues/2165 ), > to get the EC curve name used during the key agreement in OpenSSL. This patch > includes the following > changes: > - new sample fetch methods `ssl_fc_curve` and `ssl_bc_curve`, to get the > curve name > - doc changes to add description for the new sample fetch methods > - updates the existing regression tests to test the new sample fetch methods > > This uses the function `SSL_get_negotiated_group` method available from the > OpenSSLv3 release. > > Thank you. > > Mariam John (1): > MEDIUM: ssl: new sample fetch method to get curve name > > doc/configuration.txt| 8 + > reg-tests/ssl/ssl_client_samples.vtc | 2 ++ > reg-tests/ssl/ssl_curves.vtc | 4 +++ > src/ssl_sample.c | 46 > 4 files changed, 60 insertions(+) > Hello Mariam, It seems like you sent us the previous patch by mistake? I pushed the patch in a separate branch to run the CI on it: https://github.com/haproxy/haproxy/actions/runs/5573879545/jobs/10181759082 Regards, -- William Lallemand
Re: [PATCH 0/1] Implement new sample fetch method to get the curve name used in key agreement
On Fri, Jul 14, 2023 at 02:59:52AM -0500, Mariam John wrote: > This is an implementation of feature request > [#2165](https://github.com/haproxy/haproxy/issues/2165), > to get the EC curve name used during the key agreement in OpenSSL. This patch > includes the following > changes: > - new sample fetch methods `ssl_fc_curve` and `ssl_bc_curve`, to get the > curve name > - doc changes to add description for the new sample fetch methods > - updates the existing regression tests to test the new sample fetch methods > > This uses the function `SSL_get_negotiated_group` method available from the > OpenSSLv3 release. > > Thank you. > > Mariam John (1): > MEDIUM: ssl: new sample fetch method to get curve name > > doc/configuration.txt| 8 + > reg-tests/ssl/ssl_client_samples.vtc | 2 ++ > reg-tests/ssl/ssl_curves.vtc | 4 +++ > src/ssl_sample.c | 46 > 4 files changed, 60 insertions(+) > Hello Mariam, It seems like you sent us the previous patch by mistake? I pushed the patch in a separate branch to run the CI on it: https://github.com/haproxy/haproxy/actions/runs/5573879545/jobs/10181759082 Regards, -- William Lallemand
[PATCH 0/1] Implement new sample fetch method to get the curve name used in key agreement
This is an implementation of feature request [#2165](https://github.com/haproxy/haproxy/issues/2165), to get the EC curve name used during the key agreement in OpenSSL. This patch includes the following changes: - new sample fetch methods `ssl_fc_curve` and `ssl_bc_curve`, to get the curve name - doc changes to add description for the new sample fetch methods - updates the existing regression tests to test the new sample fetch methods This uses the function `SSL_get_negotiated_group` method available from the OpenSSLv3 release. Thank you. Mariam John (1): MEDIUM: ssl: new sample fetch method to get curve name doc/configuration.txt| 8 + reg-tests/ssl/ssl_client_samples.vtc | 2 ++ reg-tests/ssl/ssl_curves.vtc | 4 +++ src/ssl_sample.c | 46 4 files changed, 60 insertions(+) -- 2.39.2 (Apple Git-143)
Re: [PATCH 0/1] Implement new sample fetch method to get the curve name used in key agreement
Hello Mariam,
On Tue, Jun 20, 2023 at 11:50:51AM -0500, Mariam John wrote:
> This is an implementation of feature request
> [#2165](https://github.com/haproxy/haproxy/issues/2165),
> to get the EC curve name used during the key agreement in OpenSSL. This patch
> includes the following
> changes:
> - new sample fetch methods `ssl_fc_curve` and `ssl_bc_curve`, to get the
> curve name
> - doc changes to add description for the new sample fetch methods
> - updates the existing regression tests to test the new sample fetch methods
>
> This uses the function `SSL_get_negotiated_group` method available from the
> OpenSSLv3 release.
>
Thanks for your contribution, review below.
On Tue, Jun 20, 2023 at 11:50:52AM -0500, Mariam John wrote:
> Adds a new sample fetch method to get the curve name used in the
> key agreement to enable better observability. In OpenSSLv3, the function
> `SSL_get_negotiated_group` returns the NID of the curve and from the NID,
> we get the curve name by passing the NID to OBJ_nid2sn. This was not
> available in v1.1.1. SSL_get_curve_name(), which returns the curve name
> directly was merged into OpenSSL master branch last week but will be available
> only in its next release.
