From 93cc23a35561cd89b353143d20962dd86aa82a9c Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 5 Jun 2024 11:37:14 +0200 Subject: [PATCH] BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration The ClientHello Callback which is used for certificate selection uses both the signature algorithms and the ciphers sent by the client. However, when a client is announcing both ECDSA and RSA capabilities with ECSDA ciphers that are not available on haproxy side and RSA ciphers that are compatibles, the ECDSA certificate will still be used but this will result in a "no shared cipher" error, instead of a fallback on the RSA certificate. For example, a client could send 'ECDHE-ECDSA-AES128-CCM:ECDHE-RSA-AES256-SHA and HAProxy could be configured with only 'ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA'. This patch fixes the issue by validating that at least one ECDSA cipher is available on both side before chosing the ECDSA certificate. This must be backported on all stable versions. --- src/