[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-23 Thread Christian Ehrhardt 
PPA: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1841936-haproxy- openssl Tested: a) load dh params from file b) Test default (without config) size c) Test config with higher size Remember, even the broken default config said in the log: WARNING] 295/095512 (19391) : Setting tune.ssl.defau

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-23 Thread Christian Ehrhardt 
We'd need several cleanups: Cleanup: 5b673a658fb1a0a42dbe948b413fceeff1af0642 82b00a11b298a497b4ca93a3f3bf3c7f1399ebc2 b1e3ee6f214d82ebe98140f57b4c47d88084 And more from there for context. They are all meant to be no-ops changing the retval handling. It seems less of an impact to backport the

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-23 Thread Christian Ehrhardt 
** Changed in: haproxy (Ubuntu Bionic) Assignee: Ubuntu Security Team (ubuntu-security) => Christian Ehrhardt (paelzer) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1841936 Title: Rebuild h

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-22 Thread Bug Watch Updater
** Changed in: haproxy Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1841936 Title: Rebuild haproxy with openssl 1.1.1 will change features (bionic) To manage not

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-22 Thread Christian Ehrhardt 
Might need some other cleanups or fixes from [2]. That needs evaluation for the SRU policy. [2]: http://git.haproxy.org/?p=haproxy-1.8.git;a=shortlog ** Tags added: server-next -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-22 Thread Christian Ehrhardt 
The fix was now backported to 1.8 (Thanks Upstream!) and we can start re-preparing an SRU of this. http://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=19dd0431b06019d5cbd253662822b15412f67144 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to U

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-16 Thread Christian Ehrhardt 
Test with that patch worked, we now have to wait until upstream really accepts and until they backport it to 1.8.x for us to be able to pick it up. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1841936

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-16 Thread Christian Ehrhardt 
Experimental patch to test: https://github.com/haproxy/haproxy/issues/324#issuecomment-542300776 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1841936 Title: Rebuild haproxy with openssl 1.1.1 will

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-14 Thread Bug Watch Updater
** Changed in: haproxy Status: Unknown => New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1841936 Title: Rebuild haproxy with openssl 1.1.1 will change features (bionic) To manage notifica

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-14 Thread Christian Ehrhardt 
After further IRC discussion, reported upstream in https://github.com/haproxy/haproxy/issues/324 as we'd want to either know how to configure it and/or get a fix to be able to get the key size down when built against openssl 1.1.1 ** Bug watch added: github.com/haproxy/haproxy/issues #324 https://github.c

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-14 Thread Christian Ehrhardt 
From upstream: [15:47] cpaelzer: we have investigated a bit and think there is a problem with how haproxy handles dhparam < 2048 with openssl 1.1.1. This will be further looked at and hopefully we find a solution to allow 1024 dhparam. Thanks for the report. I'd say we call this verification

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-14 Thread Christian Ehrhardt 
Hmm ... "the default DH parameters that are used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used" so the documentation agrees that this is for the DHE. But as mentioned, so far I fail to put something in there that makes testssl report 1024 bit. ./testssl

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-14 Thread Christian Ehrhardt 
At first it rejected my config: Oct 14 10:02:38 b haproxy[27966]: [ALERT] 286/100238 (27966) : parsing [/etc/haproxy/haproxy.cfg:22] : 'ssl-dh-param-file': unable to load DH parameters from file . Oct 14 10:02:38 b haproxy[27966]: [ALERT] 286/100238 (27966) : Error(s) found in configuration fil

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-14 Thread Christian Ehrhardt 
I found this example for apache2: SSLCipherSuite @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Which reads similar to the default haproxy config: ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+A

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-14 Thread Christian Ehrhardt 
In [1] a workaround for those (hopefully a few) installations that need the lower (not recommended) key size was suggested. Again this isn't what "should be done", but what users could do if affected. The reason not to do it is: a) LOGJAM (CVE-2015-4000), common prime: HAProxy (1024 bits) b) due t

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-08 Thread Robie Basak
** Tags added: bionic-openssl-1.1 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1841936 Title: Rebuild haproxy with openssl 1.1.1 will change features (bionic) To manage notifications about this bu

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-10-08 Thread Christian Ehrhardt 
** Tags added: server-triage-discuss -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1841936 Title: Rebuild haproxy with openssl 1.1.1 will change features (bionic) To manage notifications about this

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-09-27 Thread Christian Ehrhardt 
Thanks a lot David for testing. It is important that we track this down and make sure it is not introducing a regression. The related haproxy config would be: "tune.ssl.default-dh-param " Sets the maximum size of the Diffie-Hellman parameters used to generate the ephemeral/temporary Diffie-Hellm

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-09-27 Thread Christian Ehrhardt 
Assigned to ubuntu-security for their guidance (as outlined and asked in comment #12) on the increased minimum DH key size for: a) this particular case in haproxy but also b) potential openssl 1.1.1 rebuilds in general -- You received this bug notification because you are a member of Ubuntu Bu

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-09-26 Thread David Hedberg
I have done some preliminary testing with 1.8.8-1ubuntu0.5, and most things look good. However, in our case we have an old (external) client using java6 that we sadly still need to support for a while longer. Using the connection simulation in testssl.sh (and also ssllabs) I can see that connectio

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-09-26 Thread Christian Ehrhardt 
The basic check works as expected. Pre: OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 Upgrade to proposed worked without any issue. Post: OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 @David and maybe others could you try the version from proposed in a real setup to be more co

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-09-25 Thread Robie Basak
The SRU team discussed this last week and we agreed that enabling TLS 1.3 is appropriate. > [Test Case] > * run "haproxy -vv" and check the reported TLS versions to include 1.3 I think we should additionally check during SRU verification that TLS functionality is working correctly, both with an

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-09-03 Thread Christian Ehrhardt 
Prepped the SRU Template and found a few potential tricky bits while summarizing, I'll now bring this to the attention of the SRU Team to make a call. ** Description changed: + [Impact] + + * openssl 1.1.1 has been backported to Bionic for its longer +support upstream period + + * That wo

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-09-03 Thread Christian Ehrhardt 
I talked with Alex of the security Team. Here the TL;DR summary: - security would prefer and be +1 on enabling TLSv1.3 in haproxy in Bionic - Server team is ok as well, while it is a feature addition it seems not to take away any - thereby it would fall under the third section of [1] "add feat

[Bug 1841936] Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

2019-09-02 Thread Christian Ehrhardt 
We talked about it, and strictly speaking this could be anywhere from a) yay, a new feature for free for just a no-change rebuild, to b) this new feature is violating the SRU policy and not allowed to happen; we need to upload code that avoids that any coming e.g. security fix will switch it on u