> ---
> doc/configuration.txt| 8 +
> reg-tests/ssl/ssl_client_samples.vtc | 2 ++
> reg-tests/ssl/ssl_curves.vtc | 4 +++
> src/ssl_sample.c | 46
> 4 files changed, 60 insertions(+)
>
> diff --git a/doc/configuration.txt b/doc/configuration.txt
> index 8bcfc3c06..d944ac132 100644
> --- a/doc/configuration.txt
> +++ b/doc/configuration.txt
> @@ -20646,6 +20646,10 @@ ssl_bc_cipher : string
>over an SSL/TLS transport layer. It can be used in a tcp-check or an
>http-check ruleset.
>
> +ssl_bc_curve : string
> + Returns the name of the curve used in the key agreement when the outgoing
> + connection was made over an SSL/TLS transport layer.
> +
> ssl_bc_client_random : binary
>Returns the client random of the back connection when the incoming
> connection
>was made over an SSL/TLS transport layer. It is useful to to decrypt
> traffic
> @@ -20944,6 +20948,10 @@ ssl_fc_cipher : string
>Returns the name of the used cipher when the incoming connection was made
>over an SSL/TLS transport layer.
>
> +ssl_fc_curve : string
> + Returns the name of the curve used in the key agreement when the incoming
> + connection was made over an SSL/TLS transport layer.
> +
As Lukas mentioned, be careful with the alphabetical order in the
configuration and the required OpenSSL version.
> ssl_fc_cipherlist_bin([]) : binary
>Returns the binary form of the client hello cipher list. The maximum
>returned value length is limited by the shared capture buffer size
> diff --git a/reg-tests/ssl/ssl_client_samples.vtc
> b/reg-tests/ssl/ssl_client_samples.vtc
> index 5a84e4b25..1f078ea98 100644
> --- a/reg-tests/ssl/ssl_client_samples.vtc
> +++ b/reg-tests/ssl/ssl_client_samples.vtc
> @@ -46,6 +46,7 @@ haproxy h1 -conf {
> http-response add-header x-ssl-s_serial %[ssl_c_serial,hex]
> http-response add-header x-ssl-key_alg %[ssl_c_key_alg]
> http-response add-header x-ssl-version %[ssl_c_version]
> +http-response add-header x-ssl-curve-name %[ssl_fc_curve]
>
> bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file
> ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file
> ${testdir}/crl-auth.pem
>
> @@ -69,6 +70,7 @@ client c1 -connect ${h1_clearlst_sock} {
> expect resp.http.x-ssl-s_serial == "02"
> expect resp.http.x-ssl-key_alg == "rsaEncryption"
> expect resp.http.x-ssl-version == "1"
> +expect resp.http.x-ssl-curve-name == "X25519"
> } -run
>
The ssl_client_samples.vtc file is dedicated to samples used in Client
Authentication, so I don't think it should be here.
> diff --git a/reg-tests/ssl/ssl_curves.vtc b/reg-tests/ssl/ssl_curves.vtc
> index 5cc70df14..3dbe47c4d 100644
> --- a/reg-tests/ssl/ssl_curves.vtc
> +++ b/reg-tests/ssl/ssl_curves.vtc
> @@ -75,6 +75,7 @@ haproxy h1 -conf {
> listen ssl1-lst
> bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/common.pem ca-file
> ${testdir}/set_cafile_rootCA.crt verify optional curves P-256:P-384
> server s1 ${s1_addr}:${s1_port}
> +http-response add-header x-ssl-fc-curve-name %[ssl_fc_curve]
>
> # The prime256v1 curve, which is used by default by a backend when no
> # 'curves' or 'ecdhe' option is specified, is not allowed on this
> listener
> @@ -98,6 +99,7 @@ haproxy h1 -conf {
>
> bind "${tmpdir}/ssl-ecdhe-256.sock" ssl crt ${testdir}/common.pem
> ca-file ${testdir}/set_cafile_rootCA.crt verify optional ecdhe prime256v1
> server s1 ${s1_addr}:${s1_port}
> +http-response add-header x-ssl-fc-curve-name %[ssl_fc_curve]
>
> } -start
>
> @@ -105,6 +107,7 @@ client c1 -connect ${h1_clearlst_sock} {
>
[PATCH 0/1] Implement new sample fetch method to get the curve name used in key agreement
This is an implementation of feature request [#2165](https://github.com/haproxy/haproxy/issues/2165), to get the EC curve name used during the key agreement in OpenSSL. This patch includes the following changes: - new sample fetch methods `ssl_fc_curve` and `ssl_bc_curve`, to get the curve name - doc changes to add description for the new sample fetch methods - updates the existing regression tests to test the new sample fetch methods This uses the function `SSL_get_negotiated_group` method available from the OpenSSLv3 release. Thank you. Mariam John (1): MEDIUM: ssl: new sample fetch method to get curve name doc/configuration.txt| 8 + reg-tests/ssl/ssl_client_samples.vtc | 2 ++ reg-tests/ssl/ssl_curves.vtc | 4 +++ src/ssl_sample.c | 46 4 files changed, 60 insertions(+) -- 2.39.2 (Apple Git-143)
