Do not serve certificate content for Non-SSL routes #14621
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@rajatchopra @knobunc First part, haproxy-template.conf change. PTAL |
|
@knobunc @rajatchopra @JacobTanenbaum Added command option PTAL |
knobunc
requested changes
Jun 14, 2017
| @@ -204,7 +204,7 @@ backend be_sni | |||
|
|
|||
| frontend fe_sni | |||
| # terminate ssl on edge | |||
| bind 127.0.0.1:{{env "ROUTER_SERVICE_SNI_PORT" "10444"}} ssl no-sslv3 {{ if gt (len .DefaultCertificate) 0 }}crt {{.DefaultCertificate}}{{ else }}crt /var/lib/haproxy/conf/default_pub_keys.pem{{ end }} crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy | |||
| bind 127.0.0.1:{{env "ROUTER_SERVICE_SNI_PORT" "10444"}} ssl no-sslv3 {{ if matchPattern "true|TRUE" (env "ROUTER_STRICT_SNI" "") -}} strict-sni {{ end }}{{ if gt (len .DefaultCertificate) 0 }}crt {{.DefaultCertificate}}{{ else }}crt /var/lib/haproxy/conf/default_pub_keys.pem{{ end }} crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy | |||
There was a problem hiding this comment.
It looks right to me, but I'd like to see some whitespace so I can follow what we are doing a little more clearly:
bind 127.0.0.1:{{env "ROUTER_SERVICE_SNI_PORT" "10444"}} ssl no-sslv3
{{- if matchPattern "true|TRUE" (env "ROUTER_STRICT_SNI" "") }} strict-sni {{ end }}
{{- if gt (len .DefaultCertificate) 0 }} crt {{.DefaultCertificate}} {{ else }} crt /var/lib/haproxy/conf/default_pub_keys.pem {{ end }}
{{- ""}} crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy
|
@openshift/networking PTAL |
knobunc
changed the title
|
@knobunc PTAL |
knobunc
reviewed
Jun 14, 2017
| @@ -44,6 +44,8 @@ os::cmd::expect_failure_and_text 'oadm router --dry-run --host-network=false --h | |||
| os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --max-connections=14583 -o yaml' '14583' | |||
| # ciphers | |||
| os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --ciphers=modern -o yaml' 'modern' | |||
| # strict-sni | |||
| os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --strict-sni -o yaml' 'ROUTER_STRICT_SNI' | |||
There was a problem hiding this comment.
Is this check sufficient? You always set the variable, but to true or false as appropriate.
There was a problem hiding this comment.
I think you should check the value
pravisankar
reviewed
Jun 14, 2017
| @@ -204,7 +204,10 @@ backend be_sni | |||
|
|
|||
| frontend fe_sni | |||
| # terminate ssl on edge | |||
| bind 127.0.0.1:{{env "ROUTER_SERVICE_SNI_PORT" "10444"}} ssl no-sslv3 {{ if gt (len .DefaultCertificate) 0 }}crt {{.DefaultCertificate}}{{ else }}crt /var/lib/haproxy/conf/default_pub_keys.pem{{ end }} crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy | |||
| bind 127.0.0.1:{{env "ROUTER_SERVICE_SNI_PORT" "10444"}} ssl no-sslv3 | |||
| {{- if matchPattern "true|TRUE" (env "ROUTER_STRICT_SNI" "") }} strict-sni {{ end }} | |||
There was a problem hiding this comment.
Will this end up putting 'strict-sni' on the same line as 'bind 127.0.0.1'? (Assuming {{-' only removes leading spaces)
rajatchopra
approved these changes
Jun 14, 2017
| @@ -204,7 +204,10 @@ backend be_sni | |||
|
|
|||
| frontend fe_sni | |||
| # terminate ssl on edge | |||
| bind 127.0.0.1:{{env "ROUTER_SERVICE_SNI_PORT" "10444"}} ssl no-sslv3 {{ if gt (len .DefaultCertificate) 0 }}crt {{.DefaultCertificate}}{{ else }}crt /var/lib/haproxy/conf/default_pub_keys.pem{{ end }} crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy | |||
| bind 127.0.0.1:{{env "ROUTER_SERVICE_SNI_PORT" "10444"}} ssl no-sslv3 | |||
| {{- if matchPattern "true|TRUE" (env "ROUTER_STRICT_SNI" "") }} strict-sni {{ end }} | |||
There was a problem hiding this comment.
Will this collapse on the previous line? not sure how the white-space collapse works.
