bosh-lite
Openssl/HAproxy ciphers list configuration doesn't work
We're tailoring HAProxy configuration for a Pivotal customer that requires tight control over the SSL ciphers used to encrypt traffic to CloudFoundry.
We can do this with this HAProxy config stanza:

```
frontend https-in
    mode http
    bind :443 ssl crt /var/vcap/jobs/haproxy/config/cert.pem ciphers !RC4:+FIPS:kRSA+FIPS:!eNULL:!aNULL
    option httplog
    option forwardfor
    option http-server-close
    reqadd X-Forwarded-Proto:\ https
    default_backend http-routers

frontend ssl-in
    mode tcp
    bind :4443 ssl crt /var/vcap/jobs/haproxy/config/cert.pem ciphers !RC4:+FIPS:kRSA+FIPS:!eNULL:!aNULL
    default_backend tcp-routers
```
However, this doesn't work inside a BOSH-Lite warden container, but functions perfectly on a real VM (Hetzner). We've tried a lot of custom builds of different versions of OpenSSL and HAProxy, but none obey the cipher restrictions on BOSH-Lite.
To verify the ciphers that are accepted, use http://sourceforge.net/projects/sslscan/
```
root@abc27b9a-e3ba-405a-b66d-ae1af5b69b44:~# sslscan localhost | grep Accep
Accepted  SSLv3  256 bits  AES256-SHA
Accepted  SSLv3  128 bits  AES128-SHA
Accepted  SSLv3  168 bits  DES-CBC3-SHA
Accepted  SSLv3  56 bits   DES-CBC-SHA
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLSv1  128 bits  AES128-SHA
Accepted  TLSv1  168 bits  DES-CBC3-SHA
Accepted  TLSv1  56 bits   DES-CBC-SHA
```
For the configuration supplied above, this output is correct.
```
root@bosh-lite:/usr/src/haproxy-1.5.3# sslscan 10.244.0.34 | grep Accep
Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
Accepted  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  SSLv3  256 bits  AES256-SHA
Accepted  SSLv3  256 bits  CAMELLIA256-SHA
Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
Accepted  SSLv3  168 bits  DES-CBC3-SHA
Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
Accepted  SSLv3  128 bits  DHE-RSA-SEED-SHA
Accepted  SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
Accepted  SSLv3  128 bits  AES128-SHA
Accepted  SSLv3  128 bits  SEED-SHA
Accepted  SSLv3  128 bits  CAMELLIA128-SHA
Accepted  SSLv3  128 bits  RC4-SHA
Accepted  SSLv3  128 bits  RC4-MD5
Accepted  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
Accepted  SSLv3  56 bits   DES-CBC-SHA
Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLSv1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
Accepted  TLSv1  168 bits  DES-CBC3-SHA
Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
Accepted  TLSv1  128 bits  DHE-RSA-SEED-SHA
Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
Accepted  TLSv1  128 bits  AES128-SHA
Accepted  TLSv1  128 bits  SEED-SHA
Accepted  TLSv1  128 bits  CAMELLIA128-SHA
Accepted  TLSv1  128 bits  RC4-SHA
Accepted  TLSv1  128 bits  RC4-MD5
Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
Accepted  TLSv1  56 bits   DES-CBC-SHA
```
Above is an example of HAProxy in a warden container ignoring the cipher restrictions.
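The issue compares two sslscan runs by eye. The following script is an added example (not part of the issue, bosh-lite or HAProxy) that automates that comparison: it parses sslscan's `Accepted` lines, diffs the negotiated cipher names against the set the `ciphers` string is expected to permit, and separately flags ciphers that should never be accepted (RC4, MD5, NULL, export, single DES). The sample output and the expected allow-list are constructed from the scans quoted above; for a real audit the allow-list should be generated from the same cipher string with `openssl ciphers`.

```python
import re

# Constructed sample: "Accepted"/"Rejected" lines in the shape sslscan prints,
# taken from the scans quoted in the issue rather than from a live scan.
SAMPLE_SSLSCAN_OUTPUT = """\
Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
Accepted  SSLv3  128 bits  RC4-SHA
Accepted  SSLv3  128 bits  RC4-MD5
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLSv1  56 bits   DES-CBC-SHA
Rejected  TLSv1  256 bits  CAMELLIA256-SHA
"""

# What the HAProxy 'ciphers' string in the issue is expected to permit: the
# set shown by the working (real VM) scan. For a real audit derive it with:
#   openssl ciphers '!RC4:+FIPS:kRSA+FIPS:!eNULL:!aNULL'
EXPECTED_ALLOWED = {"AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "DES-CBC-SHA"}

# Ciphers that should never be negotiated, whatever the local policy says.
WEAK_PATTERNS = [
    re.compile(r"RC4"),                 # RC4 stream cipher
    re.compile(r"MD5"),                 # MD5-based MAC
    re.compile(r"NULL"),                # no encryption or no authentication
    re.compile(r"(^|-)EXP"),            # export-grade key sizes
    re.compile(r"(^|-)DES-CBC-SHA$"),   # single DES (does not match DES-CBC3-SHA)
]

ACCEPTED_RE = re.compile(
    r"^\s*Accepted\s+(?P<proto>\S+)\s+(?P<bits>\d+)\s+bits\s+(?P<cipher>\S+)"
)


def parse_accepted(output):
    """Return (protocol, bits, cipher) tuples for every 'Accepted' line."""
    found = []
    for line in output.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            found.append((m.group("proto"), int(m.group("bits")), m.group("cipher")))
    return found


def audit(output, expected_allowed):
    """Compare negotiated cipher names against the expected allow-list.

    'unexpected' are ciphers the server accepted although the 'ciphers'
    directive should have excluded them (the symptom reported in the issue);
    'missing' are expected ciphers the scanner could not negotiate.
    """
    accepted = {cipher for _, _, cipher in parse_accepted(output)}
    return {
        "unexpected": sorted(accepted - expected_allowed),
        "missing": sorted(expected_allowed - accepted),
    }


def weak_ciphers(output):
    """Return accepted cipher names that match any known-weak pattern."""
    accepted = {cipher for _, _, cipher in parse_accepted(output)}
    return sorted(c for c in accepted if any(p.search(c) for p in WEAK_PATTERNS))


def check(output, expected_allowed):
    """True only if nothing outside the policy and no weak cipher was accepted."""
    return not audit(output, expected_allowed)["unexpected"] and not weak_ciphers(output)


if __name__ == "__main__":
    print(audit(SAMPLE_SSLSCAN_OUTPUT, EXPECTED_ALLOWED))
    print("weak:", weak_ciphers(SAMPLE_SSLSCAN_OUTPUT))
    print("policy honoured:", check(SAMPLE_SSLSCAN_OUTPUT, EXPECTED_ALLOWED))
```

Run against the warden-container scan it reports DHE and RC4 suites as unexpected, which is exactly the bug described. Note that run against the "correct" scan it still flags `DES-CBC-SHA`, because the cipher string in the issue (`kRSA+FIPS`) itself admits 56-bit single DES; the policy diff and the weak-cipher check answer different questions and both are worth keeping.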
We have created an issue in Pivotal Tracker to manage this. You can view the current status of your issue at: https://www.pivotaltracker.com/story/show/76686530.
Could you include ifconfig output from the haproxy vm. Do you have multiple bosh-lite boxes running on your machine?
I don't have access to that machine anymore, sorry. There was only one BOSH-lite running. Stock CF177, fresh 'vagrant up' from github.
It looked like an artifact of how the openssl libraries were being used or how they were being addressed. Ran out of customer time to troubleshoot.
Can you confirm you can reproduce? It's a 30 sec change/test. Seriously odd bug!
James M

On 18 Aug 2014 18:14, "Dmitriy Kalinin" [email protected] wrote:

> Could you include ifconfig output from the haproxy vm. Do you have multiple bosh-lite boxes running on your machine?
>
> Reply to this email directly or view it on GitHub: https://github.com/cloudfoundry/bosh-lite/issues/151#issuecomment-52523746