RE: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
Hi Arne,

> I ran sudo haproxy -d -f /etc/haproxy/haproxy.cfg > haproxy-d.log 2>&1 to
> capture the log output, I can't see anything obvious...

In fact, I don't see anything wrong with these logs ...

Looking at the bisected commit, I highly suspect an SNI-related regression. I assume SSLexplorer doesn't support SNI and sends the client_hello without server name indication.

I don't have a lot of time to fully test SNI these days. Arne, would you be able to test SSL after that commit with an SNI-capable client and, more importantly, with a non-SNI-capable client (like Win XP + IE)? Perhaps that commit broke SSL for non-SNI-capable clients?

Anyway, I'm CC'ing Emmanuel, the author of that commit.

Regards,
Lukas
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
On Fri, May 31, 2013 at 9:41 AM, Lukas Tribus luky...@hotmail.com wrote:
> Hi Arne,
>
> > I ran sudo haproxy -d -f /etc/haproxy/haproxy.cfg > haproxy-d.log 2>&1 to
> > capture the log output, I can't see anything obvious...
>
> In fact, I don't see anything wrong with these logs ...
>
> Looking at the bisected commit, I highly suspect an SNI-related regression.
> I assume SSLexplorer doesn't support SNI and sends the client_hello without
> server name indication.
>
> I don't have a lot of time to fully test SNI these days. Arne, would you be
> able to test SSL after that commit with an SNI-capable client and, more
> importantly, with a non-SNI-capable client (like Win XP + IE)? Perhaps that
> commit broke SSL for non-SNI-capable clients?
>
> Anyway, I'm CC'ing Emmanuel, the author of that commit.
>
> Regards,
> Lukas

Apologies for not making this clearer, it is the SSLExplorer _Agent_ that fails.

I can spin up an XP VM and test that IE 6 can connect to the SSLExplorer web interface over HAProxy 18-39, but as I'm not using SNI in the HAProxy config, I'm not sure how much use this would be; I would presume that if 18-39 broke non-SNI-capable clients, others might have already noticed and reported it?

Cheers
Arne
RE: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
> Apologies for not making this clearer, it is the SSLExplorer _Agent_ that fails.

By agent you mean the client which is on the frontend from a HAProxy perspective?

> I can spin up an XP VM and test that IE 6 can connect to the SSLExplorer web
> interface over HAProxy 18-39, but as I'm not using SNI in the HAProxy config,
> I'm not sure how much use this would be; I would presume that if 18-39 broke
> non-SNI-capable clients, others might have already noticed and reported it?

The commit is pretty young, I don't think a lot of people already run this code.

Even if you don't use SNI, the commit could break SSL. The thing we know for certain is that this commit breaks things for you, and we also know for certain that this commit touches SNI/SSL, so it does make sense to check with SNI-capable and non-capable clients.

Regards,
Lukas
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
Hi,

My bad… This fix should solve the issue:

diff -ru haproxy-ss-20130530/src/ssl_sock.c haproxy-ss-20130530-fix/src/ssl_sock.c --- haproxy-ss-20130530/src/ssl_sock.c 2013-05-29 15:54:14.0 +0200 +++ haproxy-ss-20130530-fix/src/ssl_sock.c 2013-05-31 12:00:38.542448533 +0200 @@ -197,7 +197,7 @@ if (!servername) { return (s-strict_sni ? SSL_TLSEXT_ERR_ALERT_FATAL : - SSL_TLSEXT_ERR_ALERT_WARNING); + SSL_TLSEXT_ERR_NOACK); } for (i = 0; i trash.size; i++) {

Regards,
Emmanuel

On 31 May 2013 at 11:38, Lukas Tribus wrote:
> > Apologies for not making this clearer, it is the SSLExplorer _Agent_ that fails.
>
> By agent you mean the client which is on the frontend from a HAProxy perspective?
>
> > I can spin up an XP VM and test that IE 6 can connect to the SSLExplorer web
> > interface over HAProxy 18-39, but as I'm not using SNI in the HAProxy config,
> > I'm not sure how much use this would be; I would presume that if 18-39 broke
> > non-SNI-capable clients, others might have already noticed and reported it?
>
> The commit is pretty young, I don't think a lot of people already run this code.
>
> Even if you don't use SNI, the commit could break SSL. The thing we know for
> certain is that this commit breaks things for you, and we also know for certain
> that this commit touches SNI/SSL, so it does make sense to check with
> SNI-capable and non-capable clients.
>
> Regards,
> Lukas
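Review bot: the only change, SSL_TLSEXT_ERR_ALERT_WARNING to SSL_TLSEXT_ERR_NOACK in the "if (!servername)" branch, carries no comment and the mail gives no rationale, so a later reader sees two return codes that look interchangeable; add a comment above the return saying that a client which omits SNI must not be answered with a warning-level unrecognized_name alert (that is what OpenSSL emits for ALERT_WARNING, and some clients, the SSLExplorer agent in this thread, abort the handshake on it), whereas NOACK leaves the extension unacknowledged and sends nothing. The strict_sni arm still answers a missing servername with SSL_TLSEXT_ERR_ALERT_FATAL; that matches what strict-sni is for (refuse a client that presents no usable name), but say so in the commit message, since it is the obvious next thing someone will "fix" the same way.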
RE: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
Arne, Emmanuel,

I can successfully reproduce the issue with an old wget build on win32.

It seems to me the SSL_TLSEXT_ERR_ALERT_WARNING is upsetting certain clients.

Arne, could you try the following patch on top of current HEAD. Emmanuel, could you share your thoughts about this?

Regards,
Lukas

diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 38e95a8..531cfa1 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -197,7 +197,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s) if (!servername) { return (s-strict_sni ? SSL_TLSEXT_ERR_ALERT_FATAL : - SSL_TLSEXT_ERR_ALERT_WARNING); + SSL_TLSEXT_ERR_NOACK); } for (i = 0; i trash.size; i++) {
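Review bot: the patch has no commit message and is the same one-line swap to SSL_TLSEXT_ERR_NOACK that Emmanuel posted, so the reasoning exists only in this mail; put the reproduction (old win32 wget, the SSLExplorer agent) and the mechanism (ALERT_WARNING makes OpenSSL send a warning-level unrecognized_name alert that those clients treat as fatal, NOACK sends nothing) into the commit message, and add a one-line comment at the return in ssl_sock_switchctx_cbk for the same reason. A regression check is cheap and worth noting with the patch: openssl s_client -msg -connect host:443 without -servername against a bind line with a crt must complete the handshake with no Alert record in the output, and the same connection against a strict-sni bind must get the fatal alert that the untouched first arm of the ternary still returns.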
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
On Fri, May 31, 2013 at 11:14 AM, Lukas Tribus luky...@hotmail.com wrote:
> Arne, Emmanuel,
>
> I can successfully reproduce the issue with an old wget build on win32.
>
> It seems to me the SSL_TLSEXT_ERR_ALERT_WARNING is upsetting certain clients.
>
> Arne, could you try the following patch on top of current HEAD. Emmanuel,
> could you share your thoughts about this?
>
> Regards,
> Lukas
>
> diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 38e95a8..531cfa1 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -197,7 +197,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s) if (!servername) { return (s-strict_sni ? SSL_TLSEXT_ERR_ALERT_FATAL : - SSL_TLSEXT_ERR_ALERT_WARNING); + SSL_TLSEXT_ERR_NOACK); } for (i = 0; i trash.size; i++) {

As there's nothing quite like displaying my incompetence in public :-)

It was only yesterday that I used git bisect and checkout for the first time. I haven't got a clue on how to apply a diff; if somebody could point me in the direction of a suitable howto it would be much appreciated.

Apologies for asking newbie questions.

Cheers
Arne
RE: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
Hi Arne,

just git pull, the fix was committed 10 minutes ago (dev18-53).

Lukas
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
On Fri, May 31, 2013 at 1:12 PM, Lukas Tribus luky...@hotmail.com wrote:
> Hi Arne,
>
> just git pull, the fix was committed 10 minutes ago (dev18-53).
>
> Lukas

18-53 works :-)

Many thanks
Arne
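Two claims made earlier in this thread, Lukas's guess that the SSLExplorer agent sends its ClientHello without a server_name extension and his finding that the SSL_TLSEXT_ERR_ALERT_WARNING return is what upsets such clients, can be confirmed from a packet capture without the agent itself. The following is an added example written for this page, not code from the thread, from HAProxy or from SSLExplorer: it parses a TLS ClientHello record for the SNI extension (RFC 6066 type 0) and a TLS alert record for its level and description, and maps the three return values the ssl_sock_switchctx_cbk patches choose between to the alert OpenSSL emits for each (unrecognized_name is OpenSSL's default alert description for the servername callback unless the callback changes *al). The ClientHellos are built by a small constructor inside the block and the alert bytes are hand-assembled; none of it is captured traffic, and vpn.example.com is a placeholder.

```python
"""Offline checks for the two facts argued in this thread: does a captured ClientHello carry a
server_name (SNI) extension, and which alert, if any, did the server send back?  Added example
for this page, not HAProxy or SSLExplorer code; every input below is constructed, not captured."""
import struct
TLS_ALERT, TLS_HANDSHAKE, HS_CLIENT_HELLO = 21, 22, 1
EXT_SERVER_NAME = 0                                   # RFC 6066 extension type for SNI
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 112: "unrecognized_name"}
# Alert OpenSSL sends for each servername-callback return value (the constants the HAProxy
# patches choose between); the description is unrecognized_name unless the callback sets *al.
ALERT_FOR_CALLBACK_RESULT = {
    "SSL_TLSEXT_ERR_NOACK": None,                     # extension unacknowledged, no alert
    "SSL_TLSEXT_ERR_ALERT_WARNING": ("warning", "unrecognized_name"),
    "SSL_TLSEXT_ERR_ALERT_FATAL": ("fatal", "unrecognized_name"),
}

def _u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]

def parse_record_header(record):
    """Split one TLS record into (content_type, version, payload); rejects truncation."""
    if len(record) < 5:
        raise ValueError("short record")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return ctype, version, payload

def parse_server_name(ext_data):
    """Return the host_name entry of a server_name extension body, or None."""
    pos, end = 2, 2 + _u16(ext_data, 0)
    while pos + 3 <= end:
        name_type, name_len = struct.unpack_from("!BH", ext_data, pos)
        name, pos = ext_data[pos + 3:pos + 3 + name_len], pos + 3 + name_len
        if name_type == 0:                            # 0 = host_name
            return name.decode("ascii")
    return None

def parse_client_hello(record):
    """Parse a ClientHello record; 'sni' is None when no server_name extension was sent."""
    ctype, _, payload = parse_record_header(record)
    if ctype != TLS_HANDSHAKE or len(payload) < 4 or payload[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    hs_len = int.from_bytes(payload[1:4], "big")
    hello = payload[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    version, pos = _u16(hello, 0), 2 + 32             # client_version, client_random
    pos += 1 + hello[pos]                             # session_id
    cs_len, pos = _u16(hello, pos), pos + 2
    cipher_suites = [_u16(hello, pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                             # compression_methods
    extensions, sni = [], None
    if pos < len(hello):                              # pre-extension clients stop here
        end, pos = pos + 2 + _u16(hello, pos), pos + 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            ext_data, pos = hello[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            extensions.append(ext_type)
            if ext_type == EXT_SERVER_NAME:
                sni = parse_server_name(ext_data)
    return {"version": version, "cipher_suites": cipher_suites,
            "extensions": extensions, "sni": sni}

def parse_alert(record):
    ctype, _, payload = parse_record_header(record)
    if ctype != TLS_ALERT or len(payload) != 2:
        raise ValueError("not an alert record")
    level, desc = payload
    return ALERT_LEVELS.get(level, str(level)), ALERT_DESCRIPTIONS.get(desc, str(desc))

def build_client_hello(sni=None, cipher_suites=(0x002F, 0x0035)):
    """Constructed minimal TLS 1.0 ClientHello (zero random, empty session id), for tests."""
    body = struct.pack("!H", 0x0301) + bytes(32) + b"\x00"
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # null compression only
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
        ext_body = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(ext_body)) + ext_body
        body += struct.pack("!H", len(ext)) + ext
    msg = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(msg)) + msg

def build_alert(level, description):                  # constructed alert record, for tests
    return struct.pack("!BHH", TLS_ALERT, 0x0301, 2) + bytes([level, description])

def diagnose(client_record, server_alert_record=None):
    """Name the callback result consistent with what a non-SNI client got back."""
    hello = parse_client_hello(client_record)
    alert = parse_alert(server_alert_record) if server_alert_record else None
    if hello["sni"] is not None:
        return "SNI %s sent; alert %r" % (hello["sni"], alert)
    for result, expected in ALERT_FOR_CALLBACK_RESULT.items():
        if expected == alert:
            return "no SNI sent; server behaved like %s" % result
    return "no SNI sent; unexpected alert %r" % (alert,)
```

Hand parse_client_hello() the bytes of the first record the client sends (the payload of the first TLS segment in a capture) and parse_alert() the first server record with content type 21. A ClientHello with sni None followed by a warning/unrecognized_name alert is the 18-39 behaviour; after the dev18-53 change the server sends no alert at all for a missing servername, and a strict-sni bind answers with the fatal variant instead.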
RE: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
Hi Arne!

> I'd be very happy to step through individual 1.5dev18 releases after 30 until
> I find the one that breaks SSL Explorer, but I have a slight problem in that I
> haven't got a clue on how to check out each individual release from git.

You can use git bisect to do this:
http://webchick.net/node/99

Lukas
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
On Thu, May 30, 2013 at 1:28 PM, Lukas Tribus luky...@hotmail.com wrote:
> Hi Arne!
>
> > I'd be very happy to step through individual 1.5dev18 releases after 30
> > until I find the one that breaks SSL Explorer, but I have a slight problem
> > in that I haven't got a clue on how to check out each individual release
> > from git.
>
> You can use git bisect to do this:
> http://webchick.net/node/99
>
> Lukas

Hi Lukas,

So to go back to 18-30, should I

    make clean
    git checkout 9f04853
    make TARGET=(etc)

then make install (etc)?

Cheers
Arne
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
18-38 is fine, 18-39 is broken.

18-39 would be the commit
http://git.1wt.eu/web?p=haproxy.git;a=commit;h=7c41a1b59b005a75914121a604ede449374b8de7

I've removed the other parts of the config, but the relevant sections of the haproxy.cfg look like

local@haproxy-2:~$ cat /etc/haproxy/haproxy.cfg
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 4096
    stats socket /var/run/haproxy.stat mode 600 level admin
    chroot /usr/share/haproxy
    daemon
    #debug
    #quiet

defaults
    mode http
    contimeout 5000
    clitimeout 36
    srvtimeout 36

frontend sslexplorerHTTP
    mode http
    bind 10.201.253.207:80
    option tcpka
    default_backend BsslexplorerHTTP

frontend sslexplorerHTTPS
    mode http
    bind 10.201.253.207:443 ssl crt /etc/haproxy/ssl.primarydomain.com.crt ciphers RC4:HIGH:!aNULL:!MD5;
    option tcpka
    default_backend BsslexplorerHTTPS

backend BsslexplorerHTTP
    mode http
    option ssl-hello-chk
    option tcpka
    option persist
    option redispatch
    stick-table type ip size 1024k expire 30m
    stick on src
    server sslexplorer 10.201.253.56 weight 200 check port 443 inter 5000ms rise 3 fall 2

backend BsslexplorerHTTPS
    mode http
    option ssl-hello-chk
    option tcpka
    option persist
    option redispatch
    stick-table type ip size 1024k expire 30m
    stick on src
    server sslexplorer 10.201.253.56 ssl weight 200 check port 443 inter 5000ms rise 3 fall 2

listen stats :7000
    stats enable
    stats uri /
    option httpclose
    stats auth haproxy:haproxy
    stats admin if TRUE

I don't get much in the way of an error in the SSL Explorer agent beyond a popup saying "The SSL-Explorer Agent failed connect", and the web page displays "failed to sync".

Cheers
Arne
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
On Thu, May 30, 2013 at 2:53 PM, shouldbe q931 shouldbeq...@gmail.com wrote:
> 18-38 is fine, 18-39 is broken.
>
> 18-39 would be the commit
> http://git.1wt.eu/web?p=haproxy.git;a=commit;h=7c41a1b59b005a75914121a604ede449374b8de7

working version

haproxy -vv
HA-Proxy version 1.5-dev18-38 2013/05/07
Copyright 2000-2013 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_LIBCRYPT=1 USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3.4
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
Running on OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.12 2011-01-15
PCRE library supports JIT : no (USE_PCRE_JIT not set)

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

the build options etc on 18-39 are identical

the OS is Ubuntu 12.04.2

Cheers
Arne
RE: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
Hi Arne,

can you start haproxy with the debug options enabled (-d) and catch the output while a request fails?

Thanks,
Lukas
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
On Thu, May 30, 2013 at 3:11 PM, Lukas Tribus luky...@hotmail.com wrote:
> Hi Arne,
>
> can you start haproxy with the debug options enabled (-d) and catch the
> output while a request fails?
>
> Thanks,
> Lukas

I ran sudo haproxy -d -f /etc/haproxy/haproxy.cfg > haproxy-d.log 2>&1 to capture the log output, I can't see anything obvious...

I'd rather send the log to you/Willy than send it to the list.

Cheers
Arne.