Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Willy Tarreau]

On Tue, Oct 31, 2017 at 01:35:16PM +0100, Olivier Houchard wrote:
> The attached patch removes the global ssl-allow-0rtt option.

Merged, thanks!
Willy

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Olivier Houchard]

On Fri, Oct 27, 2017 at 03:54:27PM +0200, Emmanuel Hocdet wrote:
> 
> > Le 27 oct. 2017 à 15:02, Olivier Houchard  a écrit :
> > 
> > The attached patch does use the ssl_conf, instead of abusing ssl_options.
> > I also added a new field in global_ssl, I wasn't so sure about this, but
> > decided people may want to enable 0RTT globally.
> > 
> > Emmanuel, is this ok for you ?
> > 
> 
> In global option seem a bad idea.
> 
> My opinion about global ssl ‘options’ for bind.
> . Good fit is in ssl-default-bind-options. It can be extend to more options 
> like
> generate-cert, strict-sni, ….
> (In this case have a kw_list will be good idea to have something better than 
> parsing in if/then/else
> in ssl_parse_default_bind_options)
> . Some options have already 2 locations for configuration (bind line and per 
> certificats), we really
> need a third? And some options are not really good candidate.
> 
> ++
> Manu
> 

Hi,

The attached patch removes the global ssl-allow-0rtt option.

Regards,

Olivier
>From 119a9c1b5324c4ef0636bc35d8e431a17c287076 Mon Sep 17 00:00:00 2001
From: Olivier Houchard 
Date: Tue, 31 Oct 2017 13:32:10 +0100
Subject: [PATCH] MINOR: ssl: Remove the global allow-0rtt option.

---
 doc/configuration.txt |  4 
 src/ssl_sock.c| 20 
 2 files changed, 24 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 8d0624839..67b888905 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -847,10 +847,6 @@ resetenv [ ...]
   next line in the configuration file sees the new environment. See also
   "setenv", "presetenv", and "unsetenv".
 
-ssl-allow-0rtt
-  Allow using 0RTT on every listener. 0RTT is prone to various attacks, so be
-  sure to know the security implications before activating it.
-
 stats bind-process [ all | odd | even | [-] ] ...
   Limits the stats socket to a certain set of processes numbers. By default the
   stats socket is bound to all processes, causing a warning to be emitted when
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 13d952652..7f52c4057 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -166,7 +166,6 @@ static struct {
char *crt_base; /* base directory path for certificates */
char *ca_base;  /* base directory path for CAs and CRLs */
int  async; /* whether we use ssl async mode */
-   int default_early_data; /* Shall we default to allow early data */
 
char *listen_default_ciphers;
char *connect_default_ciphers;
@@ -7325,7 +7324,6 @@ static int bind_parse_ssl(char **args, int cur_arg, 
struct proxy *px, struct bin
conf->ssl_conf.ciphers = 
strdup(global_ssl.listen_default_ciphers);
conf->ssl_options |= global_ssl.listen_default_ssloptions;
conf->ssl_conf.ssl_methods.flags |= 
global_ssl.listen_default_sslmethods.flags;
-   conf->ssl_conf.early_data = global_ssl.default_early_data;
if (!conf->ssl_conf.ssl_methods.min)
conf->ssl_conf.ssl_methods.min = 
global_ssl.listen_default_sslmethods.min;
if (!conf->ssl_conf.ssl_methods.max)
@@ -7819,23 +7817,6 @@ static int ssl_parse_global_ca_crt_base(char **args, int 
section_type, struct pr
return 0;
 }
 
-/* parse the "ssl-allow-0rtt" keyword in global section.
- * Returns <0 on alert, >0 on warning, 0 on success.
- */
-static int ssl_parse_global_ssl_allow_0rtt(char **args, int section_type,
-struct proxy *curpx, struct proxy *defpx, const char *file, int line,
-char **err)
-{
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
-global_ssl.default_early_data = 1;
-return 0;
-#else
-memprintf(err, "'%s': openssl library does not early data", args[0]);
-return -1;
-#endif
-
-}
-
 /* parse the "ssl-mode-async" keyword in global section.
  * Returns <0 on alert, >0 on warning, 0 on success.
  */
@@ -8526,7 +8507,6 @@ static struct cfg_kw_list cfg_kws = {ILH, {
{ CFG_GLOBAL, "ca-base",  ssl_parse_global_ca_crt_base },
{ CFG_GLOBAL, "crt-base", ssl_parse_global_ca_crt_base },
{ CFG_GLOBAL, "maxsslconn", ssl_parse_global_int },
-   { CFG_GLOBAL, "ssl-allow-0rtt", ssl_parse_global_ssl_allow_0rtt },
{ CFG_GLOBAL, "ssl-default-bind-options", 
ssl_parse_default_bind_options },
{ CFG_GLOBAL, "ssl-default-server-options", 
ssl_parse_default_server_options },
 #ifndef OPENSSL_NO_DH
-- 
2.13.5

