Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSL "Verify Optional" certificate authentication stops working and serves up pages without certificate. #248

Closed
mister2d opened this issue Sep 2, 2019 · 1 comment

Comments

@mister2d
Copy link

commented Sep 2, 2019

Output of haproxy -vv and uname -a

/ # haproxy -vv
HA-Proxy version 2.0.5 2019/08/16 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.1.1c  28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c  28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.33 2019-04-16
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services :
        prometheus-exporter

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace
/ # uname -a
Linux 5c7777e1ea30 4.12.14-lp150.12.67-default #1 SMP Tue Jul 9 08:18:26 UTC 2019 (b610084) x86_64 Linux

What's the configuration?

global
  ssl-default-bind-options ssl-min-ver TLSv1.2
  tune.ssl.default-dh-param 2048
  nbproc 1
  nbthread 1

defaults
  mode http
  timeout connect 5s
  timeout client 5s
  timeout server 5s

frontend myfrontend
  bind :443 ssl crt /certs/cert.pem verify optional ca-file /certs/ca.pem
  bind :80
  acl host_haproxy hdr(host) -i localhost.localdomain
  http-request deny if host_haproxy !{ ssl_fc_has_crt } || !{ ssl_c_verify 0 }
  default_backend apache

backend apache
  server apache apache:80 check

Steps to reproduce the behavior

  1. Start Apache.
  2. Start HAProxy.
  3. Run curl -k https://localhost.localdomain in a loop and the HTTP response is 403 Forbidden every single time.
  4. Open browser on another client against https://localhost.localdomain and receive 403 Forbidden.
  5. Run curl --cacert ./ca.pem --key ./key.pem --cert ./cert.pem https://localhost.localdomain -- the web page gets served successfully with "It works!" HTML page.
  6. Run curl -k https://localhost.localdomain and the web page gets successfully served.
  7. Open browser on another client against https://localhost.localdomain and the web page gets successfully served.
  8. Issue restart of HAProxy and cycle starts over again.

Actual behavior

HAProxy is allowing subsequent get requests from multiple clients after a client offers up a certificate for authentication.

Expected behavior

I expect HAProxy to block access to the apache website every time a client certificate is not presented.

Do you have any idea what may have caused this?

No.

Do you have an idea how to solve the issue?

No.

@capflam

This comment has been minimized.

Copy link
Contributor

commented Sep 13, 2019

FYI, this issue is now fixed (5762a0d) and backported to 2.0. Thanks !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.