Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey guys, Happy new year! I¹ve attached a patch to fix formatting issues in the doc for my section: Thanks! -Dave On 12/15/15, 1:13 AM, "Willy Tarreau" wrote: >Hi Lukas, > >On Tue, Dec 15, 2015 at 01:44:18AM +0100, Lukas Tribus wrote: >> Hey guys, >> >> thanks everyone

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Sorry for the spam, just found another error. New patch attached. -Dave On 1/5/16, 12:56 PM, "Dave Zhu (yanbzhu)" <yanb...@cisco.com> wrote: >Hey guys, > >Happy new year! > >I¹ve attached a patch to fix formatting issues in the doc for my section: > >Tha

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

On 12/14/15, 5:27 AM, "Willy Tarreau" <w...@1wt.eu> wrote: >Hi guys, > >On Thu, Dec 10, 2015 at 09:29:57PM +0100, Janusz Dziemidowicz wrote: >> 2015-12-10 21:14 GMT+01:00 Dave Zhu (yanbzhu) <yanb...@cisco.com>: >> > Finished OCSP portion. It???s in

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

at 10:32:02PM +, Dave Zhu (yanbzhu) wrote: >> Hey Willy, >> >> On 12/8/15, 5:27 PM, "Willy Tarreau" <w...@1wt.eu> wrote: >> > >> >In my opinion, these suffixes should be used only after the real cert >> >file name. So when you load &quo

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey Willy, On 12/8/15, 5:40 PM, "Willy Tarreau" wrote: >>>I do think so. We'll just have to remerge 4, 5 and 6 into their >>>respective >> >patches (2 apparently) and we're good to go. If Emeric doesn't raise >>any >> >objection (apparently you addressed his concerns) I can merge

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

etting the RSA certificate. -Bryan On Mon, Dec 7, 2015 at 1:44 PM, Willy Tarreau <w...@1wt.eu<mailto:w...@1wt.eu>> wrote: On Mon, Dec 07, 2015 at 08:48:53PM +, Dave Zhu (yanbzhu) wrote: > Hey Willy > > On 12/7/15, 3:11 PM, "Willy Tarreau" <w...@1wt.eu&l

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

connect AND negotiate and use the 256 bit ECDSA certificate and not the RSA cert. My tests always show the ECC capable client still getting the RSA certificate. -Bryan On Mon, Dec 7, 2015 at 1:44 PM, Willy Tarreau <w...@1wt.eu<mailto:w...@1wt.eu>> wrote: On Mon, Dec 07, 201

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey Willy, On 12/8/15, 5:27 PM, "Willy Tarreau" wrote: > >In my opinion, these suffixes should be used only after the real cert >file name. So when you load "foobar.ecdsa", you should only consider >"foobar.ecdsa.ocsp" and so on. And from what I remember, on the CLI >we mention the

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

mailto:ni...@nimzo.info>>, "haproxy@formilux.org<mailto:haproxy@formilux.org>" <haproxy@formilux.org<mailto:haproxy@formilux.org>> Subject: Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching On Tue, Dec 8, 2015 at 11:18 AM, Dave Zhu (yanbzhu) <yanb.

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

ching On Fri, Dec 4, 2015 at 10:17 AM, Bryan Talbot <bryan.tal...@ijji.com<mailto:bryan.tal...@ijji.com>> wrote: On Fri, Dec 4, 2015 at 6:15 AM, Dave Zhu (yanbzhu) <yanb...@cisco.com<mailto:yanb...@cisco.com>> wrote: Hey Bryan, it’s strange that it’s always loading the ECC cert. I j

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

based SSL CTX switching On Fri, Dec 4, 2015 at 10:17 AM, Bryan Talbot <bryan.tal...@ijji.com<mailto:bryan.tal...@ijji.com>> wrote: On Fri, Dec 4, 2015 at 6:15 AM, Dave Zhu (yanbzhu) <yanb...@cisco.com<mailto:yanb...@cisco.com>> wrote: Hey Bryan, it’s strange tha