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Willy Tarreau]

On Fri, Oct 27, 2017 at 03:54:27PM +0200, Emmanuel Hocdet wrote:
> > Le 27 oct. 2017 à 15:02, Olivier Houchard  a écrit :
> > 
> > The attached patch does use the ssl_conf, instead of abusing ssl_options.
> > I also added a new field in global_ssl, I wasn't so sure about this, but
> > decided people may want to enable 0RTT globally.
> > 
> > Emmanuel, is this ok for you ?
> > 
> 
> In global option seem a bad idea.

Oh crap, sorry, I thought I understood in a parallel thread this one was
for merging and I merged it. Spending too much time reviewing hundreds of
patches for merging these days and not enough finishing to reintegrate the
latest bits of H2. So any change will have to be done on top of this one
now.

Cheers,
Willy

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Emmanuel Hocdet]

> Le 27 oct. 2017 à 15:02, Olivier Houchard  a écrit :
> 
> The attached patch does use the ssl_conf, instead of abusing ssl_options.
> I also added a new field in global_ssl, I wasn't so sure about this, but
> decided people may want to enable 0RTT globally.
> 
> Emmanuel, is this ok for you ?
> 

In global option seem a bad idea.

My opinion about global ssl ‘options’ for bind.
. Good fit is in ssl-default-bind-options. It can be extend to more options like
generate-cert, strict-sni, ….
(In this case have a kw_list will be good idea to have something better than 
parsing in if/then/else
in ssl_parse_default_bind_options)
. Some options have already 2 locations for configuration (bind line and per 
certificats), we really
need a third? And some options are not really good candidate.

++
Manu

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Olivier Houchard]

Hi,

On Fri, Oct 27, 2017 at 12:45:36PM +0200, Olivier Houchard wrote:
> On Fri, Oct 27, 2017 at 12:36:31PM +0200, Emmanuel Hocdet wrote:
> > 
> > > Le 27 oct. 2017 ?? 11:22, Emmanuel Hocdet  a ??crit :
> > > 
> > > Hi Olivier
> > > 
> > >> Le 27 oct. 2017 ?? 01:08, Olivier Houchard  a 
> > >> ??crit :
> > >> 
> > >> Hi,
> > >> 
> > >> You'll find attached updated patches, rebased on the latest master, and 
> > >> on
> > >> top of Emmanuel's latest patches (also attached for reference).
> > >> This version allows to enable 0RTT per SNI.
> > >> It unfortunately still can't send early data to servers, this may or may
> > >> not happen later.
> > > 
> > > why add BC_SSL_O_EARLY_DATA?
> > > the information could be set in  conf->default_ssl_conf->early_data like
> > > in the same manner as per certificat configuration.
> > 
> > okay it???s bind_conf->ssl_conf.early_data   (my quick patch was not the 
> > good one)
> > 
> > You add allow-0rtt in global ssl_options, originally is only for ssl 
> > options (api) and i???m not sure
> > it???s really necessary for this special feature.
> > 
> 
> That indeed would do the trick, I'll change that.
> 
> Regards,
> 
> Olivier

The attached patch does use the ssl_conf, instead of abusing ssl_options.
I also added a new field in global_ssl, I wasn't so sure about this, but
decided people may want to enable 0RTT globally.

Emmanuel, is this ok for you ?

Regards,

Olivier
>From 742a5598f1171a81b5fc58cc500382dc819fa579 Mon Sep 17 00:00:00 2001
From: Olivier Houchard 
Date: Fri, 27 Oct 2017 14:58:08 +0200
Subject: [PATCH] MINOR: ssl: Don't abuse ssl_options.

A bind_conf does contain a ssl_bind_conf, which already has a flag to know
if early data are activated, so use that, instead of adding a new flag in
the ssl_options field.
---
 doc/configuration.txt|  4 
 include/types/listener.h |  1 -
 src/ssl_sock.c   | 26 ++
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index cf0d69606..b63ceb408 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -847,6 +847,10 @@ resetenv [ ...]
   next line in the configuration file sees the new environment. See also
   "setenv", "presetenv", and "unsetenv".
 
