Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
On Tue, Oct 31, 2017 at 01:35:16PM +0100, Olivier Houchard wrote: > The attached patch removes the global ssl-allow-0rtt option. Merged, thanks! Willy
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
On Fri, Oct 27, 2017 at 03:54:27PM +0200, Emmanuel Hocdet wrote: > > > Le 27 oct. 2017 à 15:02, Olivier Houcharda écrit : > > > > The attached patch does use the ssl_conf, instead of abusing ssl_options. > > I also added a new field in global_ssl, I wasn't so sure about this, but > > decided people may want to enable 0RTT globally. > > > > Emmanuel, is this ok for you ? > > > > In global option seem a bad idea. > > My opinion about global ssl ‘options’ for bind. > . Good fit is in ssl-default-bind-options. It can be extend to more options > like > generate-cert, strict-sni, …. > (In this case have a kw_list will be good idea to have something better than > parsing in if/then/else > in ssl_parse_default_bind_options) > . Some options have already 2 locations for configuration (bind line and per > certificats), we really > need a third? And some options are not really good candidate. > > ++ > Manu > Hi, The attached patch removes the global ssl-allow-0rtt option. Regards, Olivier >From 119a9c1b5324c4ef0636bc35d8e431a17c287076 Mon Sep 17 00:00:00 2001 From: Olivier Houchard Date: Tue, 31 Oct 2017 13:32:10 +0100 Subject: [PATCH] MINOR: ssl: Remove the global allow-0rtt option. --- doc/configuration.txt | 4 src/ssl_sock.c| 20 2 files changed, 24 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 8d0624839..67b888905 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -847,10 +847,6 @@ resetenv [ ...] next line in the configuration file sees the new environment. See also "setenv", "presetenv", and "unsetenv". -ssl-allow-0rtt - Allow using 0RTT on every listener. 0RTT is prone to various attacks, so be - sure to know the security implications before activating it. - stats bind-process [ all | odd | even | [-] ] ... Limits the stats socket to a certain set of processes numbers. By default the stats socket is bound to all processes, causing a warning to be emitted when diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 13d952652..7f52c4057 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -166,7 +166,6 @@ static struct { char *crt_base; /* base directory path for certificates */ char *ca_base; /* base directory path for CAs and CRLs */ int async; /* whether we use ssl async mode */ - int default_early_data; /* Shall we default to allow early data */ char *listen_default_ciphers; char *connect_default_ciphers; @@ -7325,7 +7324,6 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers); conf->ssl_options |= global_ssl.listen_default_ssloptions; conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags; - conf->ssl_conf.early_data = global_ssl.default_early_data; if (!conf->ssl_conf.ssl_methods.min) conf->ssl_conf.ssl_methods.min = global_ssl.listen_default_sslmethods.min; if (!conf->ssl_conf.ssl_methods.max) @@ -7819,23 +7817,6 @@ static int ssl_parse_global_ca_crt_base(char **args, int section_type, struct pr return 0; } -/* parse the "ssl-allow-0rtt" keyword in global section. - * Returns <0 on alert, >0 on warning, 0 on success. - */ -static int ssl_parse_global_ssl_allow_0rtt(char **args, int section_type, -struct proxy *curpx, struct proxy *defpx, const char *file, int line, -char **err) -{ -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) -global_ssl.default_early_data = 1; -return 0; -#else -memprintf(err, "'%s': openssl library does not early data", args[0]); -return -1; -#endif - -} - /* parse the "ssl-mode-async" keyword in global section. * Returns <0 on alert, >0 on warning, 0 on success. */ @@ -8526,7 +8507,6 @@ static struct cfg_kw_list cfg_kws = {ILH, { { CFG_GLOBAL, "ca-base", ssl_parse_global_ca_crt_base }, { CFG_GLOBAL, "crt-base", ssl_parse_global_ca_crt_base }, { CFG_GLOBAL, "maxsslconn", ssl_parse_global_int }, - { CFG_GLOBAL, "ssl-allow-0rtt", ssl_parse_global_ssl_allow_0rtt }, { CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options }, { CFG_GLOBAL, "ssl-default-server-options", ssl_parse_default_server_options }, #ifndef OPENSSL_NO_DH -- 2.13.5
