Commit Graph

85 Commits

Author SHA1 Message Date
Willy Tarreau
68574dd492 MEDIUM: log: add the client's SNI to the default HTTPS log format
During a troublehooting it came obvious that the SNI always ought to
be logged on httpslog, as it explains errors caused by selection of
the default certificate (or failure to do so in case of strict-sni).

This expectation was also confirmed on the mailing list.

Since the field may be empty it appeared important not to leave an
empty string in the current format, so it was decided to place the
field before a '/' preceding the SSL version and ciphers, so that
in the worst case a missing field leads to a field looking like
"/TLSv1.2/AES...", though usually a missing element still results
in a "-" in logs.

This will change the log format for users who already deployed the
2.5-dev versions (hence the medium level) but no released version
was using this format yet so there's no harm for stable deployments.
The reg-test was updated to check for "-" there since we don't send
SNI in reg-tests.

Link: https://www.mail-archive.com/haproxy@formilux.org/msg41410.html
Cc: William Lallemand <wlallemand@haproxy.org>
2021-11-06 09:20:07 +01:00
Willy Tarreau
6f7497616e MEDIUM: connection: rename fc_conn_err and bc_conn_err to fc_err and bc_err
Commit 3d2093af9 ("MINOR: connection: Add a connection error code sample
fetch") added these convenient sample-fetch functions but it appears that
due to a misunderstanding the redundant "conn" part was kept in their
name, causing confusion, since "fc" already stands for "front connection".

Let's simply call them "fc_err" and "bc_err" to match all other related
ones before they appear in a final release. The VTC they appeared in were
also updated, and the alpha sort in the keywords table updated.

Cc: William Lallemand <wlallemand@haproxy.org>
2021-11-06 09:20:07 +01:00
Ilya Shipitsin
bd6b4be721 CLEANUP: assorted typo fixes in the code and comments
This is 27th iteration of typo fixes
2021-10-18 07:26:19 +02:00
William Lallemand
1d58b01316 MINOR: ssl: add ssl_fc_is_resumed to "option httpslog"
In order to trace which session were TLS resumed, add the
ssl_fc_is_resumed in the httpslog option.
2021-10-14 14:27:48 +02:00
William Lallemand
e5dfd405b3 REGTESTS: ssl: re-enable set_ssl_cert_bundle.vtc
The new "ssllib_name_startswith(OpenSSL)" command allows us to
reactivate set_ssl_cert_bundle.vtc with >= OpenSSL 1.1.1 only.
2021-10-14 11:06:16 +02:00
Remi Tricot-Le Breton
e1b61090a0 REGTESTS: ssl: Use mostly TLSv1.2 in ssl_errors test
In order for the test to run with OpenSSL 1.0.2 the test will now mostly
use TLSv1.2 and use TLS 1.3 only on some specific tests (covered by
preconditions).
2021-10-13 11:28:12 +02:00
Remi Tricot-Le Breton
d12e13a55a REGTESTS: ssl: Reenable ssl_errors test for OpenSSL only
The test is strongly dependent on the way the errors are output by the
SSL library so it is not possible to perform the same checks when using
OpenSSL or LibreSSL. It is then reenabled for OpenSSL (whatever the
version) but still disabled for LibreSSL.
This limitation is added thanks to the new ssllib_name_startswith
precondition check.
2021-10-13 11:28:11 +02:00
Remi Tricot-Le Breton
d266cdad2a REGTESTS: ssl: Fix ssl_errors test for OpenSSL v3
The OpenSSL error codes for the same errors are not consistent between
OpenSSL versions. The ssl_errors test needs to be modified to only take
into account a fixed part of those error codes.
This patch focuses on the reason part of the error code by applying a
mask on the error code (whose size varies depending on the lib version).
2021-10-13 11:28:10 +02:00
Remi Tricot-Le Breton
1ac65f8668 REGTESTS: ssl: Fix references to removed option in test description
The log-error-via-logformat option was removed in commit
3d6350e108 and was replaced by a dedicated
error-log-format option. The references to this option need to be
removed from the test's description.
2021-10-13 11:28:07 +02:00
William Lallemand
f542941f71 REGTESTS: ssl: wrong feature cmd in show_ssl_ocspresponse.vtc
The "feature cmd" needs to be separated in 2 parts to check the openssl
command.
2021-09-30 18:45:18 +02:00
William Lallemand
2655f2ba33 REGTESTS: ssl: show_ssl_ocspresponse w/ freebsd won't use base64
The reg-test show_ssl_ocspresponse.vtc won't use the "base64" binary on
freebsd, replace it by a "openssl base64" which does the same thing.
2021-09-30 17:58:58 +02:00
William Lallemand
8d264387c3 REGTESTS: ssl: enable ssl_crt-list_filters.vtc again
ssl_crt-list_filters.vtc was deactivated because they were not compatible with
previous version of OpenSSL and it was not possible to
filter by versions.

