RE: Randomly added byte in GET request line with HAProxy 1.5 + OpenSSL
Hi Holger, sounds like a tricky issue ... a few questions here: - has the Windows 7 box all the latest patches from MS? - any reason not to use openssl1.0.1e? - any security software (suites, software firewalls, anti-virus) which may intercept the SSL/TLS session (basically: do you see your real certificate in the browser or do you see a certificate of a security product)? - could you reproduce this with a self-signed certificate you *don't* use in production (so that the private key can be disclosed for troubleshooting), tcpdump the ssl session and provide the capture, including the private server certificate? Thanks, Lukas
Re: Randomly added byte in GET request line with HAProxy 1.5 + OpenSSL
Hi Lukas, Lukas Tribus wrote: sounds like a tricky issue ... indeed :) - has the Windows 7 box all the latest patches from MS? Yes. - any reason not to use openssl1.0.1e? I couldn't get it to compile, or in fact, I could compile it, but it would break at the `make test` step and I hadn't yet found time to get to the bottom of this. - any security software (suites, software firewalls, anti-virus) which may intercept the SSL/TLS session (basically: do you see your real certificate in the browser or do you see a certificate of a security product)? There is a simple iptables on the box. By policy, we don't deploy any magic security snake oil, so no, nothing of that kind between the client and HAProxy. The browser is talking directly to HAProxy. - could you reproduce this with a self-signed certificate you *don't* use in production (so that the private key can be disclosed for troubleshooting), tcpdump the ssl session and provide the capture, including the private server certificate? I'll have to reconstruct this on a local VM to anonymize the data a bit. I'll get back to you as soon as possible. Thanks for your support. --Holger
RE: Randomly added byte in GET request line with HAProxy 1.5 + OpenSSL
Hi Holger, There is a simple iptables on the box. By policy, we don't deploy any magic security snake oil I didn't mean the server or intermediate devices, I meant directly on the windows 7 client: *windows* software security solutions, which intercept SSL/TLS traffic on your local windows machine before they even touch the wire; there are a lot of those products intercepting outgoing https traffic by installing their own certificate in your IE/schannel certificate store. When you surf on your HTTPS site from IE 10 you can view the security report by clicking on the lock and with show certificate you see all the details about that certificate. When those things like sha1 fingerprint, serial, valid up/until dates and other things match with the certificate you installed on your server, then fine. If on the other hand you see Kaspersky, Avast or other names which have nothing to do with your certificate or CA, then probably one of those security products (or a MITM ...) is intercepting your HTTPS traffic, which *may* be causing issues if that software is buggy. I couldn't get it to compile, or in fact, I could compile it, but it would break at the `make test` step and I hadn't yet found time to get to the bottom of this. Do you run make depend also? openssl ask me that after config when I use your parameters: Since you've disabled or enabled at least one algorithm, you need to do the following before building: make depend I'll have to reconstruct this on a local VM to anonymize the data a bit. I'll get back to you as soon as possible. It is kind of a last resort option, perhaps someone has a better idea ... Regards, Lukas
