This repository has been archived by the owner on Jan 21, 2022. It is now read-only.

Openssl/HAproxy ciphers list configuration doesn't work #151

Open
james-masson opened this issue Aug 11, 2014 · 3 comments

@james-masson

We're tailoring HAProxy configuration for a Pivotal customer that requires tight control over the SSL ciphers used to encrypt traffic to CloudFoundry.

We can do this with this HAproxy config stanza

frontend https-in
    mode http
    bind :443 ssl crt /var/vcap/jobs/haproxy/config/cert.pem ciphers !RC4:+FIPS:kRSA+FIPS:!eNULL:!aNULL
    option httplog
    option forwardfor
    option http-server-close
    reqadd X-Forwarded-Proto:\ https
    default_backend http-routers

frontend ssl-in
    mode tcp
    bind :4443 ssl crt /var/vcap/jobs/haproxy/config/cert.pem ciphers !RC4:+FIPS:kRSA+FIPS:!eNULL:!aNULL
    default_backend tcp-routers

However, this doesn't work inside a BOSH-Lite warden container, but functions perfectly on a real VM (Hetzner). We've tried a lot of custom builds of different versions of OpenSSL and HAProxy, but none obey the cipher restrictions on BOSH-Lite.

To verify the ciphers that are accepted, use http://sourceforge.net/projects/sslscan/

root@abc27b9a-e3ba-405a-b66d-ae1af5b69b44:~# sslscan localhost | grep Accep
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA

For the configuration supplied above, this output is correct.

root@bosh-lite:/usr/src/haproxy-1.5.3# sslscan 10.244.0.34 | grep Accep
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  256 bits  CAMELLIA256-SHA
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-SEED-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  128 bits  SEED-SHA
    Accepted  SSLv3  128 bits  CAMELLIA128-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-SEED-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  SEED-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA

Above is an example of HAProxy in a warden container ignoring the cipher restrictions.
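Comparing the two sslscan runs above by eye is error-prone, so here is an added example (not part of the issue, HAProxy, or BOSH) that does it mechanically: it parses sslscan's "Accepted" lines and checks them against the cipher set the bind line is supposed to yield. The EXPECTED_CIPHERS allow-list is an assumption taken from the known-good VM output above, i.e. what "!RC4:+FIPS:kRSA+FIPS:!eNULL:!aNULL" expanded to on that OpenSSL build; the weak-cipher markers and the 112-bit floor are added here as extra checks the issue itself does not make. The sample inputs are the issue's own scanner lines, abridged.

```python
"""Audit sslscan output against the cipher policy an HAProxy bind line intends."""
from __future__ import annotations

import re
from typing import NamedTuple

# Allow-list the bind line is meant to produce. Assumed from the issue's
# known-good run on the VM: RSA key exchange, FIPS bulk ciphers, no RC4,
# no NULL encryption, no anonymous authentication.
EXPECTED_CIPHERS = {"AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "DES-CBC-SHA"}

# Substrings of OpenSSL cipher names that should never be negotiable on a
# hardened listener, whatever the allow-list says (added check).
WEAK_MARKERS = [
    ("RC4", "RC4 stream cipher"),
    ("MD5", "MD5 MAC"),
    ("NULL", "null encryption or null authentication"),
    ("EXP", "export-grade key length"),
    ("ADH", "anonymous DH, no server authentication"),
    ("AECDH", "anonymous ECDH, no server authentication"),
]

# One sslscan line of the form "Accepted  TLSv1  128 bits  AES128-SHA".
ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")


class Accepted(NamedTuple):
    proto: str
    bits: int
    cipher: str


def parse_sslscan(output: str) -> list[Accepted]:
    """Return every 'Accepted' line as a record; all other lines are ignored."""
    records = []
    for line in output.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            records.append(Accepted(m.group(1), int(m.group(2)), m.group(3)))
    return records


def audit(output: str, expected: set[str] = EXPECTED_CIPHERS) -> dict:
    """Compare what the listener actually negotiated with what was configured."""
    records = parse_sslscan(output)
    accepted = {r.cipher for r in records}
    weak: dict[str, list[str]] = {}
    for cipher in sorted(accepted):
        reasons = [why for marker, why in WEAK_MARKERS if marker in cipher]
        if reasons:
            weak[cipher] = reasons
    return {
        "accepted": accepted,
        "unexpected": accepted - expected,  # the directive should have removed these
        "missing": expected - accepted,     # allow-listed but not negotiable
        "weak": weak,
        "low_bits": {r.cipher for r in records if r.bits < 112},
        "sslv3": any(r.proto == "SSLv3" for r in records),
        "policy_applied": accepted == expected,  # True only if 'ciphers' took effect
    }


def report(name: str, output: str) -> str:
    """One line per finding, suitable for a CI log."""
    r = audit(output)
    lines = [f"{name}: ciphers directive applied = {r['policy_applied']}"]
    lines += [f"  unexpected {c}" for c in sorted(r["unexpected"])]
    lines += [f"  missing    {c}" for c in sorted(r["missing"])]
    lines += [f"  weak       {c}: {', '.join(why)}" for c, why in r["weak"].items()]
    lines += [f"  <112 bits  {c}" for c in sorted(r["low_bits"])]
    if r["sslv3"]:
        lines.append("  SSLv3 handshakes accepted")
    return "\n".join(lines)


# Sample input: the issue's own 'Accepted' lines (VM run in full, warden run
# abridged to a dozen of its TLSv1 lines).
SAMPLE_VM = """\
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
"""
SAMPLE_WARDEN = """\
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  SEED-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
"""

if __name__ == "__main__":
    print(report("hetzner-vm", SAMPLE_VM))
    print(report("bosh-lite-warden", SAMPLE_WARDEN))
```

To derive the allow-list for a different cipher string instead of copying it from a known-good scan, run `openssl ciphers -v '<string>'` on the same OpenSSL build the proxy links against; the names it prints are what EXPECTED_CIPHERS should contain. Note that the "correct" VM output still passes `policy_applied` while the audit flags SSLv3 and 56-bit DES, since those are permitted by the cipher string as written rather than by a failure to apply it.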

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this. You can view the current status of your issue at: https://www.pivotaltracker.com/story/show/76686530.

@cppforlife
Contributor

Could you include ifconfig output from the haproxy vm. Do you have multiple bosh-lite boxes running on your machine?

@james-masson
Author

I don't have access to that machine anymore, sorry.
There was only one BOSH-lite running. Stock CF177, fresh 'vagrant up' from github.

It looked like an artifact of how the openssl libraries were being used or how they were being addressed. Ran out of customer time to troubleshoot.

Can you confirm you can reproduce? It's a 30 sec change/test. Seriously odd bug!

James M