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

.com>>, "haproxy@formilux.org<mailto:haproxy@formilux.org>" <haproxy@formilux.org<mailto:haproxy@formilux.org>> Subject: Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching On Fri, Dec 4, 2015 at 10:17 AM, Bryan Talbot <bryan.tal...@ijji.com<mailto:b

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

here so people don’t have to track them down. Patches 1,2, and 3 are identical to the original. Please take a look. -Dave On 12/3/15, 2:35 PM, "Willy Tarreau" <w...@1wt.eu> wrote: >On Thu, Dec 03, 2015 at 07:24:10PM +, Dave Zhu (yanbzhu) wrote: >> HAProxy will

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

In my testing with a bind line of bind :8443 ssl crt ./var/tls/localhost.pem the ECC cert is loaded if it is in that directory no matter what the file name is. -Bryan On Thu, Dec 3, 2015 at 2:15 PM, Bryan Talbot <bryan.tal...@ijji.com<mailto:bryan.tal...@ijji.com>> wrote: On Thu

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey Emeric, I’m in the process of cleaning up the patches, indentation and style so I’ll post up another set to the mailing list as Willy suggested. -Dave On 12/3/15, 9:56 AM, "Emeric Brun" <eb...@haproxy.com> wrote: >On 12/02/2015 08:17 PM, Dave Zhu (yanbzhu) wrote: >&g

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey Willy On 12/3/15, 1:40 AM, "Willy Tarreau" wrote: >I didn't understand what you meant with this last sentence, it sounds like >there could be multiple default contexts which are more or less randomly >chosen so that confuses me. Sorry if that was confusing. I was merely trying

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey Willy On 12/3/15, 1:34 PM, "Willy Tarreau" wrote: > >I'm sorry but I'm missing something. In which case could we have the >choice >between multiple SSL_CTX ? My understanding is that if the SNI is not >found >in the list, we currenlty fall back to the default cert. Now the

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

stored in memory instead of reading the file multiple times. This will be used to support a later commit to load multiple pkeys/certs into a single SSL_CTX On Thu, Dec 3, 2015 at 9:47 AM, Dave Zhu (yanbzhu) <yanb...@cisco.com<mailto:yanb...@cisco.com>> wrote: Hey Emer

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey Emeric, On 12/3/15, 9:56 AM, "Emeric Brun" wrote: > >But i notice some inconsistencies. > >Patch2 (crt conf keywoard): >If the file without key extension is present, this file is loaded but >also the multi_load is called. > >However in Patch3 (crt-list) >If the file

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

. Patch 1 - http://pastebin.com/B9KXnEZN Patch 2 - http://pastebin.com/qFXq2Pbe Patch 3 - http://pastebin.com/F9Y1N2YN Please take a look. -Dave On 12/1/15, 10:09 AM, "Willy Tarreau" <w...@1wt.eu> wrote: >Hi Dave, > >On Tue, Dec 01, 2015 at 03:04:21PM +, Dave Zhu (yanbz

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey Willy, On 8/25/15, 10:36 AM, Willy Tarreau w...@1wt.eu wrote: This means that the RSA/DSA/ECDSA cert names must be derived from the original cert name. I¹ve thought of a way to avoid this behavior, with the end result being very similar to what you/Emeric proposed. What if we delayed the

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Emeric, Code initially use 'ctx-default_passwd_callback_userdata' to allow us to manage a further way to manage passphrase via configuration. As far as I could tell, this field was not getting set anywhere in the code. It¹s set with SSL_CTX_set_default_passwd_cb, which I did not find in the

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey Emeric, In 1.0.2, we can make use of API to load multiple certificate chains into a CTX. Prior to 1.0.2, you could not load the chains. So the checks ensure that we make use of the new APIs, and can then serve the correct certificate to users based on the user¹s cipher suite. I see,

