
HAproxy and varnish misreport the authentication mechanism used in TLSv1.3 traffic
Closed, ResolvedPublic

Description

Using openssl s_client to force the usage of the RSA certificate with TLSv1.3:

vgutierrez@traffic-cache-upload-bullseye:~$ echo -e "GET /\r\nHost: 127.0.0.1:443\r\n\r\n" | openssl s_client -tls1_3 -sigalgs "RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1"  -connect 127.0.0.1:443 2>&1 |grep -i "Peer Signature Type"
Peer signature type: RSA-PSS

haproxy sends the following x-analytics-tls header:

ReqHeader      x-analytics-tls: vers=TLSv1.3;keyx=unknown;auth=ECDSA;ciph=AES-256-GCM-SHA384;prot=h1;sess=new

For varnish the same issue is there, given that it's only using the X-Connection-Properties header, and right now it attempts to infer the authentication mechanism from the ciphersuite, which is no longer possible with TLSv1.3.
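The root cause described above is that pre-TLSv1.3 cipher suite names encode the authentication algorithm (ECDHE-ECDSA-..., ECDHE-RSA-...), while TLSv1.3 suite names only describe the AEAD and hash, so anything that infers "auth" from the suite name silently falls back to a wrong default. The following is an added example, not code from this task or from Wikimedia's haproxy/varnish puppet configuration: it models the broken inference beside the corrected logic that prefers an explicit auth field populated by the TLS terminator. The header samples are constructed from the x-analytics-tls format quoted in the task; the idea that the explicit value arrives as an `auth=` field on the connection-properties string is an assumption, since the task does not spell out the exact syntax of the KA field.

```python
from typing import Dict, Optional

# Constructed samples, modelled on the x-analytics-tls header quoted in the task.
# They are not real captures from Wikimedia's edge.
SAMPLES = {
    "tls12_ecdsa": "vers=TLSv1.2;keyx=ECDHE;ciph=ECDHE-ECDSA-AES128-GCM-SHA256;prot=h2;sess=new",
    "tls12_rsa": "vers=TLSv1.2;keyx=ECDHE;ciph=ECDHE-RSA-AES256-GCM-SHA384;prot=h1;sess=new",
    # TLSv1.3 with an RSA certificate: the suite name carries no auth information.
    "tls13_rsa": "vers=TLSv1.3;keyx=unknown;ciph=AES-256-GCM-SHA384;prot=h1;sess=new",
    # Same connection, but the TLS terminator now reports auth explicitly
    # (assumed field name/encoding, see lead-in).
    "tls13_rsa_explicit": "vers=TLSv1.3;keyx=unknown;auth=RSA;ciph=AES-256-GCM-SHA384;prot=h1;sess=new",
}


def parse_props(header: str) -> Dict[str, str]:
    """Split a 'k=v;k=v' connection-properties string into a dict."""
    props: Dict[str, str] = {}
    for field in header.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def auth_from_ciphersuite(ciph: str) -> Optional[str]:
    """Return the auth algorithm embedded in an OpenSSL-style suite name, or None.

    Works for TLSv1.2 and earlier (ECDHE-ECDSA-..., DHE-RSA-...). TLSv1.3 names
    such as TLS_AES_256_GCM_SHA384 contain no auth token, so None is returned.
    """
    parts = ciph.upper().replace("_", "-").split("-")
    if "ECDSA" in parts:
        return "ECDSA"
    if "RSA" in parts:
        return "RSA"
    return None


def legacy_auth(header: str) -> str:
    """The broken behaviour from the task: infer auth from the suite name and
    default to ECDSA when nothing matches, which misreports TLSv1.3 RSA sessions."""
    return auth_from_ciphersuite(parse_props(header).get("ciph", "")) or "ECDSA"


def fixed_auth(header: str) -> str:
    """Corrected logic: trust an explicit auth field from the TLS terminator,
    fall back to suite-name inference only below TLSv1.3, otherwise say 'unknown'
    instead of guessing."""
    props = parse_props(header)
    explicit = props.get("auth")
    if explicit and explicit.lower() != "unknown":
        return explicit
    # Lexicographic comparison is adequate for the TLSv1.0 .. TLSv1.3 strings.
    if props.get("vers", "") < "TLSv1.3":
        inferred = auth_from_ciphersuite(props.get("ciph", ""))
        if inferred:
            return inferred
    return "unknown"


def compare_all() -> Dict[str, Dict[str, str]]:
    """Side-by-side report of legacy vs fixed reporting for every sample."""
    return {
        name: {"legacy": legacy_auth(hdr), "fixed": fixed_auth(hdr)}
        for name, hdr in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in compare_all().items():
        print(f"{name:20s} legacy={result['legacy']:8s} fixed={result['fixed']}")
```

Running the block shows `tls13_rsa` reported as ECDSA by the legacy path (the misreport in the task) and as `unknown` by the fixed path until the terminator supplies the explicit field, at which point it becomes RSA; TLSv1.2 sessions are classified identically by both paths.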

Event Timeline

Vgutierrez moved this task from Backlog to Traffic team actively servicing on the Traffic board.
Vgutierrez renamed this task from HAproxy misreports the authentication mecanism in TLSv1.3 traffic to HAproxy and varnish misreport the authentication mechanism used in TLSv1.3 traffic. Sep 26 2024, 7:40 AM
Vgutierrez updated the task description.

Change #1075849 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] varnish: Prepare for KA field on X-Connection-Properties

https://gerrit.wikimedia.org/r/1075849

Change #1075853 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] haproxy: Fix RSA usage reporting for TLSv1.3

https://gerrit.wikimedia.org/r/1075853

Change #1075858 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] varnish: Use XCP KA field to report TLS auth data

https://gerrit.wikimedia.org/r/1075858

Change #1075849 merged by Vgutierrez:

[operations/puppet@production] varnish: Prepare for KA field on X-Connection-Properties

https://gerrit.wikimedia.org/r/1075849

Change #1075853 merged by Vgutierrez:

[operations/puppet@production] haproxy: Fix RSA usage reporting for TLSv1.3

https://gerrit.wikimedia.org/r/1075853

Change #1075880 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] haproxy: Fix XCP value syntax

https://gerrit.wikimedia.org/r/1075880

Change #1075880 merged by Vgutierrez:

[operations/puppet@production] haproxy: Fix XCP value syntax

https://gerrit.wikimedia.org/r/1075880

Change #1075858 merged by Vgutierrez:

[operations/puppet@production] varnish: Use XCP KA field to report TLS auth data

https://gerrit.wikimedia.org/r/1075858

```
-   ReqUnset       x-tls-prot: h1
-   ReqUnset       x-tls-vers: TLSv1.3
-   ReqUnset       x-tls-sess: new
-   ReqUnset       x-tls-keyx: UNKNOWN
-   ReqUnset       x-tls-auth: RSA
-   ReqUnset       x-tls-ciph: AES-128-GCM-SHA256
```

We should start getting RSA data for TLSv1.3 as soon as puppet runs on the cp nodes.