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
On Fri, Oct 27, 2017 at 03:54:27PM +0200, Emmanuel Hocdet wrote: > > Le 27 oct. 2017 à 15:02, Olivier Houcharda écrit : > > > > The attached patch does use the ssl_conf, instead of abusing ssl_options. > > I also added a new field in global_ssl, I wasn't so sure about this, but > > decided people may want to enable 0RTT globally. > > > > Emmanuel, is this ok for you ? > > > > In global option seem a bad idea. Oh crap, sorry, I thought I understood in a parallel thread this one was for merging and I merged it. Spending too much time reviewing hundreds of patches for merging these days and not enough finishing to reintegrate the latest bits of H2. So any change will have to be done on top of this one now. Cheers, Willy
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
> Le 27 oct. 2017 à 15:02, Olivier Houcharda écrit : > > The attached patch does use the ssl_conf, instead of abusing ssl_options. > I also added a new field in global_ssl, I wasn't so sure about this, but > decided people may want to enable 0RTT globally. > > Emmanuel, is this ok for you ? > In global option seem a bad idea. My opinion about global ssl ‘options’ for bind. . Good fit is in ssl-default-bind-options. It can be extend to more options like generate-cert, strict-sni, …. (In this case have a kw_list will be good idea to have something better than parsing in if/then/else in ssl_parse_default_bind_options) . Some options have already 2 locations for configuration (bind line and per certificats), we really need a third? And some options are not really good candidate. ++ Manu
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
Hi, On Fri, Oct 27, 2017 at 12:45:36PM +0200, Olivier Houchard wrote: > On Fri, Oct 27, 2017 at 12:36:31PM +0200, Emmanuel Hocdet wrote: > > > > > Le 27 oct. 2017 ?? 11:22, Emmanuel Hocdeta ??crit : > > > > > > Hi Olivier > > > > > >> Le 27 oct. 2017 ?? 01:08, Olivier Houchard a > > >> ??crit : > > >> > > >> Hi, > > >> > > >> You'll find attached updated patches, rebased on the latest master, and > > >> on > > >> top of Emmanuel's latest patches (also attached for reference). > > >> This version allows to enable 0RTT per SNI. > > >> It unfortunately still can't send early data to servers, this may or may > > >> not happen later. > > > > > > why add BC_SSL_O_EARLY_DATA? > > > the information could be set in conf->default_ssl_conf->early_data like > > > in the same manner as per certificat configuration. > > > > okay it???s bind_conf->ssl_conf.early_data (my quick patch was not the > > good one) > > > > You add allow-0rtt in global ssl_options, originally is only for ssl > > options (api) and i???m not sure > > it???s really necessary for this special feature. > > > > That indeed would do the trick, I'll change that. > > Regards, > > Olivier The attached patch does use the ssl_conf, instead of abusing ssl_options. I also added a new field in global_ssl, I wasn't so sure about this, but decided people may want to enable 0RTT globally. Emmanuel, is this ok for you ? Regards, Olivier >From 742a5598f1171a81b5fc58cc500382dc819fa579 Mon Sep 17 00:00:00 2001 From: Olivier Houchard Date: Fri, 27 Oct 2017 14:58:08 +0200 Subject: [PATCH] MINOR: ssl: Don't abuse ssl_options. A bind_conf does contain a ssl_bind_conf, which already has a flag to know if early data are activated, so use that, instead of adding a new flag in the ssl_options field. --- doc/configuration.txt| 4 include/types/listener.h | 1 - src/ssl_sock.c | 26 ++ 3 files changed, 26 insertions(+), 5 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index cf0d69606..b63ceb408 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -847,6 +847,10 @@ resetenv [ ...] next line in the configuration file sees the new environment. See also "setenv", "presetenv", and "unsetenv". +ssl-allow-0rtt + Allow using 0RTT on every listener. 