Activate it again with a openssl_version_atleast(1.1.1)
check.
2021-09-30 15:39:59 +02:00
William Lallemand
2f52fdb52e REGTESTS: ssl: enable show_ssl_ocspresponse.vtc again
Since we disabled boringssl from the CI we can enable this test again.
2021-09-30 15:28:30 +02:00
Remi Tricot-Le Breton
1fe0fad88b MINOR: ssl: Rename ssl_bc_hsk_err to ssl_bc_err
The ssl_bc_hsk_err sample fetch will need to raise more errors than only
handshake related ones hence its renaming to a more generic ssl_bc_err.
This patch is required because some handshake failures that should have
been caught by this fetch (verify error on the server side for instance)
were missed. This is caused by a change in TLS1.3 in which the
'Finished' state on the client is reached before its certificate is sent
(and verified) on the server side (see the "Protocol Overview" part of
RFC 8446).
This means that the SSL_do_handshake call is finished long before the
server can verify and potentially reject the client certificate.

The ssl_bc_hsk_err will then need to be expanded to catch other types of
errors.

This change is also applied to the frontend fetches (ssl_fc_hsk_err
becomes ssl_fc_err) and to their string counterparts.
2021-09-30 11:04:35 +02:00
Remi Tricot-Le Breton
b061fb31ab REGTESTS: ssl: Add tests for bc_conn_err and ssl_bc_hsk_err sample fetches
Those fetches are used to identify connection errors and SSL handshake
errors on the backend side of a connection. They can for instance be
used in a log-format line as in the regtest.
2021-09-01 22:55:56 +02:00
Remi Tricot-Le Breton
fe21fe76bd MINOR: log: Add new "error-log-format" option
This option can be used to define a specific log format that will be
used in case of error, timeout, connection failure on a frontend... It
will be used for any log line concerned by the log-separate-errors
option. It will also replace the format of specific error messages
decribed in section 8.2.6.
If no "error-log-format" is defined, the legacy error messages are still
emitted and the other error logs keep using the regular log-format.
2021-08-31 12:13:08 +02:00
Marcin Deranek
310a260e4a MEDIUM: config: Deprecate tune.ssl.capture-cipherlist-size
Deprecate tune.ssl.capture-cipherlist-size in favor of
tune.ssl.capture-buffer-size which better describes the purpose of the
setting.
2021-08-26 19:52:04 +02:00
Tim Duesterhus
cbad112a81 REGTESTS: Remove REQUIRE_VERSION=1.5 from all tests
HAProxy 1.5 is EOL, thus this always matches.

1.6 / 1.7 were already removed in:
d8be0018fe (1.6)
1b095cac94 (1.7)
2021-08-25 21:38:38 +02:00
Remi Tricot-Le Breton
74f6ab6e87 MEDIUM: ssl: Keep a reference to the client's certificate for use in logs
Most of the SSL sample fetches related to the client certificate were
based on the SSL_get_peer_certificate function which returns NULL when
the verification process failed. This made it impossible to use those
fetches in a log format since they would always be empty.

The patch adds a reference to the X509 object representing the client
certificate in the SSL structure and makes use of this reference in the
fetches.

The reference can only be obtained in ssl_sock_bind_verifycbk which
means that in case of an SSL error occurring before the verification
process ("no shared cipher" for instance, which happens while processing
the Client Hello), we won't ever start the verification process and it
will be impossible to get information about the client certificate.

This patch also allows most of the ssl_c_XXX fetches to return a usable
value in case of connection failure (because of a verification error for
instance) by making the "conn->flags & CO_FL_WAIT_XPRT" test (which
requires a connection to be established) less strict.

