Hello, we have a problem with TLS offload using HAProxy & a TLS VPN (ocserv, ~ Cisco VPN).
#ocserv debug log:
ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 440 byte(s)
ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 56 byte(s)
ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 440 byte(s)
ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 56 byte(s)
ocserv[64521]: worker[vpn_name]: [SOME_IP] received 60 byte(s) (TLS)
ocserv[64521]: worker[vpn_name]: [SOME_IP] writing 52 byte(s) to TUN
ocserv[64521]: worker[vpn_name]: [SOME_IP] received 1070 byte(s) (TLS)
ocserv[64521]: worker[vpn_name]: [SOME_IP] unexpected CSTP length (have 52, should be 1062)
ocserv[64521]: worker[vpn_name]: [SOME_IP] worker-vpn.c:1094: error parsing CSTP data
ocserv[64521]: worker[vpn_name]: [SOME_IP] sending message 'sm: cli stats' to secmod
ocserv[64521]: worker[vpn_name]: [SOME_IP] sent periodic stats (in: 52, out: 1984) to sec-mod
It happens on the first connection after ~30-50 packets.
Everything is OK if we switch off TLS offload (haproxy TCP mode & server "localhost:4443").
Comments from ocserv developers:
"My understanding is that haproxy breaks a TLS packet received
(with 1062 bytes of payload) into multiple writes to ocserv socket.
That's a bummer. Because ocserv doesn't attempt to reconstruct the
packet (in the TLS case it is not necessary as the TLS boundaries are
sufficient), this error occurs. Is there a way to instruct haproxy to
pass the full packet received rather than doing multiple writes?
Otherwise we may need some reconstruction logic for that situation."
Here is the configuration:
##ocserv.conf
...
listen-clear-file = /var/lib/haproxy/oc_vpn
listen-proxy-proto = true
tcp-port = 4443
udp-port = 4443
...
#TLS offloaded
## haproxy.conf
...
defaults
    mode http
    timeout connect 10s
    timeout http-request 10s
    timeout http-keep-alive 15s
    timeout client 300s
    timeout server 300s
    timeout queue 90s
    timeout tunnel 1500s
....
frontend http
    bind 0.0.0.0:443 tfo npn http/1.1 ssl crt /etc/ssl/server.both force-tlsv12
    reqadd X-Forwarded-Proto:\ https
    acl is_vpn_prefix path_beg -i /hebs-tln
    reqirep POST\ /hebs-tln POST\ / if is_vpn_prefix
    default_backend vpn_http
backend vpn_http
    server socket unix@oc_vpn send-proxy-v2
....
## Working HaProxy configuration
## no TLS offload
..
frontend tcp
    mode tcp
    bind 0.0.0.0:443 tfo npn http/1.1
    default_backend vpn_tcp
backend vpn_tcp
    mode tcp
    server localhost:4443 localhost:4443 send-proxy-v2
---
Best regards,
Eugene Istomin
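The developer comment above describes the failure mode precisely: a parser that treats each read() as exactly one CSTP frame works while TLS record boundaries hand it whole frames, and breaks as soon as a clear-text socket delivers a frame in two writes (or two frames in one). The example below is added here to illustrate that; it is not code from the poster, from HAProxy or from ocserv. It assumes, for illustration only, an 8-byte CSTP header (4-byte magic, 2-byte big-endian payload length, 1-byte type, 1 reserved byte); the exact ocserv layout is not given on this page. It feeds constructed traffic with the sizes seen in the debug log (a 52-byte payload, then a 1062-byte one) through a per-read parser and through a buffering stream parser, and shows the per-read parser reproducing the "have 52, should be 1062" error while the stream parser recovers both frames.

```python
import struct

# Assumed CSTP framing (illustrative, not taken from ocserv): an 8-byte header
# of a 4-byte magic, a 2-byte big-endian payload length, a 1-byte frame type
# and one reserved byte, followed by the payload.
CSTP_MAGIC = b"STF\x01"
HEADER_LEN = 8
TYPE_DATA = 0x00


def build_frame(payload: bytes, ftype: int = TYPE_DATA) -> bytes:
    """Encode one CSTP frame (header + payload)."""
    return CSTP_MAGIC + struct.pack(">HBB", len(payload), ftype, 0) + payload


def parse_one_read(chunk: bytes) -> bytes:
    """Per-read parser: assumes every read() returns exactly one whole frame.

    This is the behaviour the debug log shows failing: fine while the socket
    hands over one frame per read, broken once a frame is split across reads.
    """
    if len(chunk) < HEADER_LEN or chunk[:4] != CSTP_MAGIC:
        raise ValueError("bad CSTP header")
    length = struct.unpack(">H", chunk[4:6])[0]
    have = len(chunk) - HEADER_LEN
    if have != length:
        raise ValueError(f"unexpected CSTP length (have {have}, should be {length})")
    return chunk[HEADER_LEN:]


class CstpReassembler:
    """Stream parser: buffers bytes across reads and yields only whole frames."""

    def __init__(self, max_frame: int = 65535 + HEADER_LEN):
        self.buf = bytearray()
        self.max_frame = max_frame  # bound memory held per connection

    def feed(self, chunk: bytes) -> list:
        """Append one read's worth of bytes; return every frame now complete."""
        self.buf += chunk
        frames = []
        while len(self.buf) >= HEADER_LEN:
            if self.buf[:4] != CSTP_MAGIC:
                # Lost framing: fail closed rather than scanning for the next
                # magic inside data the peer controls.
                raise ValueError("CSTP stream desynchronised")
            length, ftype, _reserved = struct.unpack(">HBB", self.buf[4:8])
            total = HEADER_LEN + length
            if total > self.max_frame:
                raise ValueError("CSTP frame exceeds maximum size")
            if len(self.buf) < total:
                break  # partial frame: wait for the next read
            frames.append((ftype, bytes(self.buf[HEADER_LEN:total])))
            del self.buf[:total]
        return frames


def split_stream(data: bytes, sizes) -> list:
    """Constructed helper: cut a byte string into reads of the given sizes
    (the remainder becomes the last read), imitating a proxy's write pattern."""
    out, pos = [], 0
    for n in sizes:
        out.append(data[pos:pos + n])
        pos += n
    if pos < len(data):
        out.append(data[pos:])
    return out


def demo() -> dict:
    """Constructed traffic: a 52-byte payload frame, then a 1062-byte one."""
    small = build_frame(b"A" * 52)
    big = build_frame(b"B" * 1062)
    stream = small + big

    # Case 1: one frame per read (what a TLS record boundary gives the parser).
    per_record = [len(parse_one_read(small)), len(parse_one_read(big))]

    # Case 2: the proxy writes the 1070-byte frame as 60 bytes + the rest.
    reads = split_stream(stream, [len(small), 60])
    naive_error = None
    try:
        for r in reads:
            parse_one_read(r)
    except ValueError as e:
        naive_error = str(e)

    # Case 3: the same reads through the reassembler.
    rs = CstpReassembler()
    reassembled = []
    for r in reads:
        reassembled.extend(len(p) for _t, p in rs.feed(r))

    # Case 4: both frames coalesced into a single read.
    coalesced = [len(p) for _t, p in CstpReassembler().feed(stream)]
    return {"per_record": per_record, "naive_error": naive_error,
            "reassembled": reassembled, "coalesced": coalesced,
            "leftover": len(rs.buf)}


if __name__ == "__main__":
    print(demo())
```

Nothing about a TCP or unix-socket byte stream preserves write boundaries, so a proxy option that "passes the full packet" would only make the split less likely, not impossible; the robust fix is the receiver-side reassembly shown here, with a bounded buffer and a hard failure on desynchronisation rather than a resync scan.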