+ssl-allow-0rtt
+  Allow using 0RTT on every listener. 0RTT is prone to various attacks, so be
+  sure to know the security implications before activating it.
+
 stats bind-process [ all | odd | even | [-] ] ...
   Limits the stats socket to a certain set of processes numbers. By default the
   stats socket is bound to all processes, causing a warning to be emitted when
diff --git a/include/types/listener.h b/include/types/listener.h
index 19d1dbe3b..bcebea810 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -105,7 +105,6 @@ enum li_state {
 #define BC_SSL_O_NONE   0x
 #define BC_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
 #define BC_SSL_O_PREF_CLIE_CIPH 0x0200  /* prefer client ciphers */
-#define BC_SSL_O_EARLY_DATA 0x0400  /* Accept early data */
 #endif
 
 /* ssl "bind" settings */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 844be0a0e..62fcd00bd 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -165,6 +165,7 @@ static struct {
char *crt_base; /* base directory path for certificates */
char *ca_base;  /* base directory path for CAs and CRLs */
int  async; /* whether we use ssl async mode */
+   int default_early_data; /* Shall we default to allow early data */
 
char *listen_default_ciphers;
char *connect_default_ciphers;
@@ -2009,7 +2010,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void 
*arg)
conn = SSL_get_app_data(ssl);
s = objt_listener(conn->target)->bind_conf;
 
-   if (s->ssl_options & BC_SSL_O_EARLY_DATA)
+   if (s->ssl_conf.early_data)
allow_early = 1;
 #ifdef OPENSSL_IS_BORINGSSL
if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name,
@@ -6976,7 +6977,7 @@ static int ssl_bind_parse_allow_0rtt(char **args, int 
cur_arg, struct proxy *px,
 
 static int bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px, 
struct bind_conf *conf, char **err)
 {
-   conf->ssl_options |= BC_SSL_O_EARLY_DATA;
+   conf->ssl_conf.early_data = 1;
return 0;
 }
 
@@ -7102,6 +7103,7 @@ static int bind_parse_ssl(char **args, int cur_arg, 
struct proxy *px, struct bin
conf->ssl_conf.ciphers = 
strdup(global_ssl.listen_default_ciphers);
conf->ssl_options |= global_ssl.listen_default_ssloptions;
conf->ssl_conf.ssl_methods.flags |= 
global_ssl.listen_default_sslmethods.flags;
+   conf->ssl_conf.early_data = global_ssl.default_early_data;
if (!conf->ssl_conf.ssl_methods.min)
conf->ssl_conf.ssl_methods.min = 

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Olivier Houchard]

On Fri, Oct 27, 2017 at 12:36:31PM +0200, Emmanuel Hocdet wrote:
> 
> > Le 27 oct. 2017 ?? 11:22, Emmanuel Hocdet  a ??crit :
> > 
> > Hi Olivier
> > 
> >> Le 27 oct. 2017 ?? 01:08, Olivier Houchard  a 
> >> ??crit :
> >> 
> >> Hi,
> >> 
> >> You'll find attached updated patches, rebased on the latest master, and on
> >> top of Emmanuel's latest patches (also attached for reference).
> >> This version allows to enable 0RTT per SNI.
> >> It unfortunately still can't send early data to servers, this may or may
> >> not happen later.
> > 
> > why add BC_SSL_O_EARLY_DATA?
> > the information could be set in  conf->default_ssl_conf->early_data like
> > in the same manner as per certificat configuration.
> 
> okay it???s bind_conf->ssl_conf.early_data   (my quick patch was not the good 
> one)
> 
> You add allow-0rtt in global ssl_options, originally is only for ssl options 
> (api) and i???m not sure
> it???s really necessary for this special feature.
> 

That indeed would do the trick, I'll change that.

Regards,

Olivier

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Olivier Houchard]

On Fri, Oct 27, 2017 at 11:22:15AM +0200, Emmanuel Hocdet wrote:
> Hi Olivier
> 
> > Le 27 oct. 2017 ?? 01:08, Olivier Houchard  a ??crit 
> > :
> > 
> > Hi,
> > 
> > You'll find attached updated patches, rebased on the latest master, and on
> > top of Emmanuel's latest patches (also attached for reference).
> > This version allows to enable 0RTT per SNI.
> > It unfortunately still can't send early data to servers, this may or may
> > not happen later.
> 
> why add BC_SSL_O_EARLY_DATA?
> the information could be set in  conf->default_ssl_conf->early_data like
> in the same manner as per certificat configuration.
> 

Hi Emmanuel,

Because in my experience, we don't always have a default_ssl_conf. We only
have one if a crt_list file is provided.