0RTT is prone to various attacks, so be + sure to know the security implications before activating it. + stats bind-process [ all | odd | even | [-] ] ... Limits the stats socket to a certain set of processes numbers. By default the stats socket is bound to all processes, causing a warning to be emitted when diff --git a/include/types/listener.h b/include/types/listener.h index 19d1dbe3b..bcebea810 100644 --- a/include/types/listener.h +++ b/include/types/listener.h @@ -105,7 +105,6 @@ enum li_state { #define BC_SSL_O_NONE 0x #define BC_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */ #define BC_SSL_O_PREF_CLIE_CIPH 0x0200 /* prefer client ciphers */ -#define BC_SSL_O_EARLY_DATA 0x0400 /* Accept early data */ #endif /* ssl "bind" settings */ diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 844be0a0e..62fcd00bd 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -165,6 +165,7 @@ static struct { char *crt_base; /* base directory path for certificates */ char *ca_base; /* base directory path for CAs and CRLs */ int async; /* whether we use ssl async mode */ + int default_early_data; /* Shall we default to allow early data */ char *listen_default_ciphers; char *connect_default_ciphers; @@ -2009,7 +2010,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg) conn = SSL_get_app_data(ssl); s = objt_listener(conn->target)->bind_conf; - if (s->ssl_options & BC_SSL_O_EARLY_DATA) + if (s->ssl_conf.early_data) allow_early = 1; #ifdef OPENSSL_IS_BORINGSSL if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name, @@ -6976,7 +6977,7 @@ static int ssl_bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px, static int bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) { - conf->ssl_options |= BC_SSL_O_EARLY_DATA; + conf->ssl_conf.early_data = 1; return 0; } @@ -7102,6 +7103,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers); conf->ssl_options |= global_ssl.listen_default_ssloptions; conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags; + conf->ssl_conf.early_data = global_ssl.default_early_data; if (!conf->ssl_conf.ssl_methods.min) conf->ssl_conf.ssl_methods.min =
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
On Fri, Oct 27, 2017 at 12:36:31PM +0200, Emmanuel Hocdet wrote: > > > Le 27 oct. 2017 ?? 11:22, Emmanuel Hocdeta ??crit : > > > > Hi Olivier > > > >> Le 27 oct. 2017 ?? 01:08, Olivier Houchard a > >> ??crit : > >> > >> Hi, > >> > >> You'll find attached updated patches, rebased on the latest master, and on > >> top of Emmanuel's latest patches (also attached for reference). > >> This version allows to enable 0RTT per SNI. > >> It unfortunately still can't send early data to servers, this may or may > >> not happen later. > > > > why add BC_SSL_O_EARLY_DATA? > > the information could be set in conf->default_ssl_conf->early_data like > > in the same manner as per certificat configuration. > > okay it???s bind_conf->ssl_conf.early_data (my quick patch was not the good > one) > > You add allow-0rtt in global ssl_options, originally is only for ssl options > (api) and i???m not sure > it???s really necessary for this special feature. > That indeed would do the trick, I'll change that. Regards, Olivier
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
On Fri, Oct 27, 2017 at 11:22:15AM +0200, Emmanuel Hocdet wrote: > Hi Olivier > > > Le 27 oct. 2017 ?? 01:08, Olivier Houcharda ??crit > > : > > > > Hi, > > > > You'll find attached updated patches, rebased on the latest master, and on > > top of Emmanuel's latest patches (also attached for reference). > > This version allows to enable 0RTT per SNI. > > It unfortunately still can't send early data to servers, this may or may > > not happen later. > > why add BC_SSL_O_EARLY_DATA? > the information could be set in conf->default_ssl_conf->early_data like > in the same manner as per certificat configuration. > Hi Emmanuel, Because in my experience, we don't always have a default_ssl_conf. We only have one if a crt_list file is provided. Regards, Olivier
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
