Ubuntu
haproxy package

Merge ~paelzer/ubuntu/+source/haproxy:bug-1841936-openssl1.1.1-tlsv13-focal into ubuntu/+source/haproxy:ubuntu/focal-devel

  1. Git
  2. lp:~paelzer/ubuntu/+source/haproxy
  3. bug-1841936-openssl1.1.1-tlsv13-focal
  4. Merge into ubuntu/focal-devel
Proposed by Christian Ehrhardt 
Status: Rejected
Rejected by: Christian Ehrhardt 
Proposed branch: ~paelzer/ubuntu/+source/haproxy:bug-1841936-openssl1.1.1-tlsv13-focal
Merge into: ubuntu/+source/haproxy:ubuntu/focal-devel
Diff against target: 308 lines (+261/-1) (has conflicts)
5 files modified
debian/changelog (+11/-0)
debian/control (+2/-1)
debian/patches/lp-1841936-BUG-MEDIUM-ssl-tune.ssl.default-dh-param-value-ignor.patch (+131/-0)
debian/patches/lp-1841936-CLEANUP-ssl-make-ssl_sock_load_dh_params-handle-errc.patch (+115/-0)
debian/patches/series (+2/-0)
Conflict in debian/changelog
Reviewer Review Type Date Requested Status
Canonical Server packageset reviewers Pending
Canonical Server Pending
git-ubuntu developers Pending
Review via email: mp+374596@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1841936-haproxy-openssl/+packages
Focal doesn't build in PPA yet it seems, but it is identical to the Eoan version (except version number)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Umm now it built, so ok

~paelzer/ubuntu/+source/haproxy:bug-1841936-openssl1.1.1-tlsv13-focal updated
4cd9cf4... by Christian Ehrhardt 

dp/lp-1841936-*: mark Applied Upstream to help dropping changes later

Signed-off-by: Christian Ehrhardt <email address hidden>

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Note: Upstream already accepted it also in all stable branches, so we can mark it to help dropping the Delta later.
Pushed to this series (not important for the SRUs).

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

syncing 2.0.8 from Debian already.
This MP isn't needed anymore (but the SRU MPs are)

Unmerged commits

4cd9cf4... by Christian Ehrhardt 

dp/lp-1841936-*: mark Applied Upstream to help dropping changes later

Signed-off-by: Christian Ehrhardt <email address hidden>

d6cca36... by Christian Ehrhardt 

update-maintainer

Signed-off-by: Christian Ehrhardt <email address hidden>

965d3a1... by Christian Ehrhardt 

changelog: Fix issues around dh_params when building against openssl 1.1.1 (LP: #1841936)

Signed-off-by: Christian Ehrhardt <email address hidden>

238cc15... by Christian Ehrhardt 

* Fix issues around dh_params when building against openssl 1.1.1 (LP: #1841936)
  - d/p/lp-1841936-BUG-MEDIUM-ssl-tune.ssl.default-dh-param-value-ignor.patch
  - d/p/lp-1841936-CLEANUP-ssl-make-ssl_sock_load_dh_params-handle-errc.patch