Regards,

Olivier

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Emmanuel Hocdet]

> Le 27 oct. 2017 à 11:22, Emmanuel Hocdet  a écrit :
> 
> Hi Olivier
> 
>> Le 27 oct. 2017 à 01:08, Olivier Houchard  a écrit :
>> 
>> Hi,
>> 
>> You'll find attached updated patches, rebased on the latest master, and on
>> top of Emmanuel's latest patches (also attached for reference).
>> This version allows to enable 0RTT per SNI.
>> It unfortunately still can't send early data to servers, this may or may
>> not happen later.
> 
> why add BC_SSL_O_EARLY_DATA?
> the information could be set in  conf->default_ssl_conf->early_data like
> in the same manner as per certificat configuration.

okay it’s bind_conf->ssl_conf.early_data   (my quick patch was not the good one)

You add allow-0rtt in global ssl_options, originally is only for ssl options 
(api) and i’m not sure
it’s really necessary for this special feature.

++
Manu

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Emmanuel Hocdet]

Hi Olivier

> Le 27 oct. 2017 à 01:08, Olivier Houchard  a écrit :
> 
> Hi,
> 
> You'll find attached updated patches, rebased on the latest master, and on
> top of Emmanuel's latest patches (also attached for reference).
> This version allows to enable 0RTT per SNI.
> It unfortunately still can't send early data to servers, this may or may
> not happen later.

why add BC_SSL_O_EARLY_DATA?
the information could be set in  conf->default_ssl_conf->early_data like
in the same manner as per certificat configuration.

++
Manu

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Willy Tarreau]

Hi Olivier,

On Fri, Oct 27, 2017 at 01:08:05AM +0200, Olivier Houchard wrote:
> Hi,
> 
> You'll find attached updated patches, rebased on the latest master, and on
> top of Emmanuel's latest patches (also attached for reference).
> This version allows to enable 0RTT per SNI.
> It unfortunately still can't send early data to servers, this may or may
> not happen later.

Thank you, now merged! (and I could rebase the connection mux on top of it).

Willy

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Olivier Houchard]

Hi,

You'll find attached updated patches, rebased on the latest master, and on
top of Emmanuel's latest patches (also attached for reference).
This version allows to enable 0RTT per SNI.
It unfortunately still can't send early data to servers, this may or may
not happen later.

Regards,

Olivier
>From 25d10a4b30d946de138ccdd3b2595fa84a9da675 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet 
Date: Wed, 16 Aug 2017 11:28:44 +0200
Subject: [PATCH 1/6] MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral
 code

switchctx early callback is only supported for BoringSSL. To prepare
the support of openssl 1.1.1 early callback, convert CBS api to neutral
code to work with any ssl libs.
---
 src/ssl_sock.c | 109 ++---
 1 file changed, 58 insertions(+), 51 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 3d9723949..25b846b25 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1965,50 +1965,57 @@ static int ssl_sock_switchctx_err_cbk(SSL *ssl, int 
*al, void *priv)
 
 static int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx)
 {
+   SSL *ssl = ctx->ssl;
struct connection *conn;
struct bind_conf *s;
const uint8_t *extension_data;
size_t extension_len;
-   CBS extension, cipher_suites, server_name_list, host_name, sig_algs;
-   const SSL_CIPHER *cipher;
-   uint16_t cipher_suite;
-   uint8_t name_type, hash, sign;
int has_rsa = 0, has_ecdsa = 0, has_ecdsa_sig = 0;
 
char *wildp = NULL;
const uint8_t *servername;
+   size_t servername_len;
struct ebmb_node *node, *n, *node_ecdsa = NULL, *node_rsa = NULL, 
*node_anonymous = NULL;
int i;
 
-   conn = SSL_get_app_data(ctx->ssl);
+   conn = SSL_get_app_data(ssl);
s = objt_listener(conn->target)->bind_conf;
 
