Bug #6182: HAProxy not supporting ALPN
Status: closed (0% done)
Description
ALPN is supposed to be superseding NPN, but for some reason ALPN is disabled in the libraries used by HAProxy on 2.3 but was working fine on 2.2. (OpenSSL?)
ERROR: parsing [/var/etc/haproxy_test/haproxy.cfg:25] : 'bind 1.2.3.4:443' : 'alpn' : library does not support TLS ALPN extension
CONFIG: Address: 1.2.3.4, Port: 443, SSL Offload: enabled, Advanced: alpn HTTP/1.1,HTTP/1.0
Is this an intentional change? I haven't been able to find anything with either google searches or searches here to explain it.
Updated by Sam Bingner over 8 years ago
Also: workaround until ALPN is working again is going back to "npn HTTP/1.1,HTTP/1.0" instead of "alpn HTTP/1.1,HTTP/1.0" in case somebody else comes here with the problem...
Updated by Pi Ba over 8 years ago
Likely related to haproxy being built against openssl 1.0.1, where it used to be against 1.0.2. Can see that in haproxy -vv output. I'm not sure how to change that though with the pkg Makefile.
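Added example, not part of the bug report or of the pfSense/HAProxy projects: a POSIX sh check that reads the "Built with OpenSSL version" line from haproxy -vv output (the place pointed to above) and reports whether that build can honour the 'alpn' bind option (OpenSSL 1.0.2 or later) or only 'npn'. The -vv lines used as input are constructed samples.

```shell
#!/bin/sh
# Added example, not from the bug report or the pfSense/HAProxy projects.
# Decide from `haproxy -vv` output whether the OpenSSL that HAProxy was
# built against is new enough for TLS ALPN (OpenSSL 1.0.2 or later).
# A 1.0.1 build only offers NPN, which is why the 'alpn' bind option is
# rejected with "library does not support TLS ALPN extension".

# Constructed samples of the relevant -vv lines (only the version lines
# are reproduced; the rest of the -vv output is omitted).
SAMPLE_VV_101='HA-Proxy version 1.6.9
Built with OpenSSL version : OpenSSL 1.0.1s-freebsd 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.1s-freebsd 1 Mar 2016'

SAMPLE_VV_102='HA-Proxy version 1.7.2
Built with OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017'

# Print the dotted numeric version (e.g. 1.0.1) from the
# "Built with OpenSSL version" line read on stdin; prints nothing if absent.
openssl_version_from_vv() {
    sed -n 's/^Built with OpenSSL version *: *OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 when major.minor.patch is at least 1.0.2, the first release with ALPN.
openssl_supports_alpn() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 1 ] && return 0
    [ "$maj" -eq 1 ] && [ "$min" -gt 0 ] && return 0
    [ "$maj" -eq 1 ] && [ "$min" -eq 0 ] && [ "$pat" -ge 2 ] && return 0
    return 1
}

# Given full -vv text, print the bind keyword the build can honour:
# "alpn" for 1.0.2+, "npn" for older OpenSSL, "unknown" if no version line.
alpn_or_npn() {
    ver=$(printf '%s\n' "$1" | openssl_version_from_vv)
    [ -n "$ver" ] || { echo unknown; return 2; }
    if openssl_supports_alpn "$ver"; then echo alpn; else echo npn; fi
}

# Stand-alone use: inspect the installed binary when one is present.
if command -v haproxy >/dev/null 2>&1; then
    alpn_or_npn "$(haproxy -vv 2>/dev/null)"
fi
```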
Updated by Sam Bingner over 8 years ago
Right - openssl is now 1.0.1s where it is 1.0.2c on 2.2.6.
Openssl was downgraded at https://redmine.pfsense.org/projects/pfsense/repository/freebsd-src/revisions/73af9669cdc04af0c06344ce6f0d85808187eab3 and it says it was a security update... but that doesn't explain why the version was downgraded. All those vulnerabilities are listed as also being fixed in 1.0.2g (and now 1.0.2h has fixes that apply to 1.0.1s) - in fact 1.0.2g was already merged at that point according to https://redmine.pfsense.org/projects/pfsense/repository/freebsd-src/revisions/72d32bf80dfdcfe0e69da200b66f195e919653f7
Now I'm just as confused as when I started.
Updated by Chris Buechler over 8 years ago
- Project changed from pfSense to pfSense Packages
- Category changed from Operating System to haproxy
- Affected Version changed from 2.3 to 2.3.x
Updated by Vincent Milum over 8 years ago
This is not a HAProxy issue, this is an entire pfSense issue. Because openssl in pfSense was reverted from 1.0.2 to 1.0.1, ALL packages appear to be affected.
openssl:
[2.3.2-RELEASE][root@pfSense.localdomain]/: openssl version
OpenSSL 1.0.1s-freebsd 1 Mar 2016
nginx:
[2.3.2-RELEASE][root@pfSense.localdomain]/: nginx -V
nginx version: nginx/1.10.1
built with OpenSSL 1.0.1s-freebsd 1 Mar 2016
Note that openssl 1.0.1 will hit end of life in just three months, December 31st, 2016. This should be marked as a critical security issue for pfSense to revert back to the 1.0.2 branch or upgrade to the 1.1.0 branch ASAP. This isn't just about maintaining the current feature set that was added by 1.0.2, but also about maintaining proper network security within pfSense, a network security operating system.
Also note that I included nginx in this list, since pfSense 2.3.x switched to including nginx by default. nginx statically compiles in openssl instead of dynamically linking to it, so it needs to be updated as well. And as such, there are possibly other applications either included directly with pfSense or available via packages which statically compile in openssl.
Another note is that as of pfSense 2.3.x, the base FreeBSD package repository has been removed. If this WASN'T the case, it would be as simple as running a "pkg upgrade" command on the various packages, such as openssl and nginx, to get a properly updated version of each. But because of this change, it has become more difficult to replace these packages.
Updated by Jim Pingle over 8 years ago
We use the OpenSSL version provided in the base system of FreeBSD 10.3, which is maintained by FreeBSD. If/when FreeBSD updates the version of OpenSSL on the 10.3 security/errata branch, we'll pick up the changes there. If there is a concern, it should be raised upstream. However, FreeBSD has a history of maintaining OpenSSL security patches for versions in existing branches directly, so I would not worry about OpenSSL's support dates but the dates given by FreeBSD instead.
2.4 snapshots, based on FreeBSD 11, already contain OpenSSL 1.0.2h.
Updated by Pi Ba over 8 years ago
That doesn't however allow access to new openssl 1.1 features like ALPN.
Haproxy used to be built not against the freebsd base version but against the openssl from 'ports'; then both versions were present on pfSense. This changed when switching to the new git ports tree.
Is it possible to make changes to existing ports makefiles?
Updated by Kill Bill about 8 years ago
Pi Ba wrote:
> Is it possible to make changes to existing ports makefiles?
See this and replace with < 1100000?
https://svnweb.freebsd.org/ports/head/net/haproxy-devel/Makefile?r1=425832&r2=426105
Updated by Joshua Ruehlig over 7 years ago
Is it possible to set build options for dependent ports?
Maybe we can add an OPTION to set 'WITH_OPENSSL_PORT= yes' in the official net/haproxy-devel FreeBSD port.
Updated by Kill Bill over 7 years ago
Joshua Ruehlig wrote:
> Is it possible to set build options for dependent ports?
See the previous comment.
Updated by Joshua Ruehlig over 7 years ago
Kill Bill wrote:
> Joshua Ruehlig wrote:
> > Is it possible to set build options for dependent ports?
> See the previous comment.
I saw your comment. I was just thinking of a way we wouldn't need to rely on maintaining our own change outside of the FreeBSD ports tree. But I guess we could justify pushing this fix upstream since ALPN is a valid reason to require newer OpenSSL.
Also, I see the haproxy-devel port changed slightly and "WITH_OPENSSL_PORT=yes" needs to be added back.
https://github.com/freebsd/freebsd-ports/commit/f3daf2261fb178366adda1ccfd67d90513f16f2a
Updated by Pi Ba over 7 years ago
The extra build flag should probably be added to: https://github.com/pfsense/pfsense/blob/master/tools/conf/pfPorts/make.conf#L102
However Renato expressed a while back that it was unwanted to have multiple openssl versions on pfSense due to previous issues. Though that was open to discussion, as with pkg it likely/hopefully causes fewer issues than with pbi.
Updated by Joshua Ruehlig over 7 years ago
Pi Ba wrote:
> The extra build flag should probably be added to: https://github.com/pfsense/pfsense/blob/master/tools/conf/pfPorts/make.conf#L102
> However Renato expressed a while back that it was unwanted to have multiple openssl versions on pfSense due to previous issues. Though that was open to discussion, as with pkg it likely/hopefully causes fewer issues than with pbi.
I would assume all we need is HAProxy to be built with newer openssl, and not actually care what version is installed on pfsense.
On my pfsense 2.2 system I installed hitch (another SSL capable proxy) with 'pkg add'. I built the package on another system with "WITH_OPENSSL_PORT=yes" in my make.conf and it works as expected, supporting ALPN, on my pfsense system.
Updated by Jim Pingle over 7 years ago
First, that isn't the way you set OpenSSL to use the port now. It would be:
DEFAULT_VERSIONS+= ssl=openssl
Second, building from ports really wants all of them set the same. Once you have OpenSSL installed from ports, you can't build against the base system OpenSSL: https://github.com/freebsd/freebsd-ports/blob/master/Mk/Uses/ssl.mk#L59
Even if poudriere helps there, it's not a situation that should be sought out on purpose. We finally got away from having multiple copies of OpenSSL around, we're not keen on resurrecting that problem source.
Once the FreeBSD base OpenSSL is updated to a version that supports this feature then it should work. Until then, unless Renato has a better idea, I don't see it happening.
Updated by Joshua Ruehlig over 7 years ago
Ok, just to clear up my understanding. Is the following correct?
If we build a port with openssl from ports, it now adds that as a dependency. This is something we want to avoid in order to have everything use the same openssl, from base.
On my pfsense 2.2 system, I was able to get an externally built 'hitch' package working because pfsense includes the openssl port, version 1.0.2k.
On another pfsense 2.3 I have, this would not work because openssl from ports is not included.
Updated by Jim Pingle over 7 years ago
Joshua Ruehlig wrote:
> Ok, just to clear up my understanding. Is the following correct?
> If we build a port with openssl from ports, it now adds that as a dependency. This is something we want to avoid in order to have everything use the same openssl, from base.
Yes.
> On my pfsense 2.2 system, I was able to get an externally built 'hitch' package working because pfsense includes the openssl port, version 1.0.2k.
> On another pfsense 2.3 I have, this would not work because openssl from ports is not included.
Correct. On 2.2.x, the FreeBSD base system was built against base OpenSSL (e.g. sshd) but packages/ports (even pfSense base system software built from ports, like OpenVPN) was built against the ports OpenSSL. It was not ideal trying to keep all that straight.
Updated by Joshua Ruehlig over 7 years ago
Ok, thanks that makes sense.
I excitedly wait for pfSense 2.4, and an ALPN capable HAProxy then.
Updated by Pi Ba over 7 years ago
You can wait, but it's still 1.0.2.
[2.4.0-BETA][root@pfSense.localdomain]/root: openssl version
OpenSSL 1.0.2k-freebsd 26 Jan 2017
Updated by Joshua Ruehlig over 7 years ago
Pi Ba wrote:
> You can wait, but it's still 1.0.2.
> [2.4.0-BETA][root@pfSense.localdomain]/root: openssl version
> OpenSSL 1.0.2k-freebsd 26 Jan 2017
I'm not sure why this is a problem. 1.0.2 supports ALPN I believe.
Updated by Pi Ba over 7 years ago
Ah yes sorry, got some versions mixed up in my head..