RE: How to suppress weak ciphers

2020-04-22 Thread Branitsky, Norman
Jerome,

Thanks for the clarification.

This string:

CHACHA20:AESGCM:AESCCM:!RSA

resulted in an F grade from SSL Labs due to the inclusion of TLS_DH_anon
ciphers:

[image: SSL Labs report]

After adding the following to the end of the string, scored an A+:

:!aNULL

Norman Branitsky
Senior Cloud Architect
P: 416-916-1752





-Original Message-
From: Jerome Magnin 
Sent: Wednesday, April 22, 2020 3:20 PM
To: Branitsky, Norman 
Cc: haproxy@formilux.org
Subject: Re: How to suppress weak ciphers



On Wed, Apr 22, 2020 at 06:20:14PM +, Branitsky, Norman wrote:

> As you can see from my pasted configuration, I was specifying exactly 4
> ciphers.
> The 2 weak CBC ciphers were magically appearing in the SSL Labs report.
> I tried to explicitly delete them - but the delete request is ignored.
>
> It seems that this entry, for example, must actually be a family:
> ECDHE-RSA-AES256-SHA384
> which includes
> ECDHE-RSA-AES256-CBC-SHA384
> Not clear why the explicit delete command doesn't delete the CBC cipher.
>

The configuration you shared excludes ciphers that are not actually ciphers.
I'm guessing this is why you still see what you try to disable when you test
with SSL Labs.

There is no ECDHE-RSA-AES256-CBC-SHA384 in man ciphers(1), and no
ECDHE-RSA-AES128-CBC-SHA384.

On the other hand ECDHE-RSA-AES256-SHA384 is the OpenSSL equivalent to
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, so you probably got things mixed up.

> Do you use the following specification and do you find sufficient support of
> existing browsers?
> ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA
> Or is this too aggressive?
>

It does not support Safari 6 to 8 on iOS and OS X, and IE11 on Windows Phone
8.1.
I can share the SSL Labs report privately if you want.

Jérôme


"COVID-19: Face Masks & Hand Sanitizer"

2020-04-22 Thread Joe Meese
Hello,

Trying to get in contact with the purchasing team regarding face masks and
hand sanitizer.

We can urgently supply 3PY, N95, KN95, FFP2, FFP3, Hand Sanitizers, Gloves,
Hazmat Suits at a great price.

*Please check:* http://www.ppekits.net/supply/

Let me know if you have any questions.


Thanks,

--
Joe Meese - Director of Marketing
The Dioz Group of Companies - Emergencyessentials
Office in the UK,  USA,  Australia.
HQ: 8730 Wilshire Blvd, Penthouse
Beverly Hills, CA 90211
Free Call: 855 525 2642

You may unsubscribe

to stop receiving our emails.


Response time by http method

2020-04-22 Thread Seena Fallah
Hi all.

I think there is a parameter really missing in the Prometheus exporter: there
is no response time metric by HTTP method. To monitor the state of response
times there is a need for this metric. Any plan for it to be added?
Issue: https://github.com/haproxy/haproxy/issues/580

Thanks,


OT: I love this Project ;-)

2020-04-22 Thread Aleksandar Lazic
Hi all.

I know it's a little bit off topic, but because I have reached a big milestone
in another project with the support of the people here, I would like to say:

The HAProxy people, community and program are really great ;-) ;-) ;-) ;-).

Very best wishes

Aleks



Re: How to suppress weak ciphers

2020-04-22 Thread Jerome Magnin
On Wed, Apr 22, 2020 at 06:20:14PM +, Branitsky, Norman wrote:
> As you can see from my pasted configuration, I was specifying exactly 4 
> ciphers.
> The 2 weak CBC ciphers were magically appearing in the SSL Labs report.
> I tried to explicitly delete them - but the delete request is ignored.
> 
> It seems that this entry, for example, must actually be a family:
> ECDHE-RSA-AES256-SHA384
> which includes
> ECDHE-RSA-AES256-CBC-SHA384
> Not clear why the explicit delete command doesn't delete the CBC cipher.
> 

The configuration you shared excludes ciphers that are not actually ciphers. I'm
guessing this is why you still see what you try to disable when you test with
SSL Labs.

There is no ECDHE-RSA-AES256-CBC-SHA384 in man ciphers(1), and no
ECDHE-RSA-AES128-CBC-SHA384.

On the other hand ECDHE-RSA-AES256-SHA384 is the OpenSSL equivalent to
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, so you probably got things mixed up.


> Do you use the following specification and do you find sufficient support of 
> existing browsers?
> ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA
> Or is this too aggressive?
>
It does not support Safari 6 to 8 on iOS and OS X, and IE11 on Windows
Phone 8.1.
I can share the SSL Labs report privately if you want.

Jérôme



RE: How to suppress weak ciphers

2020-04-22 Thread Zakharychev, Bob
FWIW, here's what we use in production with HAProxy 2.1.4 statically linked
with OpenSSL 1.1.1f; it gives us an A rating with a 90 score for cipher
strength from the SSL Labs test:

# recommended modern ciphersuites. Qualys SSLLab reports some of them
# as weak due to use of inferior CBC mode, but disabling them breaks
# compatibility with quite a few browsers still in the wild.
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# TLSv1.3 ciphersuites: for now, the same as OpenSSL default
ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
# Disable TLSv1.1 and down and TLS tickets
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

Here's what they report for TLS 1.2:

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)        ECDH x25519 (eq. 3072 bits RSA)   FS         256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)  ECDH x25519 (eq. 3072 bits RSA)   FS         256 (P)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)        ECDH x25519 (eq. 3072 bits RSA)   FS         128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)        ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK  256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)        ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK  128
(P) This server prefers ChaCha20 suites with clients that don't have AES-NI
(e.g., Android devices)

Disabling the two weak ciphers knocks off too many browsers still in wide use, 
so we ruled against it.

Bob

-Original Message-
From: Branitsky, Norman  
Sent: Wednesday, April 22, 2020 2:20 PM
To: Jerome Magnin 
Cc: haproxy@formilux.org
Subject: RE: How to suppress weak ciphers


As you can see from my pasted configuration, I was specifying exactly 4 ciphers.
The 2 weak CBC ciphers were magically appearing in the SSL Labs report.
I tried to explicitly delete them - but the delete request is ignored.

It seems that this entry, for example, must actually be a family:
ECDHE-RSA-AES256-SHA384
which includes
ECDHE-RSA-AES256-CBC-SHA384
Not clear why the explicit delete command doesn't delete the CBC cipher.

Do you use the following specification and do you find sufficient support of 
existing browsers?
ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA
Or is this too aggressive?

Norman Branitsky
Senior Cloud Architect
P: 416-916-1752


-Original Message-
From: Jerome Magnin 
Sent: Wednesday, April 22, 2020 11:50 AM
To: Branitsky, Norman 
Cc: haproxy@formilux.org
Subject: Re: How to suppress weak ciphers

Hi Norman,
On Wed, Apr 22, 2020 at 03:29:28PM +, Branitsky, Norman wrote:
> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02 SSL Labs reports the CBC 
> ciphers are "weak":
>
> [cid:image002.jpg@01D6117D.1C8AC910]
>
> I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to 
> no avail:
>
>
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> How do I delete the "weak" ciphers?
>


If you list all the ciphers you want to support, it does not make sense to
negate those you don't want. Just don't list them.
You would use ! to exclude specific ciphers or cipher "families", i.e.:

 ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA

you can find additional information on this in the manpage for ciphers(1).

regards,
Jérôme
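
The three findings in this thread (Norman's F grade caused by anonymous DH suites hiding inside CHACHA20:AESGCM:AESCCM:!RSA, Jerome's point that ECDHE-RSA-AES256-SHA384 is itself the CBC suite while !ECDHE-RSA-AES256-CBC-SHA384 names nothing, and the two WEAK rows in Bob's SSL Labs output) can all be checked locally before touching a load balancer. The script below is example code added to this page, not HAProxy or OpenSSL project code. It uses only Python's standard ssl module, which hands the string to the OpenSSL library Python is linked against, so what it prints is that library's own expansion, the same one haproxy's ssl-default-bind-ciphers gets on the same library. The cipher strings are the ones quoted in the thread.

```python
"""Expand cipher strings the way HAProxy's ssl-default-bind-ciphers does and
flag what SSL Labs would complain about.

Example code added to this thread, not HAProxy or OpenSSL project code. The
standard ssl module passes the string to the linked OpenSSL, so the output
is the library's own expansion (what `openssl ciphers -v '<string>'` prints
on that library).
"""
import ssl


def expand(cipher_string):
    """Return the TLS <= 1.2 suites that `cipher_string` selects.

    OpenSSL 1.1.1+ always lists its TLS 1.3 suites as well, but those are
    controlled by ssl-default-bind-ciphersuites, not by this string, so they
    are dropped here. Raises ssl.SSLError when no TLS <= 1.2 suite matches,
    which is what a made-up name such as ECDHE-RSA-AES256-CBC-SHA384 yields.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Summarise an expansion the way an SSL Labs reader looks at it."""
    suites = expand(cipher_string)
    return {
        "names": [c["name"] for c in suites],
        # "Au=None" is OpenSSL's marker for anonymous DH/ECDH: the
        # TLS_DH_anon_* rows SSL Labs grades F for. Only !aNULL removes them;
        # !RSA removes static-RSA key exchange, not anonymous suites.
        "anonymous": [c["name"] for c in suites if "Au=None" in c["description"]],
        # Non-AEAD suites are the AES-CBC + HMAC ones SSL Labs marks WEAK.
        "cbc": [c["name"] for c in suites if not c["aead"]],
    }


def is_known_name(name):
    """True if OpenSSL resolves `name` to at least one TLS <= 1.2 suite."""
    try:
        expand(name)
        return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    # Cipher strings taken from the thread above.
    for s in ("CHACHA20:AESGCM:AESCCM:!RSA",
              "CHACHA20:AESGCM:AESCCM:!RSA:!aNULL",
              "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"):
        a = audit(s)
        print(s)
        print("  anonymous:", ", ".join(a["anonymous"]) or "none")
        print("  cbc      :", ", ".join(a["cbc"]) or "none")
    for n in ("ECDHE-RSA-AES256-CBC-SHA384", "ECDHE-RSA-AES256-SHA384"):
        print(n, "->", "known" if is_known_name(n) else "not a cipher name")
```

Run it with no arguments to see the three expansions. The list shows what the string selects; whether a given OpenSSL build will actually negotiate an anonymous suite also depends on the library's security level, which the cipher string does not control, so the right fix is the explicit !aNULL Norman ended up with rather than trusting the build. The WEAK rows in Bob's table correspond to the non-AEAD entries: getting rid of them means not listing ECDHE-RSA-AES256-SHA384 and ECDHE-RSA-AES128-SHA256 at all, which is the compatibility trade-off Bob describes, not something a ! rule can do.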


RE: How to suppress weak ciphers

2020-04-22 Thread Branitsky, Norman
As you can see from my pasted configuration, I was specifying exactly 4 ciphers.
The 2 weak CBC ciphers were magically appearing in the SSL Labs report.
I tried to explicitly delete them - but the delete request is ignored.

It seems that this entry, for example, must actually be a family:
ECDHE-RSA-AES256-SHA384
which includes
ECDHE-RSA-AES256-CBC-SHA384
Not clear why the explicit delete command doesn't delete the CBC cipher.

Do you use the following specification and do you find sufficient support of 
existing browsers?
ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA
Or is this too aggressive?

Norman Branitsky
Senior Cloud Architect
P: 416-916-1752


-Original Message-
From: Jerome Magnin  
Sent: Wednesday, April 22, 2020 11:50 AM
To: Branitsky, Norman 
Cc: haproxy@formilux.org
Subject: Re: How to suppress weak ciphers

Hi Norman,
On Wed, Apr 22, 2020 at 03:29:28PM +, Branitsky, Norman wrote:
> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02 SSL Labs reports the CBC 
> ciphers are "weak":
> 
> [cid:image002.jpg@01D6117D.1C8AC910]
> 
> I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to 
> no avail:
> 
> 
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
> 
> How do I delete the "weak" ciphers?
> 


If you list all the ciphers you want to support, it does not make sense to
negate those you don't want. Just don't list them.
You would use ! to exclude specific ciphers or cipher "families", i.e.:

 ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA

you can find additional information on this in the manpage for ciphers(1).

regards,
Jérôme


Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Tim Düsterhus
Patrick,

Am 22.04.20 um 18:23 schrieb Patrick Gansterer:
> thx for the quick review. I attached a new patchset.
> 

I don't find anything to complain about now. I'll now leave it up to the
authority to either apply or complain.

For MINOR: crypto: Add digest and hmac converters

Reviewed-by: Tim Duesterhus 

Best regards
Tim Düsterhus



Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Patrick Gansterer
Tim,

thx for the quick review. I attached a new patchset.

On Mittwoch, 22. April 2020 18:01:01 CEST Tim Düsterhus wrote:
> Small nit: It should read 'e.g.' (with a dot at the end).

Argh. Can't believe how many typos I made in this lines. ^^

> I believe you support a variable key now. You should add this to the doc
> (and the reg-test) then.

Done.

- Patrick

>From 8f6ce045c80e0f67a485233ee602b57b4c311bde Mon Sep 17 00:00:00 2001
From: Patrick Gansterer 
Date: Sun, 17 Jun 2018 11:21:11 +0200
Subject: [PATCH 1/2] MINOR: crypto: Move aes_gcm_dec implementation into new
 file

---
 Makefile   |   2 +-
 src/crypto.c   | 163 +
 src/ssl_sock.c | 142 --
 3 files changed, 164 insertions(+), 143 deletions(-)
 create mode 100644 src/crypto.c

diff --git a/Makefile b/Makefile
index 1e4213989..2dea46368 100644
--- a/Makefile
+++ b/Makefile
@@ -542,7 +542,7 @@ OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
 ifneq ($(USE_DL),)
 OPTIONS_LDFLAGS += -ldl
 endif
-OPTIONS_OBJS  += src/ssl_sock.o
+OPTIONS_OBJS  += src/crypto.o src/ssl_sock.o
 endif
 
 # The private cache option affect the way the shctx is built
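Review bot: The commit message has no body between the Subject and the `---` separator, so nothing records that this is a pure move of the aes_gcm_dec converter out of src/ssl_sock.c with no functional change; add that sentence, and for this hunk say that src/crypto.o is deliberately added next to src/ssl_sock.o inside the OpenSSL section of the Makefile (the block that adds -lssl -lcrypto just above), so the new file is never built without USE_OPENSSL. A later bisect otherwise has to diff the 163-line file against the deleted block to confirm that.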
diff --git a/src/crypto.c b/src/crypto.c
new file mode 100644
index 0..74b92eee5
--- /dev/null
+++ b/src/crypto.c
@@ -0,0 +1,163 @@
+/*
+ * Crypto converters
+ *
+ * Copyright 2020 Nenad Merdanovic 
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+
+#include 
+
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000100fL)
+static inline int sample_conv_var2smp_str(const struct arg *arg, struct sample *smp)
+{
+	switch (arg->type) {
+	case ARGT_STR:
+		smp->data.type = SMP_T_STR;
+		smp->data.u.str = arg->data.str;
+		return 1;
+	case ARGT_VAR:
+		if (!vars_get_by_desc(&arg->data.var, smp))
+return 0;
+		if (!sample_casts[smp->data.type][SMP_T_STR])
+return 0;
+		if (!sample_casts[smp->data.type][SMP_T_STR](smp))
+return 0;
+		return 1;
+	default:
+		return 0;
+	}
+}
+
+static int check_aes_gcm(struct arg *args, struct sample_conv *conv,
+		  const char *file, int line, char **err)
+{
+	switch(args[0].data.sint) {
+	case 128:
+	case 192:
+	case 256:
+		break;
+	default:
+		memprintf(err, "key size must be 128, 192 or 256 (bits).");
+		return 0;
+	}
+	/* Try to decode a variable. */
+	vars_check_arg(&args[1], NULL);
+	vars_check_arg(&args[2], NULL);
+	vars_check_arg(&args[3], NULL);
+	return 1;
+}
+
+/* Arguments: AES size in bits, nonce, key, tag. The last three arguments are base64 encoded */
+static int sample_conv_aes_gcm_dec(const struct arg *arg_p, struct sample *smp, void *private)
+{
+	struct sample nonce, key, aead_tag;
+	struct buffer *smp_trash, *smp_trash_alloc;
+	EVP_CIPHER_CTX *ctx;
+	int dec_size, ret;
+
+	smp_set_owner(&nonce, smp->px, smp->sess, smp->strm, smp->opt);
+	if (!sample_conv_var2smp_str(&arg_p[1], &nonce))
+		return 0;
+
+	smp_set_owner(&key, smp->px, smp->sess, smp->strm, smp->opt);
+	if (!sample_conv_var2smp_str(&arg_p[2], &key))
+		return 0;
+
+	smp_set_owner(&aead_tag, smp->px, smp->sess, smp->strm, smp->opt);
+	if (!sample_conv_var2smp_str(&arg_p[3], &aead_tag))
+		return 0;
+
+	smp_trash = get_trash_chunk();
+	smp_trash_alloc = alloc_trash_chunk();
+	if (!smp_trash_alloc)
+		return 0;
+
+	ctx = EVP_CIPHER_CTX_new();
+
+	if (!ctx)
+		goto err;
+
+	dec_size = base64dec(nonce.data.u.str.area, nonce.data.u.str.data, smp_trash->area, smp_trash->size);
+	if (dec_size < 0)
+		goto err;
+	smp_trash->data = dec_size;
+
+	/* Set cipher type and mode */
+	switch(arg_p[0].data.sint) {
+	case 128:
+		EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL);
+		break;
+	case 192:
+		EVP_DecryptInit_ex(ctx, EVP_aes_192_gcm(), NULL, NULL, NULL);
+		break;
+	case 256:
+		EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL);
+		break;
+	}
+
+	EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, smp_trash->data, NULL);
+
+	/* Initialise IV */
+	if(!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, (unsigned char *) smp_trash->area))
+		goto err;
+
+	dec_size = base64dec(key.data.u.str.area, key.data.u.str.data, smp_trash->area, smp_trash->size);
+	if (dec_size < 0)
+		goto err;
+	smp_trash->data = dec_size;
+
+	/* Initialise key */
+	if (!EVP_DecryptInit_ex(ctx, NULL, NULL, (unsigned char *) smp_trash->area, NULL))
+		goto err;
+
+	if (!EVP_DecryptUpdate(ctx, (unsigned char *) smp_trash->area, (int *) &smp_trash->data,
+		  (unsigned char *) smp->data.u.str.area, (int) smp->data.u.str.data))
+		goto err;
+
+	dec_size = base64dec(aead_tag.data.u.str.area, aead_tag.data.u.str.data, smp_trash_alloc->area, smp_trash_alloc->size);
+	if (dec_size < 0)
+		goto err;
+	smp_trash_alloc->data = dec_size;
+	d
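Review bot: Several return values in this hunk are ignored, and since the code is being moved anyway it is worth deciding now whether to fix them here or in a follow-up (a pure move is easier to review, so a follow-up patch is preferable): in check_aes_gcm the three vars_check_arg() results are discarded, so a mistyped variable name passes configuration checking and only fails at runtime inside sample_conv_var2smp_str(); in sample_conv_aes_gcm_dec the EVP_DecryptInit_ex() calls in the switch and the EVP_CTRL_AEAD_SET_IVLEN ctrl are unchecked; and the decoded key length is never compared with arg_p[0].data.sint / 8, so a key that base64-decodes to fewer bytes than the selected AES size makes EVP_DecryptInit_ex() read whatever follows it in the trash chunk as key material instead of failing. Also `(int *) &smp_trash->data` writes through an int pointer into a size_t field of struct buffer; an `int outlen` local passed to EVP_DecryptUpdate() and copied back into smp_trash->data is the portable form.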

Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Tim Düsterhus
Patrick,

Am 22.04.20 um 17:41 schrieb Patrick Gansterer:
> diff --git a/doc/configuration.txt b/doc/configuration.txt
> index 2e548b66c..6b5f5ecf9 100644
> --- a/doc/configuration.txt
> +++ b/doc/configuration.txt
> @@ -13918,6 +13918,13 @@ debug([])
>Example:
>  tcp-request connection track-sc0 src,debug(track-sc)
>  
> +digest()
> +  Converts a binary input sample to a message digest. The result is a binary
> +  sample. The algorithm must be an OpenSSL message digest name (e.g sha256).
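Review bot: The digest() entry would benefit from an Example: block like the debug() entry just above it in the same file, e.g. `http-request set-var(txn.body_sha256) req.body,digest(sha256),hex` (req.body needs option http-buffer-request to see the whole body), and, unless the quoted lines cut off here already carry it, the same "only available when haproxy has been compiled with USE_OPENSSL" sentence that the hmac() entry below has, so both converters document the build dependency the same way.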

Small nit: It should read 'e.g.' (with a dot at the end).

> @@ -13972,6 +13979,15 @@ hex2i
>Converts a hex string containing two hex digits per input byte to an
>integer. If the input value cannot be converted, then zero is returned.
>  
> +hmac(, )
> +  Converts a binary input sample to a message authentication code with the 
> given
> +  key. The result is a binary sample. The algorithm must be one of the 
> registered
> +  OpenSSL message digest names (e.g sha256). The key parameter must be base64
> +  encoded.

I believe you support a variable key now. You should add this to the doc
(and the reg-test) then.

> +  Please note that this converter is only available when haproxy has been
> +  compiled with USE_OPENSSL.
> +
>  http_date([])
>Converts an integer supposed to contain a date since epoch to a string
>representing this date in a format suitable for use in HTTP header fields. 
> If
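Review bot: The hmac() text does not say what happens on bad input: whether an unknown algorithm name or a key that is not valid base64 is caught at configuration check time or only fails the conversion at runtime (and what the rule sees then), which is exactly what an operator wiring this into an http-request deny rule needs to know. Two more lines would help: the result has the length of the chosen digest and is binary, so pass it through hex or base64 before logging it or comparing it as a string; and since a literal key lands in every copy of haproxy.cfg, the variable form Tim asks to be documented should be presented as the preferred way to supply it.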

Best regards
Tim Düsterhus



Re: How to suppress weak ciphers

2020-04-22 Thread Илья Шипицин
You can start with https://ssl-config.mozilla.org/. However, high security
also means lower compatibility, i.e. old browsers fail on high security (SSL
Labs provides a handshake table for that).

Wed, 22 Apr 2020 at 20:32, Branitsky, Norman <norman.branit...@tylertech.com>:

> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
> SSL Labs reports the CBC ciphers are "weak":
>
> [image: SSL Labs report]
>
> I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg
> to no avail:
>
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-bind-ciphers
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-server-ciphers
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> How do I delete the "weak" ciphers?
>
> *Norman Branitsky*
> Senior Cloud Architect
> Tyler Technologies, Inc.
>
> P: 416-916-1752
> C: 416.843.0670
> www.tylertech.com


Re: How to suppress weak ciphers

2020-04-22 Thread Jerome Magnin
Hi Norman,
On Wed, Apr 22, 2020 at 03:29:28PM +, Branitsky, Norman wrote:
> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
> SSL Labs reports the CBC ciphers are "weak":
> 
> [cid:image002.jpg@01D6117D.1C8AC910]
> 
> I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to 
> no avail:
> 
> 
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
> 
> ssl-default-bind-ciphers 
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
> 
> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
> 
> ssl-default-server-ciphers 
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
> 
> How do I delete the "weak" ciphers?
> 


If you list all the ciphers you want to support, it does not make sense to
negate those you don't want. Just don't list them.
You would use ! to exclude specific ciphers or cipher "families", i.e.:

 ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA

you can find additional information on this in the manpage for ciphers(1).

regards,
Jérôme



Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Patrick Gansterer
Tim,

sorry for the troubles. My mail program added automatic line breaks. :-(

I attached the two files now.

- Patrick
>From 8f6ce045c80e0f67a485233ee602b57b4c311bde Mon Sep 17 00:00:00 2001
From: Patrick Gansterer 
Date: Sun, 17 Jun 2018 11:21:11 +0200
Subject: [PATCH 1/2] MINOR: crypto: Move aes_gcm_dec implementation into new
 file

---
 Makefile   |   2 +-
 src/crypto.c   | 163 +
 src/ssl_sock.c | 142 --
 3 files changed, 164 insertions(+), 143 deletions(-)
 create mode 100644 src/crypto.c

diff --git a/Makefile b/Makefile
index 1e4213989..2dea46368 100644
--- a/Makefile
+++ b/Makefile
@@ -542,7 +542,7 @@ OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
 ifneq ($(USE_DL),)
 OPTIONS_LDFLAGS += -ldl
 endif
-OPTIONS_OBJS  += src/ssl_sock.o
+OPTIONS_OBJS  += src/crypto.o src/ssl_sock.o
 endif
 
 # The private cache option affect the way the shctx is built
diff --git a/src/crypto.c b/src/crypto.c
new file mode 100644
index 0..74b92eee5
--- /dev/null
+++ b/src/crypto.c
@@ -0,0 +1,163 @@
+/*
+ * Crypto converters
+ *
+ * Copyright 2020 Nenad Merdanovic 
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+
+#include 
+
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000100fL)
+static inline int sample_conv_var2smp_str(const struct arg *arg, struct sample *smp)
+{
+	switch (arg->type) {
+	case ARGT_STR:
+		smp->data.type = SMP_T_STR;
+		smp->data.u.str = arg->data.str;
+		return 1;
+	case ARGT_VAR:
+		if (!vars_get_by_desc(&arg->data.var, smp))
+return 0;
+		if (!sample_casts[smp->data.type][SMP_T_STR])
+return 0;
+		if (!sample_casts[smp->data.type][SMP_T_STR](smp))
+return 0;
+		return 1;
+	default:
+		return 0;
+	}
+}
+
+static int check_aes_gcm(struct arg *args, struct sample_conv *conv,
+		  const char *file, int line, char **err)
+{
+	switch(args[0].data.sint) {
+	case 128:
+	case 192:
+	case 256:
+		break;
+	default:
+		memprintf(err, "key size must be 128, 192 or 256 (bits).");
+		return 0;
+	}
+	/* Try to decode a variable. */
+	vars_check_arg(&args[1], NULL);
+	vars_check_arg(&args[2], NULL);
+	vars_check_arg(&args[3], NULL);
+	return 1;
+}
+
+/* Arguments: AES size in bits, nonce, key, tag. The last three arguments are base64 encoded */
+static int sample_conv_aes_gcm_dec(const struct arg *arg_p, struct sample *smp, void *private)
+{
+	struct sample nonce, key, aead_tag;
+	struct buffer *smp_trash, *smp_trash_alloc;
+	EVP_CIPHER_CTX *ctx;
+	int dec_size, ret;
+
+	smp_set_owner(&nonce, smp->px, smp->sess, smp->strm, smp->opt);
+	if (!sample_conv_var2smp_str(&arg_p[1], &nonce))
+		return 0;
+
+	smp_set_owner(&key, smp->px, smp->sess, smp->strm, smp->opt);
+	if (!sample_conv_var2smp_str(&arg_p[2], &key))
+		return 0;
+
+	smp_set_owner(&aead_tag, smp->px, smp->sess, smp->strm, smp->opt);
+	if (!sample_conv_var2smp_str(&arg_p[3], &aead_tag))
+		return 0;
+
+	smp_trash = get_trash_chunk();
+	smp_trash_alloc = alloc_trash_chunk();
+	if (!smp_trash_alloc)
+		return 0;
+
+	ctx = EVP_CIPHER_CTX_new();
+
+	if (!ctx)
+		goto err;
+
+	dec_size = base64dec(nonce.data.u.str.area, nonce.data.u.str.data, smp_trash->area, smp_trash->size);
+	if (dec_size < 0)
+		goto err;
+	smp_trash->data = dec_size;
+
+	/* Set cipher type and mode */
+	switch(arg_p[0].data.sint) {
+	case 128:
+		EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL);
+		break;
+	case 192:
+		EVP_DecryptInit_ex(ctx, EVP_aes_192_gcm(), NULL, NULL, NULL);
+		break;
+	case 256:
+		EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL);
+		break;
+	}
+
+	EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, smp_trash->data, NULL);
+
+	/* Initialise IV */
+	if(!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, (unsigned char *) smp_trash->area))
+		goto err;
+
+	dec_size = base64dec(key.data.u.str.area, key.data.u.str.data, smp_trash->area, smp_trash->size);
+	if (dec_size < 0)
+		goto err;
+	smp_trash->data = dec_size;
+
+	/* Initialise key */
+	if (!EVP_DecryptInit_ex(ctx, NULL, NULL, (unsigned char *) smp_trash->area, NULL))
+		goto err;
+
+	if (!EVP_DecryptUpdate(ctx, (unsigned char *) smp_trash->area, (int *) &smp_trash->data,
+		  (unsigned char *) smp->data.u.str.area, (int) smp->data.u.str.data))
+		goto err;
+
+	dec_size = base64dec(aead_tag.data.u.str.area, aead_tag.data.u.str.data, smp_trash_alloc->area, smp_trash_alloc->size);
+	if (dec_size < 0)
+		goto err;
+	smp_trash_alloc->data = dec_size;
+	dec_size = smp_trash->data;
+
+	EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, smp_trash_alloc->data, (void *) smp_trash_alloc->area);
+	ret = EVP_DecryptFinal_ex(ctx, (unsigned char *) smp_trash->area + smp_trash->data, (int *) &smp_trash->da
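Review bot: The tag handling at the end of this hunk accepts any tag length that base64-decodes: EVP_CTRL_AEAD_SET_TAG is called with smp_trash_alloc->data as the length and its return value is ignored, so an empty or oversized tag is silently rejected by the ctrl (and EVP_DecryptFinal_ex then fails for a reason the caller cannot tell apart from a genuine authentication failure), while a short tag of a few bytes is accepted with correspondingly weaker forgery resistance. Require the decoded tag to be the full 16-byte GCM tag before the ctrl call and check the ctrl's result, e.g. `if (smp_trash_alloc->data != 16) goto err;`.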

Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Tim Düsterhus
Patrick,

Am 22.04.20 um 17:30 schrieb Patrick Gansterer:
> Tim,
> 
> thanks for the review. I just rebased my old patch today and didn't check 
> what 
> changed in the meantime in the codebase. I created a separate patch to move 
> aes_gcm_dec out of ssl_sock.c since it seams to fit better to my new file.
> 

Not sure what you did there, but the patches are not usable like this,
because they are merged into a large block of text. Either of the
following should work. The first is probably easier for a one-time
patch :-)

1. Attach the patches as regular attachments each (= One email with two
attachments).
2. Use the following:

   git format-patch -M master --cc=t...@bastelstu.be \
       --to=haproxy@formilux.org -o outgoing
   git send-email outgoing/*.patch \
       --in-reply-to=6e582bdb-05c4-be8c-5879-8c4aedca1...@bastelstu.be

This will result in two emails with one inline patch each.

Best regards
Tim Düsterhus



Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Patrick Gansterer
Tim,

thanks for the review. I just rebased my old patch today and didn't check what 
changed in the meantime in the codebase. I created a separate patch to move 
aes_gcm_dec out of ssl_sock.c since it seams to fit better to my new file.

- Patrick

>From 8f6ce045c80e0f67a485233ee602b57b4c311bde Mon Sep 17 00:00:00 2001
From: Patrick Gansterer 
Date: Sun, 17 Jun 2018 11:21:11 +0200
Subject: [PATCH 1/2] MINOR: crypto: Move aes_gcm_dec implementation into new
 file

---
 Makefile   |   2 +-
 src/crypto.c   | 163 +
 src/ssl_sock.c | 142 --
 3 files changed, 164 insertions(+), 143 deletions(-)
 create mode 100644 src/crypto.c

diff --git a/Makefile b/Makefile
index 1e4213989..2dea46368 100644
--- a/Makefile
+++ b/Makefile
@@ -542,7 +542,7 @@ OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -
lcrypto
 ifneq ($(USE_DL),)
 OPTIONS_LDFLAGS += -ldl
 endif
-OPTIONS_OBJS  += src/ssl_sock.o
+OPTIONS_OBJS  += src/crypto.o src/ssl_sock.o
 endif
 
 # The private cache option affect the way the shctx is built
diff --git a/src/crypto.c b/src/crypto.c
new file mode 100644
index 0..74b92eee5
--- /dev/null
+++ b/src/crypto.c
@@ -0,0 +1,163 @@
+/*
+ * Crypto converters
+ *
+ * Copyright 2020 Nenad Merdanovic 
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+
+#include 
+
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000100fL)
+static inline int sample_conv_var2smp_str(const struct arg *arg, struct 
sample *smp)
+{
+   switch (arg->type) {
+   case ARGT_STR:
+   smp->data.type = SMP_T_STR;
+   smp->data.u.str = arg->data.str;
+   return 1;
+   case ARGT_VAR:
+   if (!vars_get_by_desc(&arg->data.var, smp))
+   return 0;
+   if (!sample_casts[smp->data.type][SMP_T_STR])
+   return 0;
+   if (!sample_casts[smp->data.type][SMP_T_STR](smp))
+   return 0;
+   return 1;
+   default:
+   return 0;
+   }
+}
+
+static int check_aes_gcm(struct arg *args, struct sample_conv *conv,
+ const char 
*file, int line, char **err)
+{
+   switch(args[0].data.sint) {
+   case 128:
+   case 192:
+   case 256:
+   break;
+   default:
+   memprintf(err, "key size must be 128, 192 or 256 
(bits).");
+   return 0;
+   }
+   /* Try to decode a variable. */
+   vars_check_arg(&args[1], NULL);
+   vars_check_arg(&args[2], NULL);
+   vars_check_arg(&args[3], NULL);
+   return 1;
+}
+
+/* Arguments: AES size in bits, nonce, key, tag. The last three arguments are 
base64 encoded */
+static int sample_conv_aes_gcm_dec(const struct arg *arg_p, struct sample 
*smp, void *private)
+{
+   struct sample nonce, key, aead_tag;
+   struct buffer *smp_trash, *smp_trash_alloc;
+   EVP_CIPHER_CTX *ctx;
+   int dec_size, ret;
+
+   smp_set_owner(&nonce, smp->px, smp->sess, smp->strm, smp->opt);
+   if (!sample_conv_var2smp_str(&arg_p[1], &nonce))
+   return 0;
+
+   smp_set_owner(&key, smp->px, smp->sess, smp->strm, smp->opt);
+   if (!sample_conv_var2smp_str(&arg_p[2], &key))
+   return 0;
+
+   smp_set_owner(&aead_tag, smp->px, smp->sess, smp->strm, smp->opt);
+   if (!sample_conv_var2smp_str(&arg_p[3], &aead_tag))
+   return 0;
+
+   smp_trash = get_trash_chunk();
+   smp_trash_alloc = alloc_trash_chunk();
+   if (!smp_trash_alloc)
+   return 0;
+
+   ctx = EVP_CIPHER_CTX_new();
+
+   if (!ctx)
+   goto err;
+
+   dec_size = base64dec(nonce.data.u.str.area, nonce.data.u.str.data, 
smp_trash->area, smp_trash->size);
+   if (dec_size < 0)
+   goto err;
+   smp_trash->data = dec_size;
+
+   /* Set cipher type and mode */
+   switch(arg_p[0].data.sint) {
+   case 128:
+   EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, 
NULL);
+   break;
+   case 192:
+   EVP_DecryptInit_ex(ctx, EVP_aes_192_gcm(), NULL, NULL, 
NULL);
+   break;
+   case 256:
+   EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, 
NULL);
+   break;
+   }
+
+   EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, smp_trash->data, 
NULL);
+
+   /* Initialise IV */
+   if(!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, (unsigned char *) 
smp_trash->area))
+   goto err;
+
+   dec_size = base64dec(key.data.u.str.area, key.data.u.str.data, 
smp_

How to suppress weak ciphers

2020-04-22 Thread Branitsky, Norman
HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
SSL Labs reports the CBC ciphers are "weak":

[image: SSL Labs report]

I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to no 
avail:


ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

ssl-default-bind-ciphers 
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384

ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

ssl-default-server-ciphers 
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384

How do I delete the "weak" ciphers?

Norman Branitsky
Senior Cloud Architect
Tyler Technologies, Inc.

P: 416-916-1752
C: 416.843.0670
www.tylertech.com



Re: [ANNOUNCE] haproxy-2.1.4

2020-04-22 Thread Tim Düsterhus
Willy,

Am 21.04.20 um 16:58 schrieb Willy Tarreau:
>> I would also be interested in how Felix Wilhelm performed the fuzzing,
>> do you happen to have details about that?
> 
> No, I only got the information that was just made public. But do not
> hesitate to contact Felix about this, I'm sure he will happily share some
> extra information to help us improve our side.
> 

I did and received a reply:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2023#c6

Felix Wilhelm used contrib/hpack/decode.c as the basis for the fuzz
driver, like I did for my first CVE. The difference to my understanding
is that his version is more efficient, because it's not fork+exec()ing
new processes all the time and instead just uses function calls.

Best regards
Tim Düsterhus



Re: [PATCH] ssl defaults enhancements

2020-04-22 Thread William Lallemand
On Wed, Apr 22, 2020 at 12:06:11PM +0200, Jerome Magnin wrote:
> From d86993cbd4476e1901eafdc7fbe88d31ca6f8e90 Mon Sep 17 00:00:00 2001
> From: Jerome Magnin 
> Date: Wed, 22 Apr 2020 11:40:18 +0200
> Subject: [PATCH] BUG/MINOR: ssl: default settings for ssl server options are
>  not used
> 

> From aafd1cc7fd97de2d0e395197cd2a80a3d885e60d Mon Sep 17 00:00:00 2001
> From: Jerome Magnin 
> Date: Fri, 3 Apr 2020 15:28:22 +0200
> Subject: [PATCH] MINOR: config: add a global directive to set default SSL
>  curves
> 

Thanks, both applied!

-- 
William Lallemand



Re: [PATCH] ssl defaults enhancements

2020-04-22 Thread Jerome Magnin
On Wed, Apr 22, 2020 at 12:06:15PM +0200, Jerome Magnin wrote:
> Hi,
> [...] 
> The other patch adds a new keyword in global section to set default bind 
> curves.
> 
I updated the second patch to remove the ability to set the default curves at
build time because I did it wrong and I'm not sure it's actually useful. 

Jérôme
From aafd1cc7fd97de2d0e395197cd2a80a3d885e60d Mon Sep 17 00:00:00 2001
From: Jerome Magnin 
Date: Fri, 3 Apr 2020 15:28:22 +0200
Subject: [PATCH] MINOR: config: add a global directive to set default SSL
 curves

This commit adds a new keyword to the global section to set default
curves for ssl binds:
  - ssl-default-bind-curves
---
 doc/configuration.txt |  8 
 src/ssl_sock.c| 35 +++
 2 files changed, 43 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 2e548b66c..9b0b1d4f7 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -622,6 +622,7 @@ The following keywords are supported in the "global" 
section :
- stats
- ssl-default-bind-ciphers
- ssl-default-bind-ciphersuites
+   - ssl-default-bind-curves
- ssl-default-bind-options
- ssl-default-server-ciphers
- ssl-default-server-ciphersuites
@@ -1270,6 +1271,13 @@ ssl-default-bind-ciphersuites 
   "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
   information.
 
+ssl-default-bind-curves 
+  This setting is only available when support for OpenSSL was built in. It sets
+  the default string describing the list of elliptic curves algorithms ("curve
+  suite") that are negotiated during the SSL/TLS handshake with ECDHE. The 
format
+  of the string is a colon-delimited list of curve name.
+  Please check the "bind" keyword for more information.
+
 ssl-default-bind-options []...
   This setting is only available when support for OpenSSL was built in. It sets
   default ssl-options to force on all "bind" lines. Please check the "bind"
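Review bot: two grammar slips in the added ssl-default-bind-curves paragraph: "elliptic curves algorithms" should be "elliptic curve algorithms" and "a colon-delimited list of curve name" should be "curve names". Since bind_parse_ssl() later in this patch only applies the default when `!conf->ssl_conf.curves`, the paragraph should also state explicitly that a curves setting on the bind line takes precedence.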
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9077e9114..0f9b7f62c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -175,6 +175,9 @@ static struct {
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
char *listen_default_ciphersuites;
char *connect_default_ciphersuites;
+#endif
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || 
defined(LIBRESSL_VERSION_NUMBER))
+   char *listen_default_curves;
 #endif
int listen_default_ssloptions;
int connect_default_ssloptions;
@@ -9516,6 +9519,10 @@ static int bind_parse_ssl(char **args, int cur_arg, 
struct proxy *px, struct bin
 
if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
conf->ssl_conf.ciphers = 
strdup(global_ssl.listen_default_ciphers);
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || 
defined(LIBRESSL_VERSION_NUMBER))
+   if (global_ssl.listen_default_curves && !conf->ssl_conf.curves)
+   conf->ssl_conf.curves = 
strdup(global_ssl.listen_default_curves);
+#endif
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
if (global_ssl.listen_default_ciphersuites && 
!conf->ssl_conf.ciphersuites)
conf->ssl_conf.ciphersuites = 
strdup(global_ssl.listen_default_ciphersuites);
@@ -10493,6 +10500,31 @@ static int ssl_parse_global_ciphersuites(char **args, 
int section_type, struct p
 }
 #endif
 
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || 
defined(LIBRESSL_VERSION_NUMBER))
+/*
+ * parse the "ssl-default-bind-curves" keyword in a global section.
+ * Returns <0 on alert, >0 on warning, 0 on success.
+ */
+static int ssl_parse_global_curves(char **args, int section_type, struct proxy 
*curpx,
+   struct proxy *defpx, const char *file, int 
line,
+  char **err)
+{
+   char **target;
+   target = &global_ssl.listen_default_curves;
+
+   if (too_many_args(1, args, err, NULL))
+   return -1;
+
+   if (*(args[1]) == 0) {
+   memprintf(err, "global statement '%s' expects a curves suite as 
an arguments.", args[0]);
+   return -1;
+   }
+
+   free(*target);
+   *target = strdup(args[1]);
+   return 0;
+}
+#endif
 /* parse various global tune.ssl settings consisting in positive integers.
  * Returns <0 on alert, >0 on warning, 0 on success.
  */
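Review bot: the error message in ssl_parse_global_curves(), "expects a curves suite as an arguments.", should read "as an argument". More importantly the value is only strdup()'d, so a misspelled curve name is not caught here; validating it at parse time (for example with SSL_CTX_set1_curves_list() on a throwaway SSL_CTX) would let `haproxy -c` report the mistake instead of the first bind setup. Also add a blank line between the closing `#endif` and the `/* parse various global tune.ssl settings ... */` comment that follows it.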
@@ -13008,6 +13040,9 @@ static struct cfg_kw_list cfg_kws = {ILH, {
{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", 
ssl_parse_global_capture_cipherlist },
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || 
defined(LIBRESSL_VERSION_NUMBER))
+   { CFG_GLOBAL, "ssl-default-bind-curves", ssl_parse_global_curves },
+#endif
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
{ CFG_GLOBAL, "ssl-default-bind-ciphersuites", 
ssl_parse_global_ciphersuites },
{ CFG_GLOBAL, "

Re: [PATCH] MINOR: ssl: add ssl-skip-self-issued-ca global option

2020-04-22 Thread William Lallemand
On Wed, Apr 22, 2020 at 11:48:29AM +0200, Emmanuel Hocdet wrote:
> 
> and voila:
> 

> From fc1ae0229809d3eca7f7553ac210056c6537c4e4 Mon Sep 17 00:00:00 2001
> From: Emmanuel Hocdet 
> Date: Wed, 22 Apr 2020 11:06:19 +0200
> Subject: [PATCH] MINOR: ssl: add ssl-skip-self-issued-ca global option
> 
> This option activates the feature introduced in commit 16739778:
> "MINOR: ssl: skip self issued CA in cert chain for ssl_ctx".
> The patch disables the feature by default.

Thanks, merged!

-- 
William Lallemand



Re: [PATCH 0/2] *** Add TT timer ***

2020-04-22 Thread Willy Tarreau
Hi Damien,

On Thu, Apr 16, 2020 at 04:03:19PM +, Damien Claisse wrote:
> What I'm actually interested in is assessing real-world total time taken to
> serve a client request (as seen from the client such as reported by cURL or
> in a browser network performance tab, except for DNS lookup time) and making
> statistics based on that. It doesn't really matter if Th is null after first
> request as timing is still accurate because client didn't have to open a new
> connection.
> I initially thought about simply summing Ta and Th in the configuration file, but
> it took me a long time to realize this would be a good approach to end-to-end
> time measurement.
> As I thought some people might be interested in it too, I'm suggesting this
> new timer. If there is too little interest, maybe a simple doc update could
> be sufficient?

I understand your use case, and it does make sense. The measurement you make
is not exact as it assumes that the delay in each direction is the same,
which is not necessarily true. But that's the most accurate you can get and
it will already be good for most use cases I think.

Indeed something we're really missing is to have equivalent sample-fetch
functions for all %xx log-format tags. That would make it so much easier
to simply add Ta and Th for example. But I do see some value in yours
being used as-is without requiring complex operations in the configurations.

Since you're measuring the user-experienced time, why not call it "Tu"
and thus not touch the existing ones? I know, finding names is always
the most difficult part when creating something. It often comes easier
after you explain what you want to do :-)

Cheers,
Willy



Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Tim Düsterhus
Patrick,

On 22.04.20 at 12:40, Patrick Gansterer wrote:
> diff --git a/doc/configuration.txt b/doc/configuration.txt
> index 2e548b66c..17b2debe5 100644
> --- a/doc/configuration.txt
> +++ b/doc/configuration.txt
> @@ -13918,6 +13918,10 @@ debug([])
>Example:
>  tcp-request connection track-sc0 src,debug(track-sc)
>  
> +digest()
> +  Converts a binary input sample to a message digest. The result is a binary
> +  sample. The algorithm must be an OpenSSL message digest name (e.g sha256).

Add a note that the converter is only available with USE_OPENSSL similar
to the sha2() converted.

> @@ -13972,6 +13976,11 @@ hex2i
>Converts a hex string containing two hex digits per input byte to an
>integer. If the input value cannot be converted, then zero is returned.
>  
> +hmac(, )
> +  Converts a binary input sample to a message authentication code with the 
> given
> +  key. The result is  a binary sample. The algorithm must be one of the
> +  registered OpenSSL message digest names (e.g sha256).

Add a note that the converter is only available with USE_OPENSSL similar
to the sha2() converted.

> diff --git a/src/crypto.c b/src/crypto.c
> new file mode 100644
> index 0..b4f2bfe32
> --- /dev/null
> +++ b/src/crypto.c
> @@ -0,0 +1,84 @@
> +static int sample_conv_crypto_digest(const struct arg *args, struct sample 
> *smp, void *private)
> +{
> + struct buffer *trash = get_trash_chunk();
> + EVP_MD_CTX *ctx = EVP_MD_CTX_new();
> + const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.area);
> + unsigned char *md = (unsigned char*) trash->area;
> + unsigned int md_len = trash->size;
> +
> + if (!ctx)
> + return 0;
> + if (!evp)
Will this leak ctx?

> + return 0;
> +
> + if (!EVP_DigestInit(ctx, evp) ||
> + !EVP_DigestUpdate(ctx, smp->data.u.str.area, smp->data.u.str.data) 
> ||
> + !EVP_DigestFinal(ctx, md, &md_len)) {

The OpenSSL manpage says:

> The functions EVP_DigestInit(), EVP_DigestFinal() and EVP_MD_CTX_copy() are 
> obsolete but are retained to maintain compatibility with existing code. New 
> applications should use EVP_DigestInit_ex(), EVP_DigestFinal_ex() and 
> EVP_MD_CTX_copy_ex() because they can efficiently reuse a digest context 
> instead of initializing and cleaning it up on each call and allow non default 
> implementations of digests to be specified.

.

> + EVP_MD_CTX_free(ctx);
> + return 0;
> + }
> +
> + EVP_MD_CTX_free(ctx);
> +
> + trash->data = md_len;
> + smp->data.u.str = *trash;
> + smp->data.type = SMP_T_BIN;
> + smp->flags &= ~SMP_F_CONST;
> + return 1;
> +}
> +
> +static int sample_conv_crypto_hmac(const struct arg *args, struct sample 
> *smp, void *private)
> +{
> + struct buffer *trash = get_trash_chunk();
> + const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.area);
> + const char* key = args[1].data.str.area;
> + int key_len = args[1].data.str.data;

I'd say that the key should have support for taking the key from a
variable similar to aes_gcm_dec(). I'd also say that the parameter
should be base64 encoded to allow for arbitrary bytes.

> + unsigned char *md = (unsigned char*) trash->area;
> + unsigned int md_len = trash->size;
> +
> + trash->data = 0;
> +
> + if (!evp)
> + return 0;
> +
> + if (!HMAC(evp, key, key_len, (const unsigned char*) 
> smp->data.u.str.area, smp->data.u.str.data, md, &md_len))
> + return 0;
> +
> + trash->data = md_len;
> + smp->data.u.str = *trash;
> + smp->data.type = SMP_T_BIN;
> + smp->flags &= ~SMP_F_CONST;
> + return 1;
> +}
> +
> +static struct sample_conv_kw_list sample_conv_kws = {ILH, {
> + { "digest", sample_conv_crypto_digest, ARG1(1,STR), NULL, 
> SMP_T_BIN, SMP_T_BIN },
> + { "hmac",   sample_conv_crypto_hmac,   ARG2(2,STR,STR), NULL, 
> SMP_T_BIN, SMP_T_BIN },
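Review bot: in both converters `unsigned int md_len = trash->size;` is a dead store, since EVP_DigestFinal() and HMAC() only write through the pointer; what actually matters, and is never checked, is that trash->size is at least EVP_MAX_MD_SIZE, so either assert that or add a comment stating the trash chunk size guarantee. In sample_conv_crypto_hmac() `int key_len = args[1].data.str.data;` silently narrows a size_t; the HMAC() signature forces an int, so a range check before the cast would document the limit.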

Add a validation function that checks whether the given hash algorithm
is valid at configuration checking time.

Best regards
Tim Düsterhus



[PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Patrick Gansterer
Make the digest and HMAC function of OpenSSL accessible to the user via
converters. They can be used to sign and validate content.
---
 Makefile|  2 +-
 doc/configuration.txt   |  9 
 reg-tests/sample_fetches/hashes.vtc | 22 
 src/crypto.c| 84 +
 4 files changed, 116 insertions(+), 1 deletion(-)
 create mode 100644 src/crypto.c

diff --git a/Makefile b/Makefile
index 1e4213989..2dea46368 100644
--- a/Makefile
+++ b/Makefile
@@ -542,7 +542,7 @@ OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl 
-lcrypto
 ifneq ($(USE_DL),)
 OPTIONS_LDFLAGS += -ldl
 endif
-OPTIONS_OBJS  += src/ssl_sock.o
+OPTIONS_OBJS  += src/crypto.o src/ssl_sock.o
 endif
 
 # The private cache option affect the way the shctx is built
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 2e548b66c..17b2debe5 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13918,6 +13918,10 @@ debug([])
   Example:
 tcp-request connection track-sc0 src,debug(track-sc)
 
+digest()
+  Converts a binary input sample to a message digest. The result is a binary
+  sample. The algorithm must be an OpenSSL message digest name (e.g sha256).
+
 div()
   Divides the input value of type signed integer by , and returns the
   result as an signed integer. If  is null, the largest unsigned
@@ -13972,6 +13976,11 @@ hex2i
   Converts a hex string containing two hex digits per input byte to an
   integer. If the input value cannot be converted, then zero is returned.
 
+hmac(, )
+  Converts a binary input sample to a message authentication code with the 
given
+  key. The result is  a binary sample. The algorithm must be one of the
+  registered OpenSSL message digest names (e.g sha256).
+
 http_date([])
   Converts an integer supposed to contain a date since epoch to a string
   representing this date in a format suitable for use in HTTP header fields. If
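Review bot: the hmac() entry has a double space in "The result is  a binary sample" and, like the digest() entry in the previous hunk, writes "e.g sha256" where "e.g. sha256" is meant. The entry should also say how the key argument is read: it is used as the literal bytes of the argument as written in the configuration (`args[1].data.str.area` in src/crypto.c), so it cannot carry arbitrary binary data and is readable by anyone with access to the configuration file.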
diff --git a/reg-tests/sample_fetches/hashes.vtc 
b/reg-tests/sample_fetches/hashes.vtc
index 874f81e41..ca641f86c 100644
--- a/reg-tests/sample_fetches/hashes.vtc
+++ b/reg-tests/sample_fetches/hashes.vtc
@@ -38,6 +38,19 @@ haproxy h1 -conf {
 #http-response set-header x-sha2-384 "%[var(res.key),sha2(384),hex]"
 #http-response set-header x-sha2-512 "%[var(res.key),sha2(512),hex]"
 
+# OpenSSL Digest
+#http-response set-header x-digest-sha1 
"%[var(res.key),digest(sha1),hex]"
+#http-response set-header x-digest-sha224 
"%[var(res.key),digest(sha224),hex]"
+#http-response set-header x-digest-sha256 
"%[var(res.key),digest(sha256),hex]"
+#http-response set-header x-digest-sha384 
"%[var(res.key),digest(sha384),hex]"
+#http-response set-header x-digest-sha512 
"%[var(res.key),digest(sha512),hex]"
+
+# OpenSSL HMAC
+#http-response set-header x-hmac-sha1-short 
"%[var(res.key),hmac(sha1,key),hex]"
+#http-response set-header x-hmac-sha1-long 
"%[var(res.key),hmac(sha1,my_super_secret_long_key),hex]"
+#http-response set-header x-hmac-sha256-short 
"%[var(res.key),hmac(sha256,key),hex]"
+#http-response set-header x-hmac-sha256-long 
"%[var(res.key),hmac(sha256,my_super_secret_long_key),hex]"
+
 # 32-bit hashes, and their avalanche variants
 http-response set-header x-crc32   "%[var(res.key),crc32]"
 http-response set-header x-crc32-1 "%[var(res.key),crc32(1)]"
@@ -80,6 +93,15 @@ client c1 -connect ${h1_fe_sock} {
 #expect resp.http.x-sha2-256 == 
"40AFF2E9D2D8922E47AFD4648E6967497158785FBD1DA870E7110266BF944880"
 #expect resp.http.x-sha2-384 == 
"FFDAEBFF65ED05CF400F0221C4CCFB4B2104FB6A51F87E40BE6C4309386BFDEC2892E9179B34632331A59592737DB5C5"
 #expect resp.http.x-sha2-512 == 
"1E7B80BC8EDC552C8FEEB2780E111477E5BC70465FAC1A77B29B35980C3F0CE4A036A6C9462036824BD56801E62AF7E9FEBA5C22ED8A5AF877BF7DE117DCAC6D"
+#expect resp.http.x-digest-sha1 == resp.http.x-digest-sha1
+#expect resp.http.x-digest-sha224 == resp.http.x-sha2-224
+#expect resp.http.x-digest-sha256 == resp.http.x-sha2-256
+#expect resp.http.x-digest-sha384 == resp.http.x-sha2-384
+#expect resp.http.x-digest-sha512 == resp.http.x-sha2-512
+#expect resp.http.x-hmac-sha1-short == 
"98C6C3B2F2701E0C7B0AC31C09C44EFF006C802C"
+#expect resp.http.x-hmac-sha1-long == 
"0E153DC06F81DEC1352EA9394B12754C718E2600"
+#expect resp.http.x-hmac-sha256-short == 
"6AD0A89813F79E827359742225B46DC811D35E920192CFDF60F4955F14A93680"
+#expect resp.http.x-hmac-sha256-long == 
"C8E39024773AB08D937265FFAF22231F851CF00C96C6EE98DF9E0B66FFE7C089"
 expect resp.http.x-crc32 == "688229491"
 expect resp.http.x-crc32-1 == "4230317029"
 expect resp.http.x-crc32c == "2621708363"
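Review bot: every line this hunk (and the previous one in the same file) adds is commented out, both the `#http-response set-header x-digest-...` lines and the `#expect` lines, so the new converters get no executed coverage from this reg-test. In addition `#expect resp.http.x-digest-sha1 == resp.http.x-digest-sha1` compares the header with itself and can never fail even once enabled; give it a literal expected digest like the other expectations. If the lines have to stay disabled for the same reason as the sha2 ones above them, a comment saying why would help the next reader.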
diff --git a/src/crypto.c b/src/crypto.c
new file mode 100644
index 0..b4f2bfe32
--- /dev/null
+++ b/src/crypto.c
@@ -0,0 +1,84 @@
+/*
+ * Crypto converters
+ *
+ * Copyright 2018 Patrick Gansterer 
+ *

[PATCH] ssl defaults enhancements

2020-04-22 Thread Jerome Magnin
Hi,

please find attached to this mail two patches.
One aims at addressing issue #595 on github, where Anit reports some server
ssl options default values aren't applied when set with default-server or 
ssl-default-server-options directives. 
The other patch adds a new keyword in global section to set default bind curves.
 
Jérôme
From d86993cbd4476e1901eafdc7fbe88d31ca6f8e90 Mon Sep 17 00:00:00 2001
From: Jerome Magnin 
Date: Wed, 22 Apr 2020 11:40:18 +0200
Subject: [PATCH] BUG/MINOR: ssl: default settings for ssl server options are
 not used

Documentation states that default settings for ssl server options can be set
using either ssl-default-server-options or default-server directives. In
practice, not all ssl server options can have default values, such as
ssl-min-ver, ssl-max-ver, etc.

This patch adds the missing ssl options in srv_ssl_settings_cpy() and
srv_parse_ssl(), making it possible to write configurations like the following
examples, and have them behave as expected.

   global
 ssl-default-server-options ssl-max-ver TLSv1.2

   defaults
 mode http

   listen l1
 bind 1.2.3.4:80
 default-server ssl verify none
 server s1 1.2.3.5:443

   listen l2
 bind 2.2.3.4:80
 default-server ssl verify none ssl-max-ver TLSv1.3 ssl-min-ver TLSv1.2
 server s1 1.2.3.6:443

This should be backported as far as 1.8.
This fixes issue #595.
---
 src/server.c   |  9 +
 src/ssl_sock.c | 10 ++
 2 files changed, 19 insertions(+)

diff --git a/src/server.c b/src/server.c
index 4c745d655..f90cfff5a 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1643,6 +1643,15 @@ static void srv_ssl_settings_cpy(struct server *srv, 
struct server *src)
srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);
if (src->ssl_ctx.ciphers != NULL)
srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers);
+   if (src->ssl_ctx.options)
+   srv->ssl_ctx.options = src->ssl_ctx.options;
+   if (src->ssl_ctx.methods.flags)
+   srv->ssl_ctx.methods.flags = src->ssl_ctx.methods.flags;
+   if (src->ssl_ctx.methods.min)
+   srv->ssl_ctx.methods.min = src->ssl_ctx.methods.min;
+   if (src->ssl_ctx.methods.max)
+   srv->ssl_ctx.methods.max = src->ssl_ctx.methods.max;
+
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
if (src->ssl_ctx.ciphersuites != NULL)
srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9077e9114..2d52facb2 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -10050,6 +10050,16 @@ static int srv_parse_ssl(char **args, int *cur_arg, 
struct proxy *px, struct ser
if (global_ssl.connect_default_ciphersuites && 
!newsrv->ssl_ctx.ciphersuites)
newsrv->ssl_ctx.ciphersuites = 
strdup(global_ssl.connect_default_ciphersuites);
 #endif
+   newsrv->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
+   newsrv->ssl_ctx.methods.flags |= 
global_ssl.connect_default_sslmethods.flags;
+
+   if (!newsrv->ssl_ctx.methods.min)
+   newsrv->ssl_ctx.methods.min = 
global_ssl.connect_default_sslmethods.min;
+
+   if (!newsrv->ssl_ctx.methods.max)
+   newsrv->ssl_ctx.methods.max = 
global_ssl.connect_default_sslmethods.max;
+
+
return 0;
 }
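Review bot: there are two consecutive blank lines before `return 0;` at the end of the hunk; one is enough. The precedence the code now implements is worth a comment, since it is not obvious from the two hunks together: options and methods.flags are OR-ed with the global defaults unconditionally, whereas methods.min and methods.max fall back to the global values only `if (!newsrv->ssl_ctx.methods.min)` / `.max`, so a value set via default-server (copied in srv_ssl_settings_cpy()) wins over ssl-default-server-options for min/max but cannot clear a flag set there.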
 
-- 
2.26.2

From e2d311f55f3a3eb5728f5dcf376ed54c672160a3 Mon Sep 17 00:00:00 2001
From: Jerome Magnin 
Date: Fri, 3 Apr 2020 15:28:22 +0200
Subject: [PATCH] MINOR: config: add a global directive to set default SSL
 curves

This commit adds a new keyword to the global section to set default
curves for ssl binds:
  - ssl-default-bind-curves

It is also possible to preset them at build time by setting the macro
LISTEN_DEFAULT_CURVES.
---
 Makefile  |  2 ++
 doc/configuration.txt |  8 
 src/ssl_sock.c| 40 
 3 files changed, 50 insertions(+)

diff --git a/Makefile b/Makefile
index 1e4213989..9e4cdef90 100644
--- a/Makefile
+++ b/Makefile
@@ -238,6 +238,8 @@ ADDLIB =
 #   ciphers on "bind" lines instead of using OpenSSL's defaults.
 #   CONNECT_DEFAULT_CIPHERS is a cipher suite string used to set the default
 #   SSL ciphers on "server" lines instead of using OpenSSL's defaults.
+#   LISTEN_DEFAULT_CURVES is a curve suite string sued to set the default SSL
+#   curves on "bind" lines instead of using OpenSSL's defaults.
 DEFINE =
 SILENT_DEFINE =
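Review bot: typo in the added Makefile comment: "a curve suite string sued to set the default SSL curves" should read "used to set".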
 
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 2e548b66c..9b0b1d4f7 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -622,6 +622,7 @@ The following keywords are supported in the "global" 
section :
- stats
- ssl-default-bind-ciphers
- ssl-default-bind-ciphersuites
+   - ssl-default-bind-curves
- ssl-default-bind-options
- ssl-default-server-ciphers
- ssl-default-server-ciphersuites

[PATCH] MINOR: ssl: add ssl-skip-self-issued-ca global option

2020-04-22 Thread Emmanuel Hocdet

and voila:



0001-MINOR-ssl-add-ssl-skip-self-issued-ca-global-option.patch




Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-04-22 Thread William Lallemand
On Wed, Apr 22, 2020 at 11:23:05AM +0200, Emmanuel Hocdet wrote:
> Hi William,
> 
> It’s ok, thanks. I hope it is the case for all of us.
> 
> I will take time to do it.
> 
> ++
> Manu
> 

Okay, thanks!

-- 
William Lallemand



Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-04-22 Thread Emmanuel Hocdet


> On 21 Apr 2020 at 10:58, William Lallemand wrote:
> 
> On Fri, Apr 03, 2020 at 10:34:12AM +0200, Emmanuel Hocdet wrote:
>> 
>>> On 31 Mar 2020 at 18:40, William Lallemand wrote:
>>> 
>>> On Thu, Mar 26, 2020 at 06:29:48PM +0100, William Lallemand wrote:
 
>>>> After some thinking and discussing with people involved in this part of
>>>> HAProxy, I'm not feeling very comfortable with setting this behavior by
>>>> default; on top of that the next version is an LTS so it's not a good
>>>> idea to change this behavior yet. I think in most cases it won't be a
>>>> problem but it would be better if it's enabled by an option in the
>>>> global section.
 
>>> 
>>> Hi Manu,
>>> 
>>> Could you take a look at this? Because I already merged your first
>>> patch, so if we don't do anything about it we may revert it before the
>>> release.
>>> 
>>> Thanks a lot!
>> 
>> Hi William,
>> 
>> It’s really safe because a self-issued CA is the X509 end of chain by definition,
>> but yes, it changes the behaviour.
>> Why not an option in global section.
>> 
>> ++
>> Manu
>> 
> Hello Manu,
> 
> I hope you are well and living well through this confinement period.
> 
> Did you have time to work on the documentation patch and the global
> option?
> 

Hi William,

It’s ok, thanks. I hope it is the case for all of us.

I will take time to do it.

++
Manu