if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name,
 _data, 
_len)) {
-   CBS_init(, extension_data, extension_len);
-
-   if (!CBS_get_u16_length_prefixed(, _name_list)
-   || !CBS_get_u8(_name_list, _type)
-   /* Although the server_name extension was intended to be 
extensible to
-* new name types and multiple names, OpenSSL 1.0.x had a 
bug which meant
-* different name types will cause an error. Further, RFC 
4366 originally
-* defined syntax inextensibly. RFC 6066 corrected this 
mistake, but
-* adding new name types is no longer feasible.
-*
-* Act as if the extensibility does not exist to simplify 
parsing. */
-   || !CBS_get_u16_length_prefixed(_name_list, 
_name)
-   || CBS_len(_name_list) != 0
-   || CBS_len() != 0
-   || name_type != TLSEXT_NAMETYPE_host_name
-   || CBS_len(_name) == 0
-   || CBS_len(_name) > TLSEXT_MAXLEN_host_name
-   || CBS_contains_zero_byte(_name)) {
+   /*
+* The server_name extension was given too much extensibility 
when it
+* was written, so parsing the normal case is a bit complex.
+*/
+   size_t len;
+   if (extension_len <= 2)
goto abort;
-   }
+   /* Extract the length of the supplied list of names. */
+   len = (*extension_data++) << 8;
+   len |= *extension_data++;
+   if (len + 2 != extension_len)
+   goto abort;
+   /*
+* The list in practice only has a single element, so we only 
consider
+* the first one.
+*/
+   if (len == 0 || *extension_data++ != TLSEXT_NAMETYPE_host_name)
+   goto abort;
+   extension_len = len - 1;
+   /* Now we can finally pull out the byte array with the actual 
hostname. */
+   if (extension_len <= 2)
+   goto abort;
+   len = (*extension_data++) << 8;
+   len |= *extension_data++;
+   if (len == 0 || len + 2 > extension_len || len > 
TLSEXT_MAXLEN_host_name
+   || memchr(extension_data, 0, len) != NULL)
+   goto abort;
+   servername = extension_data;
+   servername_len = len;
} else {
/* without SNI extension, is the default_ctx (need 
SSL_TLSEXT_ERR_NOACK) */
if (!s->strict_sni) {
-   ssl_sock_switchctx_set(ctx->ssl, s->default_ctx);
+   ssl_sock_switchctx_set(ssl, s->default_ctx);
return 1;
}
goto abort;
@@ -2016,21 +2023,19 @@ static int ssl_sock_switchctx_cbk(const 

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Emmanuel Hocdet]

Hi Olivier,

Great to see a version of more ‘secure’ 0-RTT implementation.

> Le 2 oct. 2017 à 17:18, Olivier Houchard  a écrit :
> 
> Hi,
> 
> The attached patches add experimental support for 0-RTT with OpenSSL 1.1.1
> They are based on Emmanuel's previous patches, so I'm submitting them again,
> updated to reflect the changes in OpenSSL API, and with a few fixes.
> To allow the use of early data, one has to explicitely add "allow-0rtt" to
> its bind line. If early data are provided by the client, a
> "Early-Data: 1" header will be added, to let the origin server know that.
> 
> Because early data have security implications, a new sample fetch was added,
> "ssl_fc_has_early", a boolean that will be evaluated to true if early data
> were provided, as well as new action, "wait-for-handshake", which will make
> haproxy wait for the completion of the SSL handshake before processing the
> request. After the handshake, early data are considered as normal data, and
> they won't be reported to the origin server.
> 
> As usual, bugs are to be expected, and any review and/or test will be
> appreciated.
> 

I have tested the experimental version of 0-RTT few months ago with BoringSSL
and the option it’s a great candidate to per-certificat parameter. I attach the 
patch
to show howto set it (without BC_SSL_O_* flag).

I hope to be able to review your work in more detail.

++
Manu



early_data.diff
Description: Binary data

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

[Olivier Houchard]

Hi Igor,

On Tue, Oct 03, 2017 at 12:06:05AM +0800, Igor Pav wrote:
> It's excited, does server line(client side) support 0-rtt?
> 

Unfortunately, it does not yet. I'm investigating adding it.

Regards,

Olivier

> On Mon, Oct 2, 2017 at 11:18 PM, Olivier Houchard  
> wrote:
> > Hi,
> >
> > The attached patches add experimental support for 0-RTT with OpenSSL 1.1.1
> > They are based on Emmanuel's previous patches, so I'm submitting them again,
> > updated to reflect the changes in OpenSSL API, and with a few fixes.
> > To allow the use of early data, one has to explicitely add "allow-0rtt" to
> > its bind line. If early data are provided by the client, a
> > "Early-Data: 1" header will be added, to let the origin server know that.
> >
> > Because early data have security implications, a new sample fetch was added,
> > "ssl_fc_has_early", a boolean that will be evaluated to true if early data
> > were provided, as well as new action, "wait-for-handshake", which will make
> > haproxy wait for the completion of the SSL handshake before processing the
> > request. After the handshake, early data are considered as normal data, and
> > they won't be reported to the origin server.
> >
> > As usual, bugs are to be expected, and any review and/or test will be
> > appreciated.
> >
> > Regards,
> >
> > Olivier
>