delta/haproxy.git/include/haproxy/ssl_utils.h, branch master github.com: haproxy/haproxy.git MINOR: ssl: add new sample ssl_c_r_dn 2023-05-15T08:48:05+00:00 Abhijeet Rastogi abhijeet.1989@gmail.com 2023-05-14T03:04:45+00:00 df97f472fad4ec7c2621d2e13db837a591742d9e This patch addresses #1514, adds the ability to fetch DN of the root ca that was in the chain when client certificate was verified during SSL handshake. 
This patch addresses #1514, adds the ability to fetch DN of the root
ca that was in the chain when client certificate was verified during SSL
handshake.
MINOR: ssl: Move OCSP code to a dedicated source file 2022-12-21T10:21:07+00:00 Remi Tricot-Le Breton rlebreton@haproxy.com 2022-12-20T10:11:17+00:00 c8d814ed63119c4f76e6e4ef211b583eac362a8e This is a simple cleanup that moves OCSP related code to a dedicated file instead of interlacing it in some pure ssl connection code. 
This is a simple cleanup that moves OCSP related code to a dedicated
file instead of interlacing it in some pure ssl connection code.
MEDIUM: ssl: {ca,crt}-ignore-err can now use error constant name 2022-11-10T12:28:37+00:00 William Lallemand wlallemand@haproxy.org 2022-11-03T15:31:50+00:00 960fb74cae15cf00030fda22836284989fe5a1c0 The ca-ignore-err and crt-ignore-err directives are now able to use the openssl X509_V_ERR constant names instead of the numerical values. This allow a configuration to survive an OpenSSL upgrade, because the numerical ID can change between versions. For example X509_V_ERR_INVALID_CA was 24 in OpenSSL 1 and is 79 in OpenSSL 3. The list of errors must be updated when a new major OpenSSL version is released. 
The ca-ignore-err and crt-ignore-err directives are now able to use the
openssl X509_V_ERR constant names instead of the numerical values.

This allow a configuration to survive an OpenSSL upgrade, because the
numerical ID can change between versions. For example
X509_V_ERR_INVALID_CA was 24 in OpenSSL 1 and is 79 in OpenSSL 3.

The list of errors must be updated when a new major OpenSSL version is
released.
MINOR: sample: Expose SSL captures using new fetchers 2021-08-26T17:48:34+00:00 Marcin Deranek marcin.deranek@booking.com 2021-07-13T13:14:21+00:00 959a48c1167a4893796ed568d3864536e7e044f2 To be able to provide JA3 compatible TLS Fingerprints we need to expose all Client Hello captured data using fetchers. Patch provides new and modifies existing fetchers to add ability to filter out GREASE values: - ssl_fc_cipherlist_* - ssl_fc_ecformats_bin - ssl_fc_eclist_bin - ssl_fc_extlist_bin - ssl_fc_protocol_hello_id 
To be able to provide JA3 compatible TLS Fingerprints we need to expose
all Client Hello captured data using fetchers. Patch provides new
and modifies existing fetchers to add ability to filter out GREASE values:
- ssl_fc_cipherlist_*
- ssl_fc_ecformats_bin
- ssl_fc_eclist_bin
- ssl_fc_extlist_bin
- ssl_fc_protocol_hello_id
MINOR: ssl: add an openssl version string parser 2021-08-21T21:44:02+00:00 William Lallemand wlallemand@haproxy.org 2021-08-21T21:16:06+00:00 44d862d8d403ebb41dd20246ab7ba7df0285a73d openssl_version_parser() parse a string in the OpenSSL version format which is documented here: https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_VERSION_NUMBER.html The function returns an unsigned int that could be used for comparing openssl versions. 
openssl_version_parser() parse a string in the OpenSSL version format
which is documented here:

https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_VERSION_NUMBER.html

The function returns an unsigned int that could be used for comparing
openssl versions.
MEDIUM: ssl: Keep a reference to the client's certificate for use in logs 2021-08-19T21:26:05+00:00 Remi Tricot-Le Breton rlebreton@haproxy.com 2021-08-19T16:06:30+00:00 74f6ab6e8711d3f4cdd2fe272605364142e35ddb Most of the SSL sample fetches related to the client certificate were based on the SSL_get_peer_certificate function which returns NULL when the verification process failed. This made it impossible to use those fetches in a log format since they would always be empty. The patch adds a reference to the X509 object representing the client certificate in the SSL structure and makes use of this reference in the fetches. The reference can only be obtained in ssl_sock_bind_verifycbk which means that in case of an SSL error occurring before the verification process ("no shared cipher" for instance, which happens while processing the Client Hello), we won't ever start the verification process and it will be impossible to get information about the client certificate. This patch also allows most of the ssl_c_XXX fetches to return a usable value in case of connection failure (because of a verification error for instance) by making the "conn->flags & CO_FL_WAIT_XPRT" test (which requires a connection to be established) less strict. Thanks to this patch, a log-format such as the following should return usable information in case of an error occurring during the verification process : log-format "DN=%{+Q}[ssl_c_s_dn] serial=%[ssl_c_serial,hex] \ hash=%[ssl_c_sha1,hex]" It should answer to GitHub issue #693. 
Most of the SSL sample fetches related to the client certificate were
based on the SSL_get_peer_certificate function which returns NULL when
the verification process failed. This made it impossible to use those
fetches in a log format since they would always be empty.

The patch adds a reference to the X509 object representing the client
certificate in the SSL structure and makes use of this reference in the
fetches.

The reference can only be obtained in ssl_sock_bind_verifycbk which
means that in case of an SSL error occurring before the verification
process ("no shared cipher" for instance, which happens while processing
the Client Hello), we won't ever start the verification process and it
will be impossible to get information about the client certificate.

This patch also allows most of the ssl_c_XXX fetches to return a usable
value in case of connection failure (because of a verification error for
instance) by making the "conn->flags & CO_FL_WAIT_XPRT" test (which
requires a connection to be established) less strict.

Thanks to this patch, a log-format such as the following should return
usable information in case of an error occurring during the verification
process :
    log-format "DN=%{+Q}[ssl_c_s_dn] serial=%[ssl_c_serial,hex] \
                hash=%[ssl_c_sha1,hex]"

It should answer to GitHub issue #693.
REORG: include: move ssl_utils.h to haproxy/ssl_utils.h 2020-06-11T08:18:57+00:00 Willy Tarreau w@1wt.eu 2020-06-04T12:21:22+00:00 b2bd865804f7fa9551832ff6f75119cf6de4bfda Just added buf-t and openssl-compat for the missing types that appear in the prototypes. 
Just added buf-t and openssl-compat for the missing types that appear
in the prototypes.