Re: Potential Bug

2015-11-03 Thread Michael Crilly
Great ideas. Email marked as a todo for tomorrow. Will report back. 

Thanks. 

- Michael C. 

On 3 Nov 2015, at 18:32, Lukas Tribus  wrote:

>> I believe I may have discovered a bug in HAProxy 1.5.4 on CentOS 7.1,
>> installed via standard repositories.
>> 
>> I don't want to go into debugging levels of detail here, but instead
>> will provide a synopsis in the hopes someone knows of a bug already or
>> can confirm it warrants further investigation.
> 
> Some proposals that would help nail it down:
> - can you provide a gdb backtrace (catch the coredump or start haproxy
>   with gdb directly)
> - try (as a workaround) without chroot
> - try (as an alternative trigger) with
>   openssl s_client -cipher LOW -connect  instead of the
>   ssl test
> 
> 
> I don't think the bug is in haproxy, I think you may hit some obscure
> problem in the openssl library, similar to this here:
> http://blog.tinola.com/?e=36
> 
> 
> Maybe that problem reappeared in CentOS 7.1.
> 
> 
> 
> Regards,
> 
> Lukas
> 
> 



RE: Potential Bug

2015-11-03 Thread Lukas Tribus
> I believe I may have discovered a bug in HAProxy 1.5.4 on CentOS 7.1,
> installed via standard repositories.
>
> I don't want to go into debugging levels of detail here, but instead
> will provide a synopsis in the hopes someone knows of a bug already or
> can confirm it warrants further investigation.

Some proposals that would help nail it down:
- can you provide a gdb backtrace (catch the coredump or start haproxy
  with gdb directly)
- try (as a workaround) without chroot
- try (as an alternative trigger) with
  openssl s_client -cipher LOW -connect  instead of the
  ssl test


I don't think the bug is in haproxy, I think you may hit some obscure
problem in the openssl library, similar to this here:
http://blog.tinola.com/?e=36


Maybe that problem reappeared in CentOS 7.1.



Regards,

Lukas



Re: Potential Bug

2015-11-02 Thread Michael Crilly
I think missing the line from the configuration was a silly thing to do on 
our part, without a doubt. Maybe Qualys' tests contain a test that is meant to 
crash the SSL implementation by design?

We're at the mercy of what version is available to use via the CentOS/EPEL 
mirrors, but I would actually like to see 1.6.1 in place, so perhaps I will 
take that route soon. Compiling from source is swift and our LBs are pretty 
static boxes. 

Thanks for the feedback! 

- Michael C. 

> On 3 Nov 2015, at 17:17, Marco Corte  wrote:
> 
> Hi, Michael!
> 
> The low Qualys rating is the problem, correct?
> 
>> [root@(redacted) ~]# haproxy --version
>> HA-Proxy version 1.5.4 2014/09/02
>> Copyright 2000-2014 Willy Tarreau 
> 
> I would use a newer version. 1.5.15 has been released.
> 
>> In the above configuration, the key component here is
>> 'ssl-default-bind-ciphers'. With this line commented out, as it is
>> above, Qualys SSL Server Test
>> (https://www.ssllabs.com/ssltest/index.html) brings our HAProxy instance
>> to its knees when it reaches the stage of, "Testing deprecated cipher
>> suites". With the line uncommented, and HAProxy restarted, the tests
>> pass fine and we come away with an A rating.
> 
> Without that line, I believe you are actually offering to the connecting 
> client all ciphers provided by your OpenSSL library.
> I am not sure, because I always specified the list of the ciphers that the 
> client should see.
> 
> I found these pages very interesting for finding the mix suiting my needs.
> 
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
> https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
> 
> Hope this helps
> 
> .marcoc
> 



Re: Potential Bug

2015-11-02 Thread Marco Corte

Hi, Michael!

The low Qualys rating is the problem, correct?


> [root@(redacted) ~]# haproxy --version
> HA-Proxy version 1.5.4 2014/09/02
> Copyright 2000-2014 Willy Tarreau 


I would use a newer version. 1.5.15 has been released.


> In the above configuration, the key component here is
> 'ssl-default-bind-ciphers'. With this line commented out, as it is
> above, Qualys SSL Server Test
> (https://www.ssllabs.com/ssltest/index.html) brings our HAProxy instance
> to its knees when it reaches the stage of, "Testing deprecated cipher
> suites". With the line uncommented, and HAProxy restarted, the tests
> pass fine and we come away with an A rating.


Without that line, I believe you are actually offering to the connecting 
client all ciphers provided by your OpenSSL library.
I am not sure, because I always specified the list of the ciphers that 
the client should see.


I found these pages very interesting for finding the mix suiting my needs.

https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

Hope this helps

.marcoc
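The point Marco makes above, shown as an added HAProxy 1.5 configuration fragment that is not part of this thread and not Michael's actual config: the commented-out directive leaves the bind on whatever the linked OpenSSL offers by default, while the explicit global list (Mozilla-generator style, constructed here) pins the suites every `bind ... ssl` will negotiate. The certificate path, section names and chroot directory are assumptions.

```haproxy
global
    log /dev/log local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    # Weak: with the directive commented out (as in the original report), each
    # ssl bind falls back to the OpenSSL library's full default cipher set,
    # which on an older distro build still includes LOW/EXPORT and RC4 suites.
    # ssl-default-bind-ciphers ...
    #
    # Hardened: an explicit, forward-secret, AEAD-first list. The trailing
    # "!" entries make sure anonymous, NULL, export, DES, RC4 and MD5 suites
    # can never be re-enabled by a later positive match in the string.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    # Refuse SSLv3 on every ssl bind; cipher choice alone does not do this.
    ssl-default-bind-options no-sslv3
    # Only matters if DHE suites are added to the list above; 1.5 otherwise
    # warns about weak default DH parameters.
    tune.ssl.default-dh-param 2048

frontend https-in
    # Inherits the global ciphers and options. A per-bind "ciphers" or
    # "no-sslv3" keyword here would override them for this listener only.
    bind *:443 ssl crt /etc/haproxy/certs/example.pem   # assumed path
    default_backend web

backend web
    server app1 127.0.0.1:8080 check
```

To see exactly which suites a given string expands to against the OpenSSL that HAProxy is linked with, run `openssl ciphers -v '<the list>'` on the load balancer; an empty result or an error means the list will not load.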