konevsa/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
haproxy/reg-tests/ssl/ssl_errors.vtc
Remi Tricot-Le Breton 74f6ab6e87 MEDIUM: ssl: Keep a reference to the client's certificate for use in logs 
Most of the SSL sample fetches related to the client certificate were
based on the SSL_get_peer_certificate function which returns NULL when
the verification process failed. This made it impossible to use those
fetches in a log format since they would always be empty.

The patch adds a reference to the X509 object representing the client
certificate in the SSL structure and makes use of this reference in the
fetches.

The reference can only be obtained in ssl_sock_bind_verifycbk which
means that in case of an SSL error occurring before the verification
process ("no shared cipher" for instance, which happens while processing
the Client Hello), we won't ever start the verification process and it
will be impossible to get information about the client certificate.

This patch also allows most of the ssl_c_XXX fetches to return a usable
value in case of connection failure (because of a verification error for
instance) by making the "conn->flags & CO_FL_WAIT_XPRT" test (which
requires a connection to be established) less strict.

Thanks to this patch, a log-format such as the following should return
usable information in case of an error occurring during the verification
process :
    log-format "DN=%{+Q}[ssl_c_s_dn] serial=%[ssl_c_serial,hex] \
                hash=%[ssl_c_sha1,hex]"

It should answer to GitHub issue #693.
2021-08-19 23:26:05 +02:00

259 lines
8.7 KiB
Plaintext
Raw Blame History

#REGTEST_TYPE=broken
# This reg-test checks that the connection and SSL sample fetches related to
# errors are functioning properly. It also tests the proper behaviour of the
# default HTTPS log format and of the log-error-via-logformat option which enables
# or disables the output of a special error message in case of connection
# failure (otherwise a line following the configured log-format is output).
#
# It works by sending request through three different paths, one using a custom
# log-format line that contains the connection error and SSL handshake error
# sample fetches, one using the default HTTPS log-format and one using the
# legacy error log format.
#
# The output log lines are caught by syslog blocks (one for each path) and
# compared to an expected format.
# Since the syslog is not by design synchronized with the Varnish clients and
# servers, synchronization is achieved through barriers, which ensure that
# syslog messages arrive in the right order.
#
# In order to ensure that the log line raised in case of connection error if
# the log-error-via-logformat option is disabled still follows the
# log-separate-error option, the log lines raised by the https_fmt_lst listener
# will be sent to two separate syslog servers.
#
varnishtest "Test the connection and SSL error fetches."
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev2)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature cmd "command -v socat"
feature ignore_unknown_macro
server s1 -repeat 3 {
rxreq
txresp
} -start
barrier b1 cond 4 -cyclic
syslog Slg_cust_fmt -level info {
recv
expect ~ ".*conn_status:\"0:Success\" hsk_err:\"0:-\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
barrier b1 sync
recv
expect ~ ".*conn_status:\"30:SSL client CA chain cannot be verified\" hsk_err:\"337100934:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
barrier b1 sync
recv
expect ~ ".*conn_status:\"31:SSL client certificate not trusted\" hsk_err:\"337100934:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
barrier b1 sync
# In case of an error occuring before the certificate verification process,
# the client certificate chain is never parsed and verified so we can't
# have information about the client's certificate.
recv
expect ~ ".*conn_status:\"34:SSL handshake failure\" hsk_err:\"337678529:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher\" CN=\"\",serial=-,hash=-"
} -start
syslog Slg_https_fmt -level info {
recv
expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/s1.*0/0000000000000000/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384"
barrier b1 sync
} -start
syslog Slg_https_fmt_err -level info {
recv
expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*30/000000001417C086/0/2 TLSv1.3/TLS_AES_256_GCM_SHA384"
barrier b1 sync
recv
expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*31/000000001417C086/20/0 TLSv1.3/TLS_AES_256_GCM_SHA384"
barrier b1 sync
recv
expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*34/00000000142090C1/0/0 TLSv1.3/\\(NONE\\)"
} -start
syslog Slg_logconnerror -level info {
recv
expect ~ ".*logconnerror_ssl_lst~ logconnerror_ssl_lst/s1"
barrier b1 sync
recv
expect ~ ".*logconnerror_ssl_lst/1: SSL client CA chain cannot be verified"
barrier b1 sync
recv
expect ~ ".*logconnerror_ssl_lst/1: SSL client certificate not trusted"
barrier b1 sync
recv
expect ~ ".*logconnerror_ssl_lst/1: SSL handshake failure"
} -start
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults
timeout connect 100ms
timeout client 1s
timeout server 1s
retries 0
listen clear_lst
bind "fd@${clearlst}"
default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse
balance roundrobin
server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
server https_fmt "${tmpdir}/https_logfmt_ssl.sock"
server logconnerror "${tmpdir}/logconnerror_ssl.sock"
listen clear_wrong_ciphers_lst
bind "fd@${wrongcipherslst}"
default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse ciphersuites "TLS_AES_128_GCM_SHA256"
balance roundrobin
server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
server https_fmt "${tmpdir}/https_logfmt_ssl.sock"
server logconnerror "${tmpdir}/logconnerror_ssl.sock"
listen cust_logfmt_ssl_lst
log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0
option log-error-via-logformat
mode http
log-format "conn_status:\"%[fc_conn_err]:%[fc_conn_err_str]\" hsk_err:\"%[ssl_fc_hsk_err]:%[ssl_fc_hsk_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
server s1 ${s1_addr}:${s1_port}
listen https_logfmt_ssl_lst
log ${Slg_https_fmt_addr}:${Slg_https_fmt_port} local0 info
log ${Slg_https_fmt_err_addr}:${Slg_https_fmt_err_port} local0 err info
option log-error-via-logformat
option log-separate-errors
mode http
option httpslog
bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
server s1 ${s1_addr}:${s1_port}
listen logconnerror_ssl_lst
log ${Slg_logconnerror_addr}:${Slg_logconnerror_port} local0 info
mode http
option httplog
bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
server s1 ${s1_addr}:${s1_port}
} -start
# The three following requests should all succeed
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
} -run
client c2 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
} -run
client c3 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
} -run
barrier b1 sync
# Change the root CA in the frontends
shell {
printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
}
client c4 -connect ${h1_clearlst_sock} {
txreq
} -run
client c5 -connect ${h1_clearlst_sock} {
txreq
} -run
client c6 -connect ${h1_clearlst_sock} {
txreq
} -run
barrier b1 sync
# Restore the root CA
shell {
printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
}
# Change the intermediate CA in the frontends
shell {
printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
}
client c7 -connect ${h1_clearlst_sock} {
txreq
} -run
client c8 -connect ${h1_clearlst_sock} {
txreq
} -run
client c9 -connect ${h1_clearlst_sock} {
txreq
} -run
barrier b1 sync
# Restore the intermediate CA in the frontends
shell {
printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
}
# "No shared cipher" errors
client c10 -connect ${h1_wrongcipherslst_sock} {
txreq
} -run
client c11 -connect ${h1_wrongcipherslst_sock} {
txreq
} -run
client c12 -connect ${h1_wrongcipherslst_sock} {
txreq
} -run
syslog Slg_cust_fmt -wait
syslog Slg_https_fmt -wait
syslog Slg_https_fmt_err -wait
syslog Slg_logconnerror -wait
Reference in New Issue View Git Blame Copy Permalink