Thanks to this patch, a log-format such as the following should return
usable information in case of an error occurring during the verification
process :
    log-format "DN=%{+Q}[ssl_c_s_dn] serial=%[ssl_c_serial,hex] \
                hash=%[ssl_c_sha1,hex]"

It should answer to GitHub issue #693.
2021-08-19 23:26:05 +02:00
William Lallemand
56f1f75715 MINOR: log: rename 'dontloglegacyconnerr' to 'log-error-via-logformat'
Rename the 'dontloglegacyconnerr' option to 'log-error-via-logformat'
which is much more self-explanatory and readable.

Note: only legacy keywords don't use hyphens, it is recommended to
separate words with them in new keywords.
2021-08-02 10:42:42 +02:00
William Lallemand
4f59c67c4f REGTESTS: ssl: ssl_errors.vtc does not work with old openssl version
Disable the new ssl_errors.vtc reg-tests because in does not work
correctly on the CI since it requires a version of OpenSSL which is
compatible with TLSv1.3 and the ciphersuites keyword.
2021-07-29 16:00:24 +02:00
Remi Tricot-Le Breton
54f63836d2 REGTESTS: ssl: Add tests for the connection and SSL error fetches
This reg-test checks that the connection and SSL sample fetches related
to errors are functioning properly. It also tests the proper behaviour
of the default HTTPS log format and of the log-legacy-conn-error option
which enables or disables the output of a special error message in case
of connection failure (otherwise a line following the configured
log-format is output).
2021-07-29 15:40:45 +02:00
Remi Tricot-Le Breton
0498fa4059 BUG/MINOR: ssl: Default-server configuration ignored by server
When a default-server line specified a client certificate to use, the
frontend would not take it into account and create an empty SSL context,
which would raise an error on the backend side ("peer did not return a
certificate").

This bug was introduced by d817dc733e in
which the SSL contexts are created earlier than before (during the
default-server line parsing) without setting it in the corresponding
server structures. It then made the server create an empty SSL context
in ssl_sock_prepare_srv_ctx because it thought it needed one.

It was raised on redmine, in Bug #3906.

It can be backported to 2.4.
2021-07-13 18:35:38 +02:00
Tim Duesterhus
4ee192f072 REGTESTS: Replace REQUIRE_BINARIES with 'command -v'
This migrates the tests to the native `feature cmd` functionality of VTest.
2021-06-17 14:59:55 +02:00
Tim Duesterhus
c9570483b0 REGTESTS: Replace REQUIRE_OPTIONS with 'haproxy -cc' for 2.5+ tests
This migrates the tests for HAProxy versions that support '-cc' to the native
VTest functionality.
2021-06-17 14:59:55 +02:00
Tim Duesterhus
5efc48dcf1 REGTESTS: Replace REQUIRE_VERSION=2.5 with 'haproxy -cc'
This is safe, because running `haproxy -cc 'version_atleast(2.5-dev0)'` on
HAProxy 2.4 will also result in an exit code of 1.
2021-06-17 14:59:55 +02:00
Tim Duesterhus
d8be0018fe REGTESTS: Remove REQUIRE_VERSION=1.6 from all tests
HAProxy 1.6 is EOL, thus this always matches.
2021-06-11 19:21:28 +02:00
William Lallemand
0061323114 REGTESTS: ssl: show_ssl_ocspresponce.vtc is broken with BoringSSL
The `show ssl ocsp-response` feature is not available with BoringSSL,
but we don't have a way to disable this feature only with boringSSL on
the CI. Disable the reg-test until we do.
2021-06-11 10:03:08 +02:00
Remi Tricot-Le Breton
2a77c62c18 REGTESTS: ssl: Add "show ssl ocsp-response" test
This file adds tests for the new "show ssl ocsp-response" command and
the new "show ssl cert foo.pem.ocsp" and "show ssl cert *foo.pem.ocsp"
special cases. They are all used to display information about an OCSP
response, committed or not.
2021-06-10 16:44:11 +02:00
Tim Duesterhus
a9334df5a9 CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests
The legacy HTTP subsystem has been removed. HTX is always enabled.
2021-06-04 15:41:21 +02:00
Remi Tricot-Le Breton
a3b2e099c2 REGTESTS: ssl: Add "set/commit ssl crl-file" test
This file adds tests for the new "set ssl crl-file" and "commit ssl
crl-file" commands which allow the hot update of CRL file through CLI
commands.
2021-05-17 10:50:24 +02:00
Remi Tricot-Le Breton
f615070bcc REGTESTS: ssl: Add "new/del ssl crl-file" tests
This vtc tests the "new ssl crl-file" which allows to create a new empty
CRL file that can then be set through a "set+commit ssl crl-file"
command pair. It also tests the "del ssl crl-file" command which allows
to delete an unused CRL file.
2021-05-17 10:50:24 +02:00
Remi Tricot-Le Breton
efcc5b28d1 REGTESTS: ssl: Add "new/del ssl ca-file" tests
This vtc tests the "new ssl ca-file" which allows to create a new empty
CA file that can then be set through a "set+commit ssl ca-file" command
pair. It also tests the "del ssl ca-file" command which allows to delete
an unused CA file.
2021-05-17 10:50:24 +02:00
Remi Tricot-Le Breton
2a22e16cb8 MEDIUM: ssl: Add "show ssl ca-file" CLI command
This patch adds the "show ssl ca-file [<cafile>[:index]]" CLI command.
This command can be used to display the list of all the known CA files
when no specific file name is specified, or to display the details of a
specific CA file when a name is given. If an index is given as well, the
command will only display the certificate having the specified index in
the CA file (if it exists).
The details displayed for each certificate are the same as the ones
showed when using the "show ssl cert" command on a single certificate.