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey Willy FWIW, some users ask that we can load a cert's passphrase from a file, I was supposed to look at this but didn't have time, maybe the callback above would be what will be needed for this, though I have no idea yet. Willy If that¹s the case, then we should definitely include the

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey Emeric, I think you don't notice that certificate in the wild card tree are not stored using their fullnames (we exclude the '*' and start at the first '.'). No I did not notice this, but I believe this is actually a good thing. This way, crt-list entries with a filter will always get

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

On 8/21/15, 1:07 PM, Dave Zhu (yanbzhu) yanb...@cisco.com wrote: Hey Emeric, I think you don't notice that certificate in the wild card tree are not stored using their fullnames (we exclude the '*' and start at the first '.'). No I did not notice this, but I believe this is actually a good

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey guys, I haven’t gotten any feedback for this feature. Unless there’s severe objections, I’ll go ahead and push this to up to master. Thanks, -Dave On 7/7/15, 3:21 PM, Dave Zhu (yanbzhu) yanb...@cisco.com wrote: Hey guys, Sorry for the radio silence, other projects picked up and so I

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Emeric responded here: http://marc.info/?l=haproxym=143643724320705w=2 Not sure what you mean by pushing this to master...? Lukas I¹m so sorry for that. I did not get that email. Even though I am subscribed to the list. IT must be filtering it somehow. I¹ll use the website from now on.

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Emeric responded here: http://marc.info/?l=haproxym=143643724320705w=2 Not sure what you mean by pushing this to master...? Lukas I¹ve corrected the indentation to use tabs instead of spaces. Here¹s the new diff: Is there a better method to do code reviews other than using the mailing list?

HAProxy New Config Flag: FIPS Mode

Hello all, I’ve run into a situation where OpenSSL within haproxy needs to be put into FIPS Mode (see links at bottom). The easiest way to do this is via a global config option. This is pretty trivial to add. Is there any interest in taking this feature into the main codebase? Are there any

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

On 6/25/15, 5:17 AM, Remi Gacogne rgaco...@coredump.fr wrote: Hey Remy, thanks for your feedback! However, I have some concerns about the use of SSL_set_session_secret_cb() for this feature, because it was clearly not designed for this kind of manipulation. It has been removed from BoringSSL

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey, Yes, sorry, I didn't realize it earlier but that's not true for all OpenSSL versions. Starting with OpenSSL 1.0.0, tls1_process_ticket() will decline decrypting session tickets sent by the client if the session_secret_cb is in use: if (s-tls_session_secret_cb)

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hey Willy, Lukas explained it pretty well, but I can expound on it some more. You can imagine a situation where HAProxy has 2 certificates of different key types; one ECDSA and one RSA. In the current codebase, if no SNI is used, the certificate that is used will be whichever certificate is the

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

I’ve coded up the functionality to check all of the intermediate certificates to ensure that they match the private key of the crt file. I’ve decided to toggle this functionality as a config option. Users can either choose to disable this entire feature (default), match only the private key/cert,

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

No, I do not handle that case at the moment. This is the kind of feedback I¹m looking for so thanks! I will start modifying the code to try to accommodate this. Any thoughts on the version of OpenSSL to try to code to? -Dave On 6/24/15, 11:54 AM, Lukas Tribus luky...@hotmail.com wrote: Does

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

On 6/24/15, 2:58 PM, Willy Tarreau w...@1wt.eu wrote: What I'm understanding here is that instead of using SNI only as the key to pick a cert, we want the (SNI, algo) combination. Coudln't we have two certs per SNI entry ? One in RSA form, the other one in ECDSA, and only provide what is supported

Contribution for HAProxy: Peer Cipher based SSL CTX switching

Hello all, I have a proposed enhancement that I have coded up and would like your comments. The idea behind this is that when HAProxy is used to terminate SSL, and is configured with multiple certificates/keys with different key types (RSA, ECDSA, DSA), it only serves up the first cert/key