Signed-off-by: Christian Ehrhardt <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 2733720..1bcd82d 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,4 @@
6+<<<<<<< debian/changelog
7 haproxy (2.0.8-1) unstable; urgency=medium
8
9 * New upstream release.
10@@ -30,6 +31,16 @@ haproxy (2.0.6-1) unstable; urgency=medium
11 - BUG/MAJOR: ssl: ssl_sock was not fully initialized.
12
13 -- Vincent Bernat <bernat@debian.org> Fri, 13 Sep 2019 21:25:38 +0200
14+=======
15+haproxy (2.0.5-1ubuntu1) focal; urgency=medium
16+
17+ * Fix configurability of dh_params that regressed since building
18+ against openssl 1.1.1 (LP: 1841936)
19+ - d/p/lp-1841936-BUG-MEDIUM-ssl-tune.ssl.default-dh-param-value-ignor.patch
20+ - d/p/lp-1841936-CLEANUP-ssl-make-ssl_sock_load_dh_params-handle-errc.patch
21+
22+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 23 Oct 2019 12:58:09 +0200
23+>>>>>>> debian/changelog
24
25 haproxy (2.0.5-1) unstable; urgency=medium
26
27diff --git a/debian/control b/debian/control
28index ca8eb40..d120f6e 100644
29--- a/debian/control
30+++ b/debian/control
31@@ -1,7 +1,8 @@
32 Source: haproxy
33 Section: net
34 Priority: optional
35-Maintainer: Debian HAProxy Maintainers <haproxy@tracker.debian.org>
36+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
37+XSBC-Original-Maintainer: Debian HAProxy Maintainers <haproxy@tracker.debian.org>
38 Uploaders: Apollon Oikonomopoulos <apoikos@debian.org>,
39 Prach Pongpanich <prach@debian.org>,
40 Vincent Bernat <bernat@debian.org>
41diff --git a/debian/patches/lp-1841936-BUG-MEDIUM-ssl-tune.ssl.default-dh-param-value-ignor.patch b/debian/patches/lp-1841936-BUG-MEDIUM-ssl-tune.ssl.default-dh-param-value-ignor.patch
42new file mode 100644
43index 0000000..b8a9128
44--- /dev/null
45+++ b/debian/patches/lp-1841936-BUG-MEDIUM-ssl-tune.ssl.default-dh-param-value-ignor.patch
46@@ -0,0 +1,131 @@
47+From d6de151248603b357565ae52fe92440e66c1177c Mon Sep 17 00:00:00 2001
48+From: Emeric Brun <ebrun@haproxy.com>
49+Date: Thu, 17 Oct 2019 14:53:03 +0200
50+Subject: [PATCH] BUG/MEDIUM: ssl: 'tune.ssl.default-dh-param' value ignored
51+ with openssl > 1.1.1
52+
53+If openssl 1.1.1 is used, c2aae74f0 commit mistakenly enables DH automatic
54+feature from openssl instead of ECDH automatic feature. There is no impact for
55+the ECDH one because the feature is always enabled for that version. But doing
56+this, the 'tune.ssl.default-dh-param' was completely ignored for DH parameters.
57+
58+This patch fix the bug calling 'SSL_CTX_set_ecdh_auto' instead of
59+'SSL_CTX_set_dh_auto'.
60+
61+Currently some users may use a 2048 DH bits parameter, thinking they're using a
62+1024 bits one. Doing this, they may experience performance issue on light hardware.
63+
64+This patch warns the user if haproxy fails to configure the given DH parameter.
65+In this case and if openssl version is > 1.1.0, haproxy will let openssl to
66+automatically choose a default DH parameter. For other openssl versions, the DH
67+ciphers won't be usable.
68+
69+A commonly case of failure is due to the security level of openssl.cnf
70+which could refuse a 1024 bits DH parameter for a 2048 bits key:
71+
72+ $ cat /etc/ssl/openssl.cnf
73+ ...
74+
75+ [system_default_sect]
76+ MinProtocol = TLSv1
77+ CipherString = DEFAULT@SECLEVEL=2
78+
79+This should be backport into any branch containing the commit c2aae74f0.
80+It requires all or part of the previous CLEANUP series.
81+
82+This addresses github issue #324.
83+
84+(cherry picked from commit 6624a90a9ac2edb947a8c70fa6a8a283449750c6)
85+Signed-off-by: Emeric Brun <ebrun@haproxy.com>
86+
87+Origin: upstream, http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=d6de151248603b357565ae52fe92440e66c1177c
88+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1841936
89+Applied-Upstream: v2.1-dev3 1.8.22 2.0.8
90+Last-Update: 2019-10-23
91+
92+---
93+ src/ssl_sock.c | 47 +++++++++++++++++++++++++++++++++++++++++++----
94+ 1 file changed, 43 insertions(+), 4 deletions(-)
95+
96+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