This fixes a subpart of GitHub issue #1057.
2021-05-17 10:50:24 +02:00
Remi Tricot-Le Breton
d5fd09d339 MINOR: ssl: Add "abort ssl ca-file" CLI command
The "abort" command aborts an ongoing transaction started by a "set ssl
ca-file" command. Since the updated CA file data is not pushed into the
cafile tree until a "commit ssl ca-file" call is performed, the abort
command simply clears the new cafile_entry that was stored in the
cafile_transaction.

This fixes a subpart of GitHub issue #1057.
2021-05-17 10:50:24 +02:00
Remi Tricot-Le Breton
2db6101ed7 REGTESTS: ssl: Add new ca-file update tests
This vtc tests the "set ssl ca-file" and "commit ssl ca-file" cli
commands. Those commands allow the hot update of CA files through cli
commands.
2021-05-17 10:50:24 +02:00
William Lallemand
a1e832b867 REGTESTS: ssl: mark set_ssl_cert_bundle.vtc as broken
set_ssl_cert_bundle.vtc requires at least OpenSSL 1.1.0 and we don't
have any way to check this when launching the reg-tests suite.

Mark the reg-test as broken since it will fails on old versions of
openSSL and libreSSL.
2021-04-02 17:13:55 +02:00
William Lallemand
35201833aa REGTESTS: ssl: "set ssl cert" and multi-certificates bundle
This test loads a configuration which uses multi-certificates bundle and
tries to change them over the CLI.

Could be backported as far as 2.2, however the 2.2 version must be
adapted to commit the bundle and not each certificate individually.
2021-04-02 15:47:17 +02:00
Remi Tricot-Le Breton
bc2c386992 BUG/MINOR: ssl: Prevent removal of crt-list line if the instance is a default one
If the first active line of a crt-list file is also the first mentioned
certificate of a frontend that does not have the strict-sni option
enabled, then its certificate will be used as the default one. We then
do not want this instance to be removable since it would make a frontend
lose its default certificate.
Considering that a crt-list file can be used by multiple frontends, and
that its first mentioned certificate can be used as default certificate
for only a subset of those frontends, we do not want the line to be
removable for some frontends and not the others. So if any of the ckch
instances corresponding to a crt-list line is a default instance, the
removal of the crt-list line will be forbidden.

It can be backported as far as 2.2.
2021-03-26 13:06:39 +01:00
Remi Tricot-Le Breton
8218aed90e BUG/MINOR: ssl: Fix update of default certificate
The default SSL_CTX used by a specific frontend is the one of the first
ckch instance created for this frontend. If this instance has SNIs, then
the SSL context is linked to the instance through the list of SNIs
contained in it. If the instance does not have any SNIs though, then the
SSL_CTX is only referenced by the bind_conf structure and the instance
itself has no link to it.
When trying to update a certificate used by the default instance through
a cli command, a new version of the default instance was rebuilt but the
default SSL context referenced in the bind_conf structure would not be
changed, resulting in a buggy behavior in which depending on the SNI
used by the client, he could either use the new version of the updated
certificate or the original one.

