Re: [PATCH 0/2] ssl chain fetcher
On Wed, Aug 05, 2020 at 03:07:19PM +0200, William Dauchy wrote:
> On Wed, Aug 5, 2020 at 2:41 PM William Lallemand
> wrote:
> > I don't know if this is possible to fix it, but I think most of the SSL
> > fetches have
> > the problem.
>
> ok makes sense in that case. So for now I assume there is no easy way
> to get the information from a resumed session, right?
>

As far as I know it's not in memory anymore once it's resumed.

-- 
William Lallemand
Re: [PATCH 0/2] ssl chain fetcher
Hello William,

Thanks for your quick answer.

On Wed, Aug 5, 2020 at 2:41 PM William Lallemand wrote:
> I don't know if this is possible to fix it, but I think most of the SSL
> fetches have
> the problem.

ok makes sense in that case. So for now I assume there is no easy way
to get the information from a resumed session, right?

> Your patches look good, my only concern is the alloc_trash_chunk()
> return value which is not tested, otherwise I'm okay to merge them!

fixed in v2.

-- 
William
Re: [PATCH 0/2] ssl chain fetcher
On Wed, Aug 05, 2020 at 11:42:15AM +0200, William Dauchy wrote:
> Hi,
>
> Here is a patch to add a new fetcher for cert chain.
> It follows discussion after thread
> https://www.mail-archive.com/haproxy@formilux.org/msg35607.html
>
> It currently does not support session reuse, but I was looking for
> inputs about it, whether I could make use of `reused_sess` objects in
> haproxy, and in which way. Indeed, as pointed by Emeric in
> https://www.mail-archive.com/haproxy@formilux.org/msg37380.html
> `SSL_get_peer_cert_chain` returns NULL in case of resumed session.
>

I don't know if this is possible to fix it, but I think most of the SSL
fetches have the problem.

Your patches look good, my only concern is the alloc_trash_chunk()
return value which is not tested, otherwise I'm okay to merge them!

> +	smp_trash = get_trash_chunk();
> +	tmp_trash = alloc_trash_chunk();
> +	for (i = 0; i < num_certs; i++) {
> +		crt = sk_X509_value(certs, i);
> +		if (ssl_sock_crt2der(crt, tmp_trash) <= 0)
> +			goto out;
> +		chunk_cat(smp_trash, tmp_trash);
> +	}

-- 
William Lallemand
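Review bot: the quoted loop passes tmp_trash straight into ssl_sock_crt2der() without checking that alloc_trash_chunk() succeeded; since it returns NULL when the pool is exhausted, a `if (!tmp_trash) goto out;` (or an early `return 0;`) belongs right after the allocation so the fetch fails cleanly instead of dereferencing NULL under memory pressure. The allocation also needs a matching free_trash_chunk(tmp_trash) on both the normal exit and the `goto out` path; that code lies outside the quoted lines, so it is worth confirming it is there in the full patch.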
[PATCH 0/2] ssl chain fetcher
Hi,

Here is a patch to add a new fetcher for cert chain.
It follows discussion after thread
https://www.mail-archive.com/haproxy@formilux.org/msg35607.html

It currently does not support session reuse, but I was looking for
inputs about it, whether I could make use of `reused_sess` objects in
haproxy, and in which way. Indeed, as pointed by Emeric in
https://www.mail-archive.com/haproxy@formilux.org/msg37380.html
`SSL_get_peer_cert_chain` returns NULL in case of resumed session.

Thanks,

William Dauchy (2):
  CLEANUP: ssl: ssl_sock_crt2der semicolon and spaces
  MINOR: ssl: add ssl_c_chain_der fetch method

 doc/configuration.txt                |   7 ++
 reg-tests/ssl/client1.pem            | 106 +++
 reg-tests/ssl/ssl_client_samples.vtc |   2 +
 src/ssl_sample.c                     |  61 +++
 src/ssl_utils.c                      |   6 -
 5 files changed, 179 insertions(+), 3 deletions(-)

-- 
2.27.0
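A consumer-side parser for the value a fetch like ssl_c_chain_der produces, added here as an example that is not part of the patch series or of HAProxy itself. The fetch in the thread concatenates the DER encoding of every certificate in the chain into one buffer, so anything reading it back (a log pipeline, a Lua action) has to split the blob into individual certificates by walking the outer SEQUENCE length of each one; this handles both the short and the long DER length forms and rejects truncated input. The names `split_der_chain` and `make_sequence` and the sample blobs are constructed for this example. As the thread notes, the chain is unavailable on a resumed session, so an empty value should be read as "not captured" rather than as an empty chain.

```python
"""Split a concatenated-DER certificate chain back into certificates.

Every X.509 Certificate is a DER SEQUENCE (tag 0x30) followed by a length,
so the chain can be walked without a full ASN.1 parser.
"""
from typing import List


def _der_tlv_total_length(buf: bytes, pos: int) -> int:
    """Return the full size (tag + length bytes + content) of the TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header at offset %d" % pos)
    tag = buf[pos]
    if tag != 0x30:  # a certificate must start with a SEQUENCE
        raise ValueError("unexpected tag 0x%02x at offset %d" % (tag, pos))
    first = buf[pos + 1]
    if first < 0x80:  # short form: the byte is the content length
        return 2 + first
    n = first & 0x7F  # long form: n following bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    if pos + 2 + n > len(buf):
        raise ValueError("truncated DER length at offset %d" % pos)
    content_len = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return 2 + n + content_len


def split_der_chain(blob: bytes) -> List[bytes]:
    """Return the list of DER certificates concatenated in blob.

    An empty blob yields an empty list; callers should treat that as "chain
    not available" (for instance a resumed session), not as a verified
    absence of intermediates.
    """
    certs = []
    pos = 0
    while pos < len(blob):
        total = _der_tlv_total_length(blob, pos)
        if pos + total > len(blob):
            raise ValueError("certificate at offset %d is truncated" % pos)
        certs.append(blob[pos:pos + total])
        pos += total
    return certs


def make_sequence(content: bytes) -> bytes:
    """Constructed helper: wrap content in a DER SEQUENCE with a valid length.

    Used only to build sample input; real input comes from the fetch.
    """
    n = len(content)
    if n < 0x80:
        header = bytes([0x30, n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([0x30, 0x80 | len(length_bytes)]) + length_bytes
    return header + content


if __name__ == "__main__":
    # Constructed sample: one short-form and one long-form SEQUENCE.
    leaf = make_sequence(b"\x02\x01\x01" + bytes(7))
    intermediate = make_sequence(bytes(300))
    for i, cert in enumerate(split_der_chain(leaf + intermediate)):
        print("cert %d: %d bytes" % (i, len(cert)))
```

The parser deliberately stops at the SEQUENCE header and never decodes the certificate body; that keeps it tolerant of any certificate content while still catching a buffer that was cut off mid-certificate, which is the failure mode a truncated fetch buffer would produce.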