We'd need several cleanups:
Cleanup:
5b673a658fb1a0a42dbe948b413fceeff1af0642
82b00a11b298a497b4ca93a3f3bf3c7f1399ebc2
b1e3ee6f214d82ebe98140f577777b4c47d88084
And more from there for context.
They are all meant to be no-ops changing the retval handling.
It seems less of an impact to backport the change for that context difference
between the 1.8.8 that we have and the 1.8.21 that this was coded for (much
better than the 2.0 fix it is for sure).
So only focus on 19dd0431b06019d5cbd253662822b15412f67144 being the
actual fix.
But when checking that it becomes clear that the fix makes use of the
err message pass-back mechanism that was introduced by the cleanups.
Only that way it will be able to report any errors. OTOH it before
didn't go into any details and that isn't the point of the fix here.
At least b1e3ee6f214d82ebe98140f577777b4c47d88084 is needed IMHO as that
changes the global_dh flow of the code by dropping the "ret = 0; /* DH
params not found */". That is actually part of the fix depending on
configuration, even thou declared a cleanup.
Ok, that makes up the changes that I'm gonna try and test it now.
** Changed in: haproxy (Ubuntu Bionic)
Status: Fix Committed => In Progress
--
You received this bug notification because you are a member of Ubuntu
High Availability Team, which is subscribed to haproxy in Ubuntu.
https://bugs.launchpad.net/bugs/1841936
Title:
Rebuild haproxy with openssl 1.1.1 will change features (bionic)
Status in HAProxy:
Fix Released
Status in haproxy package in Ubuntu:
Fix Released
Status in haproxy source package in Bionic:
In Progress
Bug description:
[Impact]
* openssl 1.1.1 has been backported to Bionic for its longer
support upstream period
* That would allow the extra feature of TLSv1.3 in some consuming
packages what seems "for free". Just with a no change rebuild it would
pick that up.
[Test Case]
* run "haproxy -vv" and check the reported TLS versions to include
1.3
[Regression Potential]
* This should be low, the code already runs against the .so of the newer
openssl library. This would only make it recognize the newer TLS
support.
i'd expect more trouble as-is with the somewhat big delta between what
it was built against vs what it runs with than afterwards.
* [1] and [2] indicate that any config that would have been made for
TLSv1.2 [1] would not apply to the v1.3 as it would be configured in
[2].
It is good to have no entry for [2] yet as following the defaults of
openssl is the safest as that would be updated if new insights/CVEs are
known.
But this could IMHO be the "regression that I'd expect", one explcitly
configured the v1.2 things and once both ends support v1.3 that might
be auto-negotiated. One can then set "force-tlsv12" but that is an
administrative action [3]
* Yet AFAIK this fine grained control [2] for TLSv1.3 only exists in
>=1.8.15 [4] and Bionic is on haproxy 1.8.8. So any user of TLSv1.3 in
Bionic haproxy would have to stay without that. There are further
changes to TLS v1.3 handling enhancements [5] but also fixes [6] which
aren't in 1.8.8 in Bionic.
So one could say enabling this will enable an inferior TLSv1.3 and one
might better not enable it, for an SRU the bar to not break old
behavior is intentionally high - I tried to provide as much as possible
background, the decision is up to the SRU team.
[1]:
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-ssl-default-bind-ciphers
[2]:
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-ssl-default-bind-ciphersuites
[3]:
https://www.haproxy.com/documentation/hapee/1-8r2/traffic-management/tls/#define-bind-directives-on-the-frontend
[4]: https://github.com/haproxy/haproxy/blob/master/CHANGELOG#L2131
[5]:
https://github.com/haproxy/haproxy/commit/526894ff3925d272c13e57926aa6b5d9d8ed5ee3
[6]:
https://github.com/haproxy/haproxy/commit/bc34cd1de2ee80de63b5c4d319a501fc0d4ea2f5
[Other Info]
* If this is nack'ed we will need an upload that prevents to enable
TLSv1.3 to avoid enabling it by accident on e.g. a security update.
---
haproxy needs to be rebuilt after #1797386 to take advantage of
TLSv1.3.
(If that's not desirable for some reason, then maybe TLSv1.3 should be
actively disabled to avoid any surprises in case of a future bug fix
release.)
---
Output of haproxy -vv with stock package:
Built with OpenSSL version : OpenSSL 1.1.0g 2 Nov 2017
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018 (VERSIONS DIFFER!)
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
---
Output after rebuilding the package from source:
Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
To manage notifications about this bug go to:
https://bugs.launchpad.net/haproxy/+bug/1841936/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~ubuntu-ha
Post to : ubuntu-ha@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-ha
More help : https://help.launchpad.net/ListHelp