This patch adds a reference to the default SSL context in the default
ckch instances so that it can be hot swapped during a certificate
update.

This should fix GitHub issue #1143.

It can be backported as far as 2.2.
2021-03-26 13:06:29 +01:00
Remi Tricot-Le Breton
fb00f31af4 BUG/MINOR: ssl: Prevent disk access when using "add ssl crt-list"
If an unknown CA file was first mentioned in an "add ssl crt-list" CLI
command, it would result in a call to X509_STORE_load_locations which
performs a disk access which is forbidden during runtime. The same would
happen if a "ca-verify-file" or "crl-file" was specified. This was due
to the fact that the crt-list file parsing and the crt-list related CLI
commands parsing use the same functions.
The patch simply adds a new parameter to all the ssl_bind parsing
functions so that they know if the call is made during init or by the
CLI, and the ssl_store_load_locations function can then reject any new
cafile_entry creation coming from a CLI call.

It can be backported as far as 2.2.
2021-03-23 19:29:46 +01:00
William Lallemand
e0de0a6b32 MINOR: ssl/cli: flush the server session cache upon 'commit ssl cert'
Flush the SSL session cache when updating a certificate which is used on a
server line. This prevent connections to be established with a cached
session which was using the previous SSL_CTX.

This patch also replace the ha_barrier with a thread_isolate() since there
are more operations to do. The reg-test was also updated to remove the
'no-ssl-reuse' keyword which is now uneeded.
2021-02-03 18:51:01 +01:00
William Lallemand
8695ce0bae BUG/MEDIUM: ssl/cli: abort ssl cert is freeing the old store
The "abort ssl cert" command is buggy and removes the current ckch store,
and instances, leading to SNI removal. It must only removes the new one.

This patch also adds a check in set_ssl_cert.vtc and
set_ssl_server_cert.vtc.

Must be backported as far as 2.2.
2021-02-01 17:58:21 +01:00
William Lallemand
ff97edac3e REGTESTS: set_ssl_server_cert: cleanup the SSL caching option
Replace the tune.ssl.cachesize 0 and the no-tls-tickets by a
no-ssl-reuse option on the server line.
2021-02-01 14:57:31 +01:00
William Lallemand
a870a9cfdb REGTESTS: set_ssl_server_cert.vtc: remove SSL caching and set as working
In a previous commit this test was disabled because I though the
feature was broken, but in fact this is the test which is broken.

Indeed the connection between the server and the client was not
renegociated and was using the SSL cache or a ticket. To be work
correctly these 2 features must be disabled or a new connection must be
established after the ticket timeout, which is too long for a regtest.

Also a "nbthread 1" was added as it was easier to reproduce the problem
with it.
2021-02-01 14:50:17 +01:00
William Lallemand
e814321287 REGTESTS: set_ssl_server_cert.vtc: set as broken
It looks like this test is broken with a low nbthread value (1 for
example). Disable this test in the CI until the problem is solved.
2021-01-28 18:08:36 +01:00
William Lallemand
7b79424c05 REGTESTS: set_ssl_server_cert.vtc: check the sha1 from the server
Check the sha1 from the server side with the sample ssl_c_sha1 sample
fetch in order to evict a possible problem with "show/set ssl cert".
2021-01-28 16:00:22 +01:00
William Lallemand
7e69637ac5 REGTESTS: set_ssl_server_cert.vtc: check the Sha1 Fingerprint
Check the sha1 fingerprint once the certificate was changed with "show
ssl cert". This way the test is more reliable.
2021-01-28 15:11:59 +01:00
William Lallemand
8788c6ff13 REGTESTS: set_ssl_server_cert.vtc: remove the abort command
Temporarily remove the abort command as it seems to cause problems when
trying to do a "show ssl cert" after it.
2021-01-28 15:04:03 +01:00
Remi Tricot-Le Breton
f3eedfe195 MEDIUM: ssl: Enable backend certificate hot update
When trying to update a backend certificate, we should find a
server-side ckch instance thanks to which we can rebuild a new ssl
context and a new ckch instance that replace the previous ones in the
server structure. This way any new ssl session will be built out of the
new ssl context and the newly updated certificate.

This resolves a subpart of GitHub issue #427 (the certificate part)
2021-01-26 15:19:36 +01:00