Bug #11135

open

HAproxy OCSP response crontab bug

Added by Stéphane Lapie over 3 years ago. Updated over 2 years ago.

Status:
Feedback
Priority:
High
Assignee:
Viktor Gurov
Category:
haproxy
Target version:
-
Start date:
12/06/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.5.x
Affected Plus Version:
Affected Architecture:
All

Description

Context: I have been using pfSense 2.5.0 development snapshots to get TLS 1.3 support.

I have noticed that the OCSP job for fetching responses doesn't work as is, because some arguments are not passed properly (maybe a quirk of OpenSSL 1.1.1?):

--- /tmp/zshQe3qFR    2020-12-06 16:52:48.594109038 +0900
+++ /tmp/zshaxINMU    2020-12-06 16:52:48.802102959 +0900
@@ -1412,21 +1412,21 @@
 function haproxy_updateocsp_one($socketupdate, $filename, $name) {
     if (file_exists("{$filename}.ocsp")) {
         // If the .ocsp file exists we want to use ocsp
         syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}.. ");
         $ocsp_url = haproxy_getocspurl($filename);
         $ocsp_host = parse_url($ocsp_url, PHP_URL_HOST);
         if (empty($ocsp_url)) {
             // If cert does not have a ocsp_uri, it cannot be updated..
             syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri");
         } else {
-            $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+            $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host={$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
             if ($socketupdate) {
                 $ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp"));
                 $r = haproxy_socket_command("set ssl ocsp-response $ocspresponse");
                 if ($r[0] == "OCSP Response updated!\n") {
                     syslog(LOG_NOTICE, "HAProxy OCSP socket update successful for frontend {$name}..result: ".$retval);
                 } else {
                     syslog(LOG_ERR, "HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  {$name}");
                 }
             } else {
                 syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}..result: ".$retval);
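Review bot: the exit status that exec() stores in `$err` is never checked before the socket update that follows the changed line, so when `openssl ocsp` fails (as it does on 1.1.1 with the old `-header Host host` form) the code still runs `base64_encode(file_get_contents("{$filename}.ocsp"))` on a stale or empty file and pushes that to `set ssl ocsp-response`, which matches the empty *.ocsp files and "Unable to parse OCSP response" warnings in the report. Suggest guarding the socket update with something like `if ($err !== 0 || filesize("{$filename}.ocsp") === 0) { syslog(LOG_ERR, "HAProxy OCSP fetch failed for {$name}: " . implode(" ", $output)); return; }`, and passing `$ocsp_url` and `$ocsp_host` through escapeshellarg() since both are interpolated unquoted into the shell command. Note also that the `Host={$ocsp_host}` form on the `+` line is rejected by OpenSSL 1.0.2 (see the version comparison in the follow-up comment), so this replacement needs a version guard rather than a straight swap.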

If I do not apply this fix, I get:
  • An error on HAproxy configuration reloading with empty OCSP responses (which, when checking under /var/etc/haproxy, are all empty *.ocsp files):
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    
  • An error with the cron job (/etc/rc.haproxy_ocsp.sh) doing the daily reload:
    Dec  6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  SSLServices
    Dec  6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  SSLServices
    Dec  6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  SSLServices
    Dec  6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  SSLServices
    Dec  6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  SSLServices
    

The code above, before the fix, generates this command:

# for filename in /var/etc/haproxy/*/*.pem ; do ocsp_url=`openssl x509 -noout -ocsp_uri -in $filename`; ocsp_host=`php -r "print parse_url('$ocsp_url', PHP_URL_HOST);"`; openssl ocsp -issuer $filename.issuer -verify_other $filename.issuer -cert $filename -url "$ocsp_url" -header Host "$ocsp_host" ; done
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.

My fix (passing the header as "Host=$ocsp_host") yields this output:
  • Test shell script:
    # for filename in /var/etc/haproxy/*.pem /var/etc/haproxy/*/*.pem ; do ocsp_url=`openssl x509 -noout -ocsp_uri -in $filename`; ocsp_host=`php -r "print parse_url('$ocsp_url', PHP_URL_HOST);"`; openssl ocsp -issuer $filename.issuer -verify_other $filename.issuer -cert $filename -url "$ocsp_url" -header Host="$ocsp_host" ; done
    WARNING: no nonce in response
    Response verify OK
    /var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
        This Update: Dec  4 19:00:00 2020 GMT
        Next Update: Dec 11 19:00:00 2020 GMT
    WARNING: no nonce in response
    Response verify OK
    /var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
        This Update: Dec  5 08:00:00 2020 GMT
        Next Update: Dec 12 08:00:00 2020 GMT
    WARNING: no nonce in response
    Response verify OK
    /var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
        This Update: Dec  5 10:00:00 2020 GMT
        Next Update: Dec 12 10:00:00 2020 GMT
    WARNING: no nonce in response
    Response verify OK
    /var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
        This Update: Dec  5 11:00:00 2020 GMT
        Next Update: Dec 12 11:00:00 2020 GMT
    
  • Cron job:
    Dec  6 16:48:41 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:48:41 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 11 19:00:00 2020 GMT
    Dec  6 16:48:41 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 11 19:00:00 2020 GMT
    Dec  6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 08:00:00 2020 GMT
    Dec  6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 11:00:00 2020 GMT
    Dec  6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:48:43 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 10:00:00 2020 GMT
    
  • HAproxy reload (which also forces an OCSP reload) doesn't display the previous error anymore.
Actions #1

Updated by Stéphane Lapie over 3 years ago

Confirmed that the previous code did work with an older version:
  • Old OpenSSL:
    $ ./bin/openssl.FreeBSD.amd64 version
    OpenSSL 1.0.2-chacha (1.0.2k-dev)
    
    • Old syntax: Works.
      $ ./bin/openssl.FreeBSD.amd64 ocsp -noverify -no_nonce -issuer chain.pem -verify_other chain.pem -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org -header Host ocsp.int-x3.letsencrypt.org
      cert.pem: good
          This Update: Dec  3 19:00:00 2020 GMT
          Next Update: Dec 10 19:00:00 2020 GMT
      
    • New syntax: Fails!
      $ ./bin/openssl.FreeBSD.amd64 ocsp -noverify -no_nonce -issuer chain.pem -verify_other chain.pem -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org -header Host=ocsp.int-x3.letsencrypt.org
      OCSP utility
      Usage ocsp [options]
      where options are
      [...]
      
  • New OpenSSL (current in pfSense 2.5):
    $ openssl version
    OpenSSL 1.1.1h-freebsd  22 Sep 2020
    
    • Old syntax: Fails! (The bug I noticed)
      $ ./bin/openssl.FreeBSD.amd64 ocsp -noverify -no_nonce -issuer chain.pem -verify_other chain.pem -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org -header Host ocsp.int-x3.letsencrypt.org
      Missing = in header key=value
      ocsp: Use -help for summary.
      
    • New syntax: Works.
      $ ./bin/openssl.FreeBSD.amd64 ocsp -noverify -no_nonce -issuer chain.pem -verify_other chain.pem -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org -header Host=ocsp.int-x3.letsencrypt.org
      cert.pem: good
          This Update: Dec  3 19:00:00 2020 GMT
          Next Update: Dec 10 19:00:00 2020 GMT
      

This is bad... It means the proper fix is to check either the version of OpenSSL, or of FreeBSD/pfSense beforehand :(

Actions #2

Updated by Stéphane Lapie over 3 years ago

A more proper fix would be:

--- /usr/local/pkg/haproxy/haproxy.inc.old    2020-12-06 17:40:35.435898585 +0900
+++ /usr/local/pkg/haproxy/haproxy.inc    2020-12-06 17:40:35.643894088 +0900
@@ -1419,7 +1419,11 @@
             // If cert does not have a ocsp_uri, it cannot be updated..
             syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri");
         } else {
-            $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+            if (haproxy_utils::$pf_version < 2.5) { // Required for OpenSSL 1.1.1
+                $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+            } else {
+                $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host={$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+            }
             if ($socketupdate) {
                 $ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp"));
                 $r = haproxy_socket_command("set ssl ocsp-response $ocspresponse");
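Review bot: the comment `// Required for OpenSSL 1.1.1` is attached to the `< 2.5` branch, which is the one that keeps the pre-1.1.1 `Host {$ocsp_host}` form; it belongs on the else branch or should be reworded. The two exec() lines differ only in the header argument, so build that once and keep a single command, e.g. `$hdr = (haproxy_utils::$pf_version < 2.5) ? "Host {$ocsp_host}" : "Host={$ocsp_host}";` followed by one exec() with `-header {$hdr}`. What `$pf_version` holds is not visible in this hunk; if it is a version string such as "2.4.5" rather than a float, compare it with version_compare() instead of `< 2.5`. Keying on the pfSense release is also only a proxy for the real condition, the `-header` syntax of the installed OpenSSL, which could be probed once from `openssl version` and cached.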

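The fetch-and-push procedure from the description and the version-dependent `-header` syntax from comments #1 and #2, as an added shell example that is not the pfSense haproxy package's code: it selects the header form from `openssl version`, builds the command as an argv list instead of an interpolated string, and only replaces the cached `.ocsp` file when the fetched response looks like DER. The 1.1.0 cut-over between the two syntaxes is an assumption drawn from the 1.0.2 vs 1.1.1 results above, and the file layout (cert.pem with cert.pem.issuer and cert.pem.ocsp beside it) follows the ticket.

```shell
#!/bin/sh
# Added example, not code from the pfSense haproxy package. Refreshes one
# certificate's OCSP response with the -header syntax the installed OpenSSL
# accepts, and never replaces a cached .ocsp file with a bad result.

# Print the argv words for the Host header, one per line, for an
# `openssl version` line. OpenSSL 1.0.2 takes "-header Host <host>",
# 1.1.1 takes "-header Host=<host>"; the 1.1.0 cut-over is assumed.
ocsp_header_args() {
    _host=$2
    _ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. 1.1.1h-freebsd
    _major=${_ver%%.*}
    _rest=${_ver#*.}
    _minor=${_rest%%.*}
    if [ "$_major" -gt 1 ] || { [ "$_major" -eq 1 ] && [ "$_minor" -ge 1 ]; }; then
        printf '%s\n' -header "Host=$_host"
    else
        printf '%s\n' -header Host "$_host"
    fi
}

# Succeeds only if $1 is non-empty and starts with the ASN.1 SEQUENCE tag
# (0x30) every DER OCSPResponse begins with; an empty file fails here
# instead of being pushed to HAProxy and rejected on reload.
ocsp_response_ok() {
    [ -s "$1" ] || return 1
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Fetch the response for $1 (PEM cert, with $1.issuer beside it) into a
# temp file and rename it over $1.ocsp only after it validates.
fetch_ocsp() {
    cert=$1
    url=$(openssl x509 -noout -ocsp_uri -in "$cert") || return 1
    [ -n "$url" ] || { echo "no OCSP URI in $cert" >&2; return 1; }
    host=${url#*://}; host=${host%%/*}; host=${host%%:*}   # stands in for PHP parse_url()
    tmp="$cert.ocsp.tmp"
    # Build argv directly: URL and host are never re-parsed by a shell string.
    set -- openssl ocsp -issuer "$cert.issuer" -verify_other "$cert.issuer" \
           -cert "$cert" -url "$url" -respout "$tmp"
    for w in $(ocsp_header_args "$(openssl version)" "$host"); do set -- "$@" "$w"; done
    if ! "$@" >/dev/null || ! ocsp_response_ok "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$cert.ocsp"
}
```

After `fetch_ocsp /var/etc/haproxy/SSLServices/cert.pem` succeeds, the existing `set ssl ocsp-response` socket push can run on a file that is known to be non-empty.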
Actions #4

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
Actions #5

Updated by Renato Botelho about 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions #6

Updated by Renato Botelho about 3 years ago

  • Target version deleted (2.5.0)

Do not set target version on package tickets

Actions #7

Updated by Christopher Sutcliff about 3 years ago

Can this same fix be applied to the regular haproxy package as well as the -devel variant?

Actions #8

Updated by Daniel Kimsey over 2 years ago

I submitted a PR to backport Viktor's changes to the haproxy package as well: https://github.com/pfsense/FreeBSD-ports/pull/1092

Actions #9

Updated by Renato Botelho over 2 years ago

PR has been merged. Thanks!

Actions #10

Updated by Stéphane Lapie over 2 years ago

Thank you!