> Le 27 oct. 2017 à 11:22, Emmanuel Hocdeta écrit : > > Hi Olivier > >> Le 27 oct. 2017 à 01:08, Olivier Houchard a écrit : >> >> Hi, >> >> You'll find attached updated patches, rebased on the latest master, and on >> top of Emmanuel's latest patches (also attached for reference). >> This version allows to enable 0RTT per SNI. >> It unfortunately still can't send early data to servers, this may or may >> not happen later. > > why add BC_SSL_O_EARLY_DATA? > the information could be set in conf->default_ssl_conf->early_data like > in the same manner as per certificat configuration. okay it’s bind_conf->ssl_conf.early_data (my quick patch was not the good one) You add allow-0rtt in global ssl_options, originally is only for ssl options (api) and i’m not sure it’s really necessary for this special feature. ++ Manu
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
Hi Olivier > Le 27 oct. 2017 à 01:08, Olivier Houcharda écrit : > > Hi, > > You'll find attached updated patches, rebased on the latest master, and on > top of Emmanuel's latest patches (also attached for reference). > This version allows to enable 0RTT per SNI. > It unfortunately still can't send early data to servers, this may or may > not happen later. why add BC_SSL_O_EARLY_DATA? the information could be set in conf->default_ssl_conf->early_data like in the same manner as per certificat configuration. ++ Manu
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
Hi Olivier, On Fri, Oct 27, 2017 at 01:08:05AM +0200, Olivier Houchard wrote: > Hi, > > You'll find attached updated patches, rebased on the latest master, and on > top of Emmanuel's latest patches (also attached for reference). > This version allows to enable 0RTT per SNI. > It unfortunately still can't send early data to servers, this may or may > not happen later. Thank you, now merged! (and I could rebase the connection mux on top of it). Willy
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
Hi, You'll find attached updated patches, rebased on the latest master, and on top of Emmanuel's latest patches (also attached for reference). This version allows to enable 0RTT per SNI. It unfortunately still can't send early data to servers, this may or may not happen later. Regards, Olivier >From 25d10a4b30d946de138ccdd3b2595fa84a9da675 Mon Sep 17 00:00:00 2001 From: Emmanuel HocdetDate: Wed, 16 Aug 2017 11:28:44 +0200 Subject: [PATCH 1/6] MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs. --- src/ssl_sock.c | 109 ++--- 1 file changed, 58 insertions(+), 51 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 3d9723949..25b846b25 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1965,50 +1965,57 @@ static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) static int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx) { + SSL *ssl = ctx->ssl; struct connection *conn; struct bind_conf *s; const uint8_t *extension_data; size_t extension_len; - CBS extension, cipher_suites, server_name_list, host_name, sig_algs; - const SSL_CIPHER *cipher; - uint16_t cipher_suite; - uint8_t name_type, hash, sign; int has_rsa = 0, has_ecdsa = 0, has_ecdsa_sig = 0; char *wildp = NULL; const uint8_t *servername; + size_t servername_len; struct ebmb_node *node, *n, *node_ecdsa = NULL, *node_rsa = NULL, *node_anonymous = NULL; int i; - conn = SSL_get_app_data(ctx->ssl); + conn = SSL_get_app_data(ssl); s = objt_listener(conn->target)->bind_conf; if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name, _data, _len)) { - CBS_init(, extension_data, extension_len); - - if (!CBS_get_u16_length_prefixed(, _name_list) - || !CBS_get_u8(_name_list, _type) - /* Although the server_name extension was intended to be extensible to -* new name types and multiple names, OpenSSL 1.0.x had a bug which meant -* different name types will cause an error. Further, RFC 4366 originally -* defined syntax inextensibly. RFC 6066 corrected this mistake, but -* adding new name types is no longer feasible. -* -* Act as if the extensibility does not exist to simplify parsing. */ - || !CBS_get_u16_length_prefixed(_name_list, _name) - || CBS_len(_name_list) != 0 - || CBS_len() != 0 - || name_type != TLSEXT_NAMETYPE_host_name - || CBS_len(_name) == 0 - || CBS_len(_name) > TLSEXT_MAXLEN_host_name - || CBS_contains_zero_byte(_name)) { + /* +* The server_name extension was given too much extensibility when it +* was written, so parsing the normal case is a bit complex. +*/ + size_t len; + if (extension_len <= 2) goto abort; - } + /* Extract the length of the supplied list of names. */ + len = (*extension_data++) << 8; + len |= *extension_data++; + if (len + 2 != extension_len) + goto abort; + /* +* The list in practice only has a single element, so we only consider +* the first one. +*/ + if (len == 0 || *extension_data++ != TLSEXT_NAMETYPE_host_name) + goto abort; + extension_len = len - 1; + /* Now we can finally pull out the byte array with the actual hostname. */ + if (extension_len <= 2) + goto abort; + len = (*extension_data++) << 8; + len |= *extension_data++; + if (len == 0 || len + 2 > extension_len || len > TLSEXT_MAXLEN_host_name + || memchr(extension_data, 0, len) != NULL) + goto abort; + servername = extension_data; + servername_len = len; } else { /* without SNI extension, is the default_ctx (need SSL_TLSEXT_ERR_NOACK) */ if (!s->strict_sni) { - ssl_sock_switchctx_set(ctx->ssl, s->default_ctx); + ssl_sock_switchctx_set(ssl, s->default_ctx); return 1; } goto abort; @@ -2016,21 +2023,19 @@ static int ssl_sock_switchctx_cbk(const
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
Hi Olivier, Great to see a version of more ‘secure’ 0-RTT implementation. > Le 2 oct. 2017 à 17:18, Olivier Houcharda écrit : > > Hi, > > The attached patches add experimental support for 0-RTT with OpenSSL 1.1.1 > They are based on Emmanuel's previous patches, so I'm submitting them again, > updated to reflect the changes in OpenSSL API, and with a few fixes. > To allow the use of early data, one has to explicitely add "allow-0rtt" to > its bind line. If early data are provided by the client, a > "Early-Data: 1" header will be added, to let the origin server know that. > > Because early data have security implications, a new sample fetch was added, > "ssl_fc_has_early", a boolean that will be evaluated to true if early data > were provided, as well as new action, "wait-for-handshake", which will make > haproxy wait for the completion of the SSL handshake before processing the > request. After the handshake, early data are considered as normal data, and > they won't be reported to the origin server. > > As usual, bugs are to be expected, and any review and/or test will be > appreciated. > I have tested the experimental version of 0-RTT few months ago with BoringSSL and the option it’s a great candidate to per-certificat parameter. I attach the patch to show howto set it (without BC_SSL_O_* flag). I hope to be able to review your work in more detail. ++ Manu early_data.diff Description: Binary data
Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1
Hi Igor, On Tue, Oct 03, 2017 at 12:06:05AM +0800, Igor Pav wrote: > It's excited, does server line(client side) support 0-rtt? > Unfortunately, it does not yet. I'm investigating adding it. Regards, Olivier > On Mon, Oct 2, 2017 at 11:18 PM, Olivier Houchard> wrote: > > Hi, > > > > The attached patches add experimental support for 0-RTT with OpenSSL 1.1.1 > > They are based on Emmanuel's previous patches, so I'm submitting them again, > > updated to reflect the changes in OpenSSL API, and with a few fixes. > > To allow the use of early data, one has to explicitely add "allow-0rtt" to > > its bind line. If early data are provided by the client, a > > "Early-Data: 1" header will be added, to let the origin server know that. > > > > Because early data have security implications, a new sample fetch was added, > > "ssl_fc_has_early", a boolean that will be evaluated to true if early data > > were provided, as well as new action, "wait-for-handshake", which will make > > haproxy wait for the completion of the SSL handshake before processing the > > request. After the handshake, early data are considered as normal data, and > > they won't be reported to the origin server. > > > > As usual, bugs are to be expected, and any review and/or test will be > > appreciated. > > > > Regards, > > > > Olivier >