97+index ec961ffe4..b1961f3c1 100644
98+--- a/src/ssl_sock.c
99++++ b/src/ssl_sock.c
100+@@ -2759,7 +2759,20 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file, char **err)
101+ DH *dh = ssl_sock_get_dh_from_file(file);
102+
103+ if (dh) {
104+- SSL_CTX_set_tmp_dh(ctx, dh);
105++ if (!SSL_CTX_set_tmp_dh(ctx, dh)) {
106++ memprintf(err, "%sunable to load the DH parameter specified in '%s'",
107++ err && *err ? *err : "", file);
108++#if defined(SSL_CTX_set_dh_auto)
109++ SSL_CTX_set_dh_auto(ctx, 1);
110++ memprintf(err, "%s, SSL library will use an automatically generated DH parameter.\n",
111++ err && *err ? *err : "");
112++#else
113++ memprintf(err, "%s, DH ciphers won't be available.\n",
114++ err && *err ? *err : "");
115++#endif
116++ ret |= ERR_WARN;
117++ goto end;
118++ }
119+
120+ if (ssl_dh_ptr_index >= 0) {
121+ /* store a pointer to the DH params to avoid complaining about
122+@@ -2768,7 +2781,20 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file, char **err)
123+ }
124+ }
125+ else if (global_dh) {
126+- SSL_CTX_set_tmp_dh(ctx, global_dh);
127++ if (!SSL_CTX_set_tmp_dh(ctx, global_dh)) {
128++ memprintf(err, "%sunable to use the global DH parameter for certificate '%s'",
129++ err && *err ? *err : "", file);
130++#if defined(SSL_CTX_set_dh_auto)
131++ SSL_CTX_set_dh_auto(ctx, 1);
132++ memprintf(err, "%s, SSL library will use an automatically generated DH parameter.\n",
133++ err && *err ? *err : "");
134++#else
135++ memprintf(err, "%s, DH ciphers won't be available.\n",
136++ err && *err ? *err : "");
137++#endif
138++ ret |= ERR_WARN;
139++ goto end;
140++ }
141+ }
142+ else {
143+ /* Clear openssl global errors stack */
144+@@ -2786,7 +2812,20 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file, char **err)
145+ goto end;
146+ }
147+
148+- SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
149++ if (!SSL_CTX_set_tmp_dh(ctx, local_dh_1024)) {
150++ memprintf(err, "%sunable to load default 1024 bits DH parameter for certificate '%s'.\n",
151++ err && *err ? *err : "", file);
152++#if defined(SSL_CTX_set_dh_auto)
153++ SSL_CTX_set_dh_auto(ctx, 1);
154++ memprintf(err, "%s, SSL library will use an automatically generated DH parameter.\n",
155++ err && *err ? *err : "");
156++#else
157++ memprintf(err, "%s, DH ciphers won't be available.\n",
158++ err && *err ? *err : "");
159++#endif
160++ ret |= ERR_WARN;
161++ goto end;
162++ }
163+ }
164+ else {
165+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
166+@@ -4496,7 +4535,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
167+ NULL);
168+
169+ if (ecdhe == NULL) {
170+- SSL_CTX_set_dh_auto(ctx, 1);
171++ SSL_CTX_set_ecdh_auto(ctx, 1);
172+ return cfgerr;
173+ }
174+ #else
175+--
176+2.23.0
177+
178diff --git a/debian/patches/lp-1841936-CLEANUP-ssl-make-ssl_sock_load_dh_params-handle-errc.patch b/debian/patches/lp-1841936-CLEANUP-ssl-make-ssl_sock_load_dh_params-handle-errc.patch
179new file mode 100644
180index 0000000..e268813
181--- /dev/null
182+++ b/debian/patches/lp-1841936-CLEANUP-ssl-make-ssl_sock_load_dh_params-handle-errc.patch
183@@ -0,0 +1,115 @@
184+From cfc1afe9f21ec27612ed4ad84c4a066c68ca24af Mon Sep 17 00:00:00 2001
185+From: Emeric Brun <ebrun@haproxy.com>
186+Date: Thu, 17 Oct 2019 13:27:40 +0200
187+Subject: [PATCH] CLEANUP: ssl: make ssl_sock_load_dh_params handle
188+ errcode/warn
189+
190+ssl_sock_load_dh_params used to return >0 or -1 to indicate success
191+or failure. Make it return a set of ERR_* instead so that its callers
192+can transparently report its status. Given that its callers only used
193+to know about ERR_ALERT | ERR_FATAL, this is the only code returned
194+for now. An error message was added in the case of failure and the
195+comment was updated.
196+
197+(cherry picked from commit 7a88336cf83cd1592fb8e7bc456d72c00c2934e4)
198+Signed-off-by: Emeric Brun <ebrun@haproxy.com>
199+
200+Backport-Note: context changes as we didn't backport further changes and
201+cleanups. Those affect the retval handling of a bunch of functions that
