Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-3.11] Bug 1758375: fix haproxy reload crash when processing ECDSA keys #23918

Merged
merged 1 commit into from Oct 15, 2019
Merged

[release-3.11] Bug 1758375: fix haproxy reload crash when processing ECDSA keys #23918

merged 1 commit into from Oct 15, 2019

Conversation

Miciah
Copy link
Contributor

@Miciah Miciah commented Oct 4, 2019

This is manual cherry-pick of openshift/router#39.

@openshift-ci-robot
Copy link

@Miciah: This pull request references Bugzilla bug 1758375, which is invalid:

  • expected dependent Bugzilla bug 1723400 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is MODIFIED instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1758375: fix haproxy reload crash when processing ECDSA keys

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 4, 2019
@Miciah Miciah changed the title Bug 1758375: fix haproxy reload crash when processing ECDSA keys [release-3.11] Bug 1758375: fix haproxy reload crash when processing ECDSA keys Oct 4, 2019
@Miciah Miciah force-pushed the BZ1758375-fix-haproxy-reload-crash-when-processing-ECDSA-keys branch from 1d06870 to 287c41e Compare October 4, 2019 02:03
@Miciah
Copy link
Contributor Author

Miciah commented Oct 4, 2019

Reformatted with gofmt from Go 1.10.

@ironcladlou ironcladlou mentioned this pull request Oct 7, 2019
Closed
@ironcladlou
Copy link
Contributor

@Miciah can you update this to use the cert data from openshift/router#43?

@Alveel Alveel mentioned this pull request Oct 7, 2019
Closed
@ironcladlou @Miciah
Bug 1723400: fix haproxy reload crash when processing ECDSA keys
5791c30 
With extended validation enabled, if the router detects an ECDSA private key when processing TLS data,
the sanitized key output is rendered with PEM block headers like:

    -----BEGIN ECDSA PARAMETERS-----
    -----END ECDSA PARAMETERS-----

However, OpenSSL recognizes the following headers for ECDSA keys[1]:

    -----BEGIN EC PARAMETERS-----
    -----END EC PARAMETERS-----

Consequently, when the router provides haproxy with such PEM files through
`crt-list` option, haproxy (which uses OpenSSL) fails to load the key and reload
fails.

The impact is that a Route resource containing an ECDSA key in `.spec.tls.key`
will cause haproxy reloads to crash loop, preventing any further router
processing until the problematic Route is deleted.

This patch ensures that sanitized ECDSA key output follows the OpenSSL
conventions which indirectly apply to haproxy.

[1] https://github.com/openssl/openssl/blob/master/include/openssl/pem.h#L54
@Miciah Miciah force-pushed the BZ1758375-fix-haproxy-reload-crash-when-processing-ECDSA-keys branch from 287c41e to 5791c30 Compare October 7, 2019 17:16
@Miciah
Copy link
Contributor Author

Miciah commented Oct 7, 2019

Updated with newer cert data.

@ironcladlou
Copy link
Contributor

/bugzilla refresh
/lgtm

@openshift-ci-robot openshift-ci-robot added lgtm Indicates that a PR is ready to be merged. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Oct 11, 2019
@openshift-ci-robot
Copy link

@ironcladlou: This pull request references Bugzilla bug 1758375, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

/bugzilla refresh
/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Oct 11, 2019
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ironcladlou, Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 11, 2019
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

7 similar comments
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

1 similar comment
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@Miciah
Copy link
Contributor Author

Miciah commented Oct 11, 2019

/hold
The Jenkins job is continuously failing on an SSH permissions issue.

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 11, 2019
@Miciah
Copy link
Contributor Author

Miciah commented Oct 15, 2019

/test cmd

@Miciah
Copy link
Contributor Author

Miciah commented Oct 15, 2019

Looks like we may be past the SSH permission issue.
/test extended_clusterup
/test end_to_end
/test extended_conformance_install

@Miciah
Copy link
Contributor Author

Miciah commented Oct 15, 2019

CI looks good.
/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 15, 2019
@Miciah
Copy link
Contributor Author

Miciah commented Oct 15, 2019

/refresh

@openshift-merge-robot openshift-merge-robot merged commit 2750201 into openshift:release-3.11 Oct 15, 2019
@openshift-ci-robot
Copy link

@Miciah: All pull requests linked via external trackers have merged. Bugzilla bug 1758375 has been moved to the MODIFIED state.

In response to this:

[release-3.11] Bug 1758375: fix haproxy reload crash when processing ECDSA keys

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Alveel
Copy link

Alveel commented Jan 6, 2020

Hi, any update on this?

We'd like to use ECDSA certificates but this is stopping us from doing so 😄

@Miciah
Copy link
Contributor Author

Miciah commented Jan 6, 2020

What version of OpenShift are you using? This fix is merged and shipped in OCP 3.11.154.

@Alveel
Copy link

Alveel commented Jan 6, 2020

Huh. I was so sure I saw this issue was open, not merged. Maybe I mixed it up with another issue.

Apologies, ignore my previous comment!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knobunc knobunc Awaiting requested review from knobunc

@pweil- pweil- Awaiting requested review from pweil-

Assignees

@ironcladlou ironcladlou

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@Miciah @openshift-ci-robot @ironcladlou @openshift-bot @Alveel @openshift-merge-robot