Bug #11135
openHAproxy OCSP reponse crontab bug
Status: Feedback
Priority: High
Assignee: Viktor Gurov
Category: haproxy
Target version: -
Start date: 12/06/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.5.x
Affected Plus Version:
Affected Architecture: All
Description
Context: I have been using pfSense 2.5.0 development snapshots to get TLS 1.3 support.
I have noticed that the OCSP job for fetching responses doesn't work as is, because some arguments are not passed properly (maybe a quirk of OpenSSL 1.1.1?):
--- /tmp/zshQe3qFR 2020-12-06 16:52:48.594109038 +0900
+++ /tmp/zshaxINMU 2020-12-06 16:52:48.802102959 +0900
@@ -1412,21 +1412,21 @@
function haproxy_updateocsp_one($socketupdate, $filename, $name) {
if (file_exists("{$filename}.ocsp")) {
// If the .ocsp file exists we want to use ocsp
syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}.. ");
$ocsp_url = haproxy_getocspurl($filename);
$ocsp_host = parse_url($ocsp_url, PHP_URL_HOST);
if (empty($ocsp_url)) {
// If cert does not have a ocsp_uri, it cannot be updated..
syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri");
} else {
- $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+ $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host={$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
if ($socketupdate) {
$ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp"));
$r = haproxy_socket_command("set ssl ocsp-response $ocspresponse");
if ($r[0] == "OCSP Response updated!\n") {
syslog(LOG_NOTICE, "HAProxy OCSP socket update successful for frontend {$name}..result: ".$retval);
} else {
syslog(LOG_ERR, "HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: {$name}");
}
} else {
syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}..result: ".$retval);
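Review bot: the `+` line corrects the `-header Host={$ocsp_host}` form for OpenSSL 1.1.1, but the block still pushes whatever ends up in `{$filename}.ocsp` over the stats socket regardless of whether `openssl ocsp` succeeded: `$err` is never tested before `file_get_contents("{$filename}.ocsp")`, which is exactly how the empty `.ocsp` files described in this report reached HAProxy. Suggest checking `$err !== 0 || filesize("{$filename}.ocsp") === 0`, logging with `syslog(LOG_ERR, ...)` and returning before the `if ($socketupdate)` branch. Separately, `{$ocsp_url}`, `{$ocsp_host}` and `{$filename}` are interpolated into the `exec()` string unquoted; each should go through `escapeshellarg()`. Note also that the follow-up comment shows the `Host=` form is rejected by OpenSSL 1.0.2, so this line alone would break the job on pfSense releases still shipping 1.0.2.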
If I do not apply this fix, I get:
- An error on HAproxy configuration reloading with empty OCSP responses (which, when checking under /var/etc/haproxy, are all empty *.ocsp files):
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
- An error with the cron job (/etc/rc.haproxy_ocsp.sh) doing the daily reload:
Dec 6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: SSLServices
Dec 6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: SSLServices
Dec 6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: SSLServices
Dec 6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: SSLServices
Dec 6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: SSLServices
The code above, before the fix, generates this command:
# for filename in /var/etc/haproxy/*/*.pem ; do ocsp_url=`openssl x509 -noout -ocsp_uri -in $filename`; ocsp_host=`php -r "print parse_url('$ocsp_url', PHP_URL_HOST);"`; openssl ocsp -issuer $filename.issuer -verify_other $filename.issuer -cert $filename -url "$ocsp_url" -header Host "$ocsp_host" ; done
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.
My fix (passing the header as "Host=$ocsp_host") yields this output:
- Test shell script:
# for filename in /var/etc/haproxy/*.pem /var/etc/haproxy/*/*.pem ; do ocsp_url=`openssl x509 -noout -ocsp_uri -in $filename`; ocsp_host=`php -r "print parse_url('$ocsp_url', PHP_URL_HOST);"`; openssl ocsp -issuer $filename.issuer -verify_other $filename.issuer -cert $filename -url "$ocsp_url" -header Host="$ocsp_host" ; done
WARNING: no nonce in response
Response verify OK
/var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
    This Update: Dec 4 19:00:00 2020 GMT
    Next Update: Dec 11 19:00:00 2020 GMT
WARNING: no nonce in response
Response verify OK
/var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
    This Update: Dec 5 08:00:00 2020 GMT
    Next Update: Dec 12 08:00:00 2020 GMT
WARNING: no nonce in response
Response verify OK
/var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
    This Update: Dec 5 10:00:00 2020 GMT
    Next Update: Dec 12 10:00:00 2020 GMT
WARNING: no nonce in response
Response verify OK
/var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
    This Update: Dec 5 11:00:00 2020 GMT
    Next Update: Dec 12 11:00:00 2020 GMT
- Cron job:
Dec 6 16:48:41 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:48:41 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 11 19:00:00 2020 GMT
Dec 6 16:48:41 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 11 19:00:00 2020 GMT
Dec 6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 08:00:00 2020 GMT
Dec 6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 11:00:00 2020 GMT
Dec 6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:48:43 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 10:00:00 2020 GMT
- HAproxy reload (which also forces an OCSP reload) doesn't display the previous error anymore.
Updated by Stéphane Lapie about 4 years ago
Confirmed that the previous code did work with an older version:
- Old OpenSSL:
$ ./bin/openssl.FreeBSD.amd64 version
OpenSSL 1.0.2-chacha (1.0.2k-dev)
  - Old syntax: Works.
$ ./bin/openssl.FreeBSD.amd64 ocsp -noverify -no_nonce -issuer chain.pem -verify_other chain.pem -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org -header Host ocsp.int-x3.letsencrypt.org
cert.pem: good
    This Update: Dec 3 19:00:00 2020 GMT
    Next Update: Dec 10 19:00:00 2020 GMT
  - New syntax: Fails!
$ ./bin/openssl.FreeBSD.amd64 ocsp -noverify -no_nonce -issuer chain.pem -verify_other chain.pem -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org -header Host=ocsp.int-x3.letsencrypt.org
OCSP utility
Usage ocsp [options]
where options are
[...]
- New OpenSSL (current in pfSense 2.5):
$ openssl version
OpenSSL 1.1.1h-freebsd 22 Sep 2020
  - Old syntax: Fails! (The bug I noticed)
$ ./bin/openssl.FreeBSD.amd64 ocsp -noverify -no_nonce -issuer chain.pem -verify_other chain.pem -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org -header Host ocsp.int-x3.letsencrypt.org
Missing = in header key=value
ocsp: Use -help for summary.
  - New syntax: Works.
$ ./bin/openssl.FreeBSD.amd64 ocsp -noverify -no_nonce -issuer chain.pem -verify_other chain.pem -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org -header Host=ocsp.int-x3.letsencrypt.org
cert.pem: good
    This Update: Dec 3 19:00:00 2020 GMT
    Next Update: Dec 10 19:00:00 2020 GMT
This is bad... It means the proper fix is to check either the version of OpenSSL, or of FreeBSD/pfSense beforehand :(
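The version dependency confirmed in this comment (OpenSSL 1.0.2 accepts `-header Host <host>`, OpenSSL 1.1.1 requires `-header Host=<host>`) can be resolved at runtime from `openssl version` rather than from the pfSense release. The following is an added example, not code from the pfSense haproxy package: it picks the header form from the OpenSSL version string, passes every interpolated value through `escapeshellarg()`, and writes the response to a temporary file that is only renamed over `.ocsp` after the exit status and size have been checked, so a failed fetch cannot leave the empty `.ocsp` files seen in the report. The function names `ocsp_header_args`, `ocsp_fetch_command` and `ocsp_fetch` are invented for this example, and treating OpenSSL 1.1.0 like 1.1.1 is an assumption this ticket does not test (only 1.0.2 and 1.1.1 were tried).

```php
<?php
// Added example, not code from pfSense's haproxy.inc. Function names are
// illustrative; the package's own haproxy_updateocsp_one() is not reused.

/**
 * Return the `-header` argument(s) for the installed OpenSSL.
 * The ticket shows 1.0.2 accepting "-header Host <host>" and 1.1.1 requiring
 * "-header Host=<host>". 1.1.0 is not covered by the ticket; it is ASSUMED
 * here to use the 1.1.1 form.
 */
function ocsp_header_args(string $version_output, string $host): array {
    if (!preg_match('/^OpenSSL\s+(\d+\.\d+\.\d+)/', $version_output, $m)) {
        throw new RuntimeException("unrecognised `openssl version` output: {$version_output}");
    }
    return version_compare($m[1], '1.1.0', '>=')
        ? ['-header', "Host={$host}"]   // one-argument key=value form
        : ['-header', 'Host', $host];   // two-argument form for 1.0.2
}

/**
 * Build the `openssl ocsp` command line. Every argument goes through
 * escapeshellarg(), so a URL or path containing shell metacharacters cannot
 * break out of the command. The response goes to $respout, not straight to
 * the live .ocsp file.
 */
function ocsp_fetch_command(string $version_output, string $filename, string $ocsp_url, string $respout): string {
    $host = parse_url($ocsp_url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        throw new InvalidArgumentException("OCSP URI has no host: {$ocsp_url}");
    }
    $argv = array_merge(
        ['openssl', 'ocsp',
         '-issuer', "{$filename}.issuer",
         '-verify_other', "{$filename}.issuer",
         '-cert', $filename,
         '-url', $ocsp_url],
        ocsp_header_args($version_output, $host),
        ['-respout', $respout]
    );
    return implode(' ', array_map('escapeshellarg', $argv)) . ' 2>&1';
}

/**
 * Fetch the OCSP response for one certificate and return it base64-encoded,
 * ready for "set ssl ocsp-response", or null when the fetch failed. The
 * response is written to a temporary file and only renamed over
 * {$filename}.ocsp after the exit status and size check, so HAProxy never
 * loads an empty response file.
 */
function ocsp_fetch(string $filename, string $name): ?string {
    // The OCSP URI comes from the certificate itself (same command as the ticket's test script).
    $ocsp_url = trim((string) shell_exec('openssl x509 -noout -ocsp_uri -in ' . escapeshellarg($filename)));
    if ($ocsp_url === '') {
        syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri ({$name})");
        return null;
    }
    $version = trim((string) shell_exec('openssl version'));
    $tmp = "{$filename}.ocsp.tmp";
    exec(ocsp_fetch_command($version, $filename, $ocsp_url, $tmp), $output, $err);

    // A non-zero exit or an empty response file means the fetch failed; keep
    // the previous .ocsp in place and report the openssl output for diagnosis.
    if ($err !== 0 || !is_file($tmp) || filesize($tmp) === 0) {
        syslog(LOG_ERR, "HAProxy OCSP ERROR fetching response for {$name} (exit {$err}): " . implode(' | ', $output));
        @unlink($tmp);
        return null;
    }
    rename($tmp, "{$filename}.ocsp");
    return base64_encode((string) file_get_contents("{$filename}.ocsp"));
}
```

In the package this would replace the `exec()` call in `haproxy_updateocsp_one()`: call `ocsp_fetch()` for each `.pem`, skip the socket update when it returns null, and otherwise pass the returned string to `haproxy_socket_command("set ssl ocsp-response ...")` as the existing code does.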
Updated by Stéphane Lapie about 4 years ago
A more proper fix would be:
--- /usr/local/pkg/haproxy/haproxy.inc.old 2020-12-06 17:40:35.435898585 +0900
+++ /usr/local/pkg/haproxy/haproxy.inc 2020-12-06 17:40:35.643894088 +0900
@@ -1419,7 +1419,11 @@
// If cert does not have a ocsp_uri, it cannot be updated..
syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri");
} else {
- $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+ if (haproxy_utils::$pf_version < 2.5) { // Required for OpenSSL 1.1.1
+ $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+ } else {
+ $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host={$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+ }
if ($socketupdate) {
$ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp"));
$r = haproxy_socket_command("set ssl ocsp-response $ocspresponse");
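Review bot: the comment `// Required for OpenSSL 1.1.1` is attached to the `< 2.5` branch, which is the one that keeps the old two-argument `Host {$ocsp_host}` form for OpenSSL 1.0.2; move it to the `else` branch or reword it (for example "pfSense < 2.5 ships OpenSSL 1.0.2, which does not accept Host=") so the next reader does not invert the two cases. Keying on `haproxy_utils::$pf_version` ties the check to a distribution detail rather than to the thing that actually changed, and if `$pf_version` holds a version string, comparing it against the float `2.5` relies on PHP's loose string-to-number conversion, whose rules differ between PHP 7 and PHP 8; running `openssl version` once and choosing the form with `version_compare()` would be more robust. Finally, the two `exec()` strings differ only in the `-header` argument, so computing `$hdr = ... ? "Host={$ocsp_host}" : "Host {$ocsp_host}";` and keeping a single `exec()` avoids maintaining the command line twice.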
Updated by Viktor Gurov almost 4 years ago
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho almost 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
Updated by Renato Botelho almost 4 years ago
- Target version deleted (2.5.0)
Do not set target version on package tickets
Updated by Christopher Sutcliff almost 4 years ago
Can this same fix be applied to the regular haproxy package as well as the -devel variant?
Updated by Daniel Kimsey over 3 years ago
I submitted a PR to backport Viktor's changes to the haproxy package as well: https://github.com/pfsense/FreeBSD-ports/pull/1092