202+had to be adapted. We change ret of ssl_sock_load_dh_params as declared
203+by the patch but not the further one of ssl_sock_load_cert_file.
204+
205+Origin: backport, http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=cfc1afe9f21ec27612ed4ad84c4a066c68ca24af
206+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1841936
207+Applied-Upstream: v2.1-dev3 1.8.22 2.0.8
208+Last-Update: 2019-10-23
209+
210+---
211+ src/ssl_sock.c | 43 +++++++++++++++++++++++++++----------------
212+ 1 file changed, 27 insertions(+), 16 deletions(-)
213+
214+--- a/src/ssl_sock.c
215++++ b/src/ssl_sock.c
216+@@ -2740,15 +2740,24 @@ int ssl_sock_load_global_dh_param_from_f
217+ return -1;
218+ }
219+
220+-/* Loads Diffie-Hellman parameter from a file. Returns 1 if loaded, else -1
221+- if an error occurred, and 0 if parameter not found. */
222+-int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
223+-{
224+- int ret = -1;
225++/* Loads Diffie-Hellman parameter from a ckchs to an SSL_CTX.
226++ * If there is no DH paramater availaible in the ckchs, the global
227++ * DH parameter is loaded into the SSL_CTX and if there is no
228++ * DH parameter available in ckchs nor in global, the default
229++ * DH parameters are applied on the SSL_CTX.
230++ * Returns a bitfield containing the flags:
231++ * ERR_FATAL in any fatal error case
232++ * ERR_ALERT if a reason of the error is availabine in err
233++ * ERR_WARN if a warning is available into err
234++ * The value 0 means there is no error nor warning and
235++ * the operation succeed.
236++ */
237++static int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file, char **err)
238++ {
239++ int ret = 0;
240+ DH *dh = ssl_sock_get_dh_from_file(file);
241+
242+ if (dh) {
243+- ret = 1;
244+ SSL_CTX_set_tmp_dh(ctx, dh);
245+
246+ if (ssl_dh_ptr_index >= 0) {
247+@@ -2759,7 +2768,6 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx
248+ }
249+ else if (global_dh) {
250+ SSL_CTX_set_tmp_dh(ctx, global_dh);
251+- ret = 0; /* DH params not found */
252+ }
253+ else {
254+ /* Clear openssl global errors stack */
255+@@ -2770,16 +2778,18 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx
256+ if (local_dh_1024 == NULL)
257+ local_dh_1024 = ssl_get_dh_1024();
258+
259+- if (local_dh_1024 == NULL)
260++ if (local_dh_1024 == NULL) {
261++ memprintf(err, "%sunable to load default 1024 bits DH parameter for certificate '%s'.\n",
262++ err && *err ? *err : "", file);
263++ ret |= ERR_ALERT | ERR_FATAL;
264+ goto end;
265++ }
266+
267+ SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
268+ }
269+ else {
270+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
271+ }
272+-
273+- ret = 0; /* DH params not found */
274+ }
275+
276+ end:
277+@@ -3254,8 +3264,8 @@ static int ssl_sock_load_multi_cert(cons
278+ if (ssl_dh_ptr_index >= 0)
279+ SSL_CTX_set_ex_data(cur_ctx, ssl_dh_ptr_index, NULL);
280+
281+- rv = ssl_sock_load_dh_params(cur_ctx, NULL);
282+- if (rv < 0) {
283++ rv = ssl_sock_load_dh_params(cur_ctx, NULL, err);
284++ if (rv & ERR_CODE) {
285+ if (err)
286+ memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
287+ *err ? *err : "", path);
288+@@ -3485,8 +3495,8 @@ static int ssl_sock_load_cert_file(const
289+ SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
290+ }
291+
292+- ret = ssl_sock_load_dh_params(ctx, path);
293+- if (ret < 0) {
294++ ret = ssl_sock_load_dh_params(ctx, path, err);
295++ if (ret & ERR_CODE) {
296+ if (err)
297+ memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
298+ *err ? *err : "", path);
299diff --git a/debian/patches/series b/debian/patches/series
300index 64d2dd6..4987953 100644
301--- a/debian/patches/series
302+++ b/debian/patches/series
303@@ -4,3 +4,5 @@ haproxy.service-add-documentation.patch
304
305 # applied during the build process:
306 # debianize-dconv.patch
307+lp-1841936-CLEANUP-ssl-make-ssl_sock_load_dh_params-handle-errc.patch
308+lp-1841936-BUG-MEDIUM-ssl-tune.ssl.default-dh-param-value-ignor.patch

Subscribers

People subscribed via source and target branches