All else looks good.
|
[test] |
|
@pecameron Can you split this change into 2 commits. One commit for the actual change and another commit for the auto generated stuff that way it will be cleaner. |
|
@pravisankar is that safe? Won't one commit fail tests because the autogen stuff isn't current? Thus it will break bisect? Or are you asking that we do it for the PR only and then squash before it is merged? |
By default, when a host does not resolve to a route in a HTTPS or tls sni request, the default cert is returned to the caller as part of the 503 response. This exposes the default cert and may pose security concerns. Haproxy strict-sni option to bind suppresses use of the default cert. This adds a new environment variable to the router deployment controller, ROUTER_STRICT_SNI, to control bind processing. When set to "true" or "TRUE", "strict-sni" is added to the bind. Default is "false". oc adm router --strict-sni sets ROUTER_STRICT_SNI="true" bug 1369865 https://bugzilla.redhat.com/show_bug.cgi?id=1369865
| @@ -44,6 +44,8 @@ os::cmd::expect_failure_and_text 'oadm router --dry-run --host-network=false --h | |||
| os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --max-connections=14583 -o yaml' '14583' | |||
| # ciphers | |||
| os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --ciphers=modern -o yaml' 'modern' | |||
| # strict-sni | |||
| os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --strict-sni -o yaml' 'ROUTER_STRICT_SNI' | |||
There was a problem hiding this comment.
I think you should check the value
|
On Wed, Jun 14, 2017 at 12:08 PM, Ben Bennett ***@***.***> wrote:
@pravisankar <https://github.com/pravisankar> is that safe? Won't one
commit fail tests because the autogen stuff isn't current? Thus it will
break bisect? Or are you asking that we do it for the PR only and then
squash before it is merged?
No, it won't break. Test/Merge is performed on the entire changes rebased
on master. This was suggested on my PR long time back and I have seen
others following this convention (just grep for 'generated' in 'git log'
output).
… —
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#14621 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABM0hi5NHy090OC9koQanBbPfbTgjJj_ks5sEC-rgaJpZM4N49tj>
.
|
|
[merge][severity: blocker] |
|
Evaluated for origin test up to e8638ae |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2240/) (Base Commit: 0be6aee) |
|
Yes it does put strict-sni on the bind line (I verified this)
…On 06/14/2017 02:53 PM, Ravi Sankar Penta wrote:
***@***.**** commented on this pull request.
------------------------------------------------------------------------
In images/router/haproxy/conf/haproxy-config.template
<#14621 (comment)>:
> @@ -204,7 +204,10 @@ backend be_sni
frontend fe_sni
# terminate ssl on edge
- bind 127.0.0.1:{{env "ROUTER_SERVICE_SNI_PORT" "10444"}} ssl no-sslv3 {{ if gt (len .DefaultCertificate) 0 }}crt {{.DefaultCertificate}}{{ else }}crt /var/lib/haproxy/conf/default_pub_keys.pem{{ end }} crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy
+ bind 127.0.0.1:{{env "ROUTER_SERVICE_SNI_PORT" "10444"}} ssl no-sslv3
+ {{- if matchPattern "true|TRUE" (env "ROUTER_STRICT_SNI" "") }} strict-sni {{ end }}
Will this end up putting 'strict-sni' on the same line as 'bind
127.0.0.1'? (Assuming {{-' only removes leading spaces)
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#14621 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ANUgeru4Av6pcb7GkeCejd7DVYmB5mhqks5sECwMgaJpZM4N49tj>.
|
|
Evaluated for origin merge up to e8638ae |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/1017/) (Base Commit: 6d961d6) (PR Branch Commit: e8638ae) (Extended Tests: blocker) (Image: devenv-rhel7_6366) |
pecameron
added a commit
to pecameron/openshift-docs
that referenced
this pull request
Jun 16, 2017
Openshift 3.6 By default, when a host does not resolve to a route in a HTTPS or tls sni request, the default cert is returned to the caller as part of the 503 response. This exposes the default cert and may pose security concerns. Haproxy strict-sni option to bind suppresses use of the default cert. This adds a new environment variable to the router deployment controller, ROUTER_STRICT_SNI, to control bind processing. When set to "true" or "TRUE", "strict-sni" is added to the bind. Default is "false". oc adm router --strict-sni sets ROUTER_STRICT_SNI="true" origin PR 14621 openshift/origin#14621 bug 1369865 https://bugzilla.redhat.com/show_bug.cgi?id=1369865
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By default, when a host does not resolve to a route in a HTTPS or tls
sni request, the default cert is returned to the caller as part of the
503 response. This exposes the default cert and may pose security
concerns. Haproxy strict-sni option to bind suppresses use of the
default cert.
This adds a new environment variable to the router deployment controller,
ROUTER_STRICT_SNI, to control bind processing. When set to "true" or
"TRUE", "strict-sni" is added to the bind. Default is "false".
oc adm router --strict-sni sets ROUTER_STRICT_SNI="true"
bug 1369865
https://bugzilla.redhat.com/show_bug.cgi?id=1369865