Bug #11135

open

HAproxy OCSP response crontab bug

Added by Stéphane Lapie 10 months ago. Updated 15 days ago.

Status:
Feedback
Priority:
High
Assignee:
Category:
haproxy
Target version:
-
Start date:
12/06/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.5.x
Affected Plus Version:
Affected Architecture:
All

Description

Context: I have been using pfSense 2.5.0 development snapshots to get TLS 1.3 support.

I have noticed that the OCSP job for fetching responses doesn't work as is, because some arguments are not passed properly (maybe a quirk of OpenSSL 1.1.1?):

--- /tmp/zshQe3qFR    2020-12-06 16:52:48.594109038 +0900
+++ /tmp/zshaxINMU    2020-12-06 16:52:48.802102959 +0900
@@ -1412,21 +1412,21 @@
 function haproxy_updateocsp_one($socketupdate, $filename, $name) {
     if (file_exists("{$filename}.ocsp")) {
         // If the .ocsp file exists we want to use ocsp
         syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}.. ");
         $ocsp_url = haproxy_getocspurl($filename);
         $ocsp_host = parse_url($ocsp_url, PHP_URL_HOST);
         if (empty($ocsp_url)) {
             // If cert does not have a ocsp_uri, it cannot be updated..
             syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri");
         } else {
-            $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+            $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host={$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
             if ($socketupdate) {
                 $ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp"));
                 $r = haproxy_socket_command("set ssl ocsp-response $ocspresponse");
                 if ($r[0] == "OCSP Response updated!\n") {
                     syslog(LOG_NOTICE, "HAProxy OCSP socket update successful for frontend {$name}..result: ".$retval);
                 } else {
                     syslog(LOG_ERR, "HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  {$name}");
                 }
             } else {
                 syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}..result: ".$retval);
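Review bot: the exit status `$err` returned by exec() is never consulted before `{$filename}.ocsp` is read and pushed with `set ssl ocsp-response`, so when openssl fails (as it does on 1.1.1 with `Missing = in header key=value`) the empty `-respout` file is base64-encoded and sent anyway, and the only signal is the socket's rejection; guard the socket update with `if ($err === 0 && filesize("{$filename}.ocsp") > 0)` and log `$output` in the else branch. The change to `-header Host={$ocsp_host}` matches the key=value form the OpenSSL 1.1.1 ocsp app expects; while here, `$ocsp_url` and `$ocsp_host` are taken from the certificate's OCSP URI and interpolated into the shell string unquoted, so wrap both in escapeshellarg().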

If I do not apply this fix, I get:
  • An error on HAproxy configuration reloading with empty OCSP responses (which, when checking under /var/etc/haproxy, are all empty *.ocsp files):
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    [WARNING] 340/165604 (57457) : Loading: Unable to parse OCSP response. Content will be ignored.
    
  • An error with the cron job (/etc/rc.haproxy_ocsp.sh) doing the daily reload:
    Dec  6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  SSLServices
    Dec  6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  SSLServices
    Dec  6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  SSLServices
    Dec  6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  SSLServices
    Dec  6 16:44:37 lb1 php[52619]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:44:37 lb1 php[52619]: HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  SSLServices
    

The code above, before the fix, generates this command:

# for filename in /var/etc/haproxy/*/*.pem ; do ocsp_url=`openssl x509 -noout -ocsp_uri -in $filename`; ocsp_host=`php -r "print parse_url('$ocsp_url', PHP_URL_HOST);"`; openssl ocsp -issuer $filename.issuer -verify_other $filename.issuer -cert $filename -url "$ocsp_url" -header Host "$ocsp_host" ; done
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.
Missing = in header key=value
ocsp: Use -help for summary.


My fix (passing the header as "Host=$ocsp_host") yields this output:
  • Test shell script:
    # for filename in /var/etc/haproxy/*.pem /var/etc/haproxy/*/*.pem ; do ocsp_url=`openssl x509 -noout -ocsp_uri -in $filename`; ocsp_host=`php -r "print parse_url('$ocsp_url', PHP_URL_HOST);"`; openssl ocsp -issuer $filename.issuer -verify_other $filename.issuer -cert $filename -url "$ocsp_url" -header Host="$ocsp_host" ; done
    WARNING: no nonce in response
    Response verify OK
    /var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
        This Update: Dec  4 19:00:00 2020 GMT
        Next Update: Dec 11 19:00:00 2020 GMT
    WARNING: no nonce in response
    Response verify OK
    /var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
        This Update: Dec  5 08:00:00 2020 GMT
        Next Update: Dec 12 08:00:00 2020 GMT
    WARNING: no nonce in response
    Response verify OK
    /var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
        This Update: Dec  5 10:00:00 2020 GMT
        Next Update: Dec 12 10:00:00 2020 GMT
    WARNING: no nonce in response
    Response verify OK
    /var/etc/haproxy/SSLServices/SSLServices_<...>.pem: good
        This Update: Dec  5 11:00:00 2020 GMT
        Next Update: Dec 12 11:00:00 2020 GMT
    
  • Cron job:
    Dec  6 16:48:41 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:48:41 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 11 19:00:00 2020 GMT
    Dec  6 16:48:41 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 11 19:00:00 2020 GMT
    Dec  6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 08:00:00 2020 GMT
    Dec  6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:48:42 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 11:00:00 2020 GMT
    Dec  6 16:48:42 lb1 php[29104]: HAProxy Retrieving OCSP for frontend SSLServices.. 
    Dec  6 16:48:43 lb1 php[29104]: HAProxy OCSP socket update successful for frontend SSLServices..result: \x09Next Update: Dec 12 10:00:00 2020 GMT
    
  • HAproxy reload (which also forces an OCSP reload) doesn't display the previous error anymore.
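A fail-closed version of the fetch step, added here as an illustration and not the pfSense package's own code: it builds the OpenSSL 1.1.1 argument list with `-header Host=...` as an argv list (no shell string to quote) and checks the DER response status before anything would be pushed to HAProxy, so an empty `.ocsp` file like the ones found under /var/etc/haproxy is rejected instead of triggering "Unable to parse OCSP response" at reload. The sample DER bytes are constructed, and `ocsp.example.net` is a placeholder.

```python
import subprocess
from urllib.parse import urlparse


def build_ocsp_cmd(pem_path, ocsp_url):
    """argv for the fetch. OpenSSL 1.1.1's ocsp app wants '-header key=value';
    the bug passed 'Host <host>' as two words. Passing argv instead of one shell
    string also sidesteps quoting issues with a URL taken from the certificate."""
    host = urlparse(ocsp_url).hostname or ""  # same as PHP parse_url(..., PHP_URL_HOST)
    return ["openssl", "ocsp",
            "-issuer", pem_path + ".issuer", "-verify_other", pem_path + ".issuer",
            "-cert", pem_path, "-url", ocsp_url,
            "-header", "Host=" + host, "-respout", pem_path + ".ocsp"]


def _body_offset(der):
    """Index of the first byte inside the outer SEQUENCE, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    return 2 + (der[1] & 0x7F) if der[1] & 0x80 else 2  # long- or short-form length


def ocsp_response_status(der):
    """responseStatus of a DER OCSPResponse (RFC 6960 4.2.1):
    SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }.
    Returns None when the bytes cannot be an OCSPResponse, e.g. an empty file."""
    i = _body_offset(der)
    if i is None or len(der) < i + 3 or der[i:i + 2] != b"\x0a\x01":
        return None
    return der[i + 2]


def staple_ok(der):
    """Only a successful(0) response that actually carries responseBytes ([0],
    tag 0xA0) is worth handing to 'set ssl ocsp-response'."""
    i = _body_offset(der)
    return ocsp_response_status(der) == 0 and len(der) > i + 3 and der[i + 3] == 0xA0


def fetch_staple(pem_path, ocsp_url):
    """Run the fetch; return True only when the written .ocsp file is safe to push."""
    proc = subprocess.run(build_ocsp_cmd(pem_path, ocsp_url), capture_output=True, text=True)
    if proc.returncode != 0:  # e.g. 'Missing = in header key=value' on a bad invocation
        return False
    with open(pem_path + ".ocsp", "rb") as f:
        return staple_ok(f.read())


# Constructed samples: what the bug left behind, a tryLater(3) response, and a
# successful(0) response whose responseBytes are truncated to the tag/length stub.
EMPTY_FILE = b""
TRY_LATER = bytes.fromhex("30030a0103")
SUCCESS_STUB = bytes.fromhex("30090a0100a00430020600")
```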