Bug #11135
openHAproxy OCSP response crontab bug
Status: Feedback
Priority: High
Assignee: Viktor Gurov
Category: haproxy
Target version: -
Start date: 12/06/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.5.x
Affected Plus Version:
Affected Architecture: All
Description
Context: I have been using pfSense 2.5.0 development snapshots to get TLS 1.3 support.
I have noticed that the OCSP job for fetching responses doesn't work as is, because some arguments are not passed properly (maybe a quirk of OpenSSL 1.1.1?):
--- /tmp/zshQe3qFR 2020-12-06 16:52:48.594109038 +0900
+++ /tmp/zshaxINMU 2020-12-06 16:52:48.802102959 +0900
@@ -1412,21 +1412,21 @@
function haproxy_updateocsp_one($socketupdate, $filename, $name) {
if (file_exists("{$filename}.ocsp")) {
// If the .ocsp file exists we want to use ocsp
syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}.. ");
$ocsp_url = haproxy_getocspurl($filename);
$ocsp_host = parse_url($ocsp_url, PHP_URL_HOST);
if (empty($ocsp_url)) {
// If cert does not have a ocsp_uri, it cannot be updated..
syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri");
} else {
- $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+ $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host={$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
if ($socketupdate) {
$ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp"));
$r = haproxy_socket_command("set ssl ocsp-response $ocspresponse");
if ($r[0] == "OCSP Response updated!\n") {
syslog(LOG_NOTICE, "HAProxy OCSP socket update successful for frontend {$name}..result: ".$retval);
} else {
syslog(LOG_ERR, "HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: {$name}");
}
} else {
syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}..result: ".$retval);
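Review bot: the `+` line corrects the argument form (OpenSSL 1.1.1's `openssl ocsp -header` takes `name=value`, which is why the old `-header Host {$ocsp_host}` fails with the `Missing = in header key=value` error shown below), but the surrounding code still never looks at `$err`: when `exec()` fails, `{$filename}.ocsp` is left empty (the empty `*.ocsp` files the report describes) and the `$socketupdate` branch base64-encodes that empty file and pushes it with `set ssl ocsp-response` regardless, and the reload path later logs `Unable to parse OCSP response` for it. Suggest guarding the socket update and the reload on `$err === 0` and a non-empty `{$filename}.ocsp`, logging `$output` on failure so the real OpenSSL error reaches syslog, and passing `$ocsp_url` and `$ocsp_host` (values taken from the certificate's AIA extension) through `escapeshellarg()` since they are interpolated into the `exec()` string unquoted.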
If I do not apply this fix, I get:
- An error on HAproxy configuration reloading with empty OCSP responses (which, when checking under /var/etc/haproxy, are all empty *.ocsp files):
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
- An error with the cron job (/etc/rc.haproxy_ocsp.sh) doing the daily reload:
Dec 6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: SSLServices
Dec 6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: SSLServices
Dec 6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: SSLServices
Dec 6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: SSLServices
Dec 6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: SSLServices
The code above, before the fix, generates this command:
# for filename in /var/etc/haproxy/*/*.pem ; do ocsp_url=`openssl x509 -noout -ocsp_uri -in $filename`; ocsp_host=`php -r "print parse_url('$ocsp_url', PHP_URL_HOST);"`; openssl ocsp -issuer $filename.issuer -verify_other $filename.issuer -cert $filename -url "$ocsp_url" -header Host "$ocsp_host" ; done
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.
My fix (passing the header as "Host=$ocsp_host") yields this output:
- Test shell script:
# for filename in /var/etc/haproxy/*.pem /var/etc/haproxy/*/*.pem ; do ocsp_url=`openssl x509 -noout -ocsp_uri -in $filename`; ocsp_host=`php -r "print parse_url('$ocsp_url', PHP_URL_HOST);"`; openssl ocsp -issuer $filename.issuer -verify_other $filename.issuer -cert $filename -url "$ocsp_url" -header Host="$ocsp_host" ; done
WARNING: no nonce in response
Response verify OK
/var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
This Update: Dec 4 19:00:00 2020 GMT
Next Update: Dec 11 19:00:00 2020 GMT
WARNING: no nonce in response
Response verify OK
/var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
This Update: Dec 5 08:00:00 2020 GMT
Next Update: Dec 12 08:00:00 2020 GMT
WARNING: no nonce in response
Response verify OK
/var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
This Update: Dec 5 10:00:00 2020 GMT
Next Update: Dec 12 10:00:00 2020 GMT
WARNING: no nonce in response
Response verify OK
/var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
This Update: Dec 5 11:00:00 2020 GMT
Next Update: Dec 12 11:00:00 2020 GMT
- Cron job:
Dec 6 16:48:41 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:48:41 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 11 19:00:00 2020 GMT
Dec 6 16:48:41 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 11 19:00:00 2020 GMT
Dec 6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 08:00:00 2020 GMT
Dec 6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 11:00:00 2020 GMT
Dec 6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices..
Dec 6 16:48:43 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 10:00:00 2020 GMT
- HAproxy reload (which also forces an OCSP reload) doesn't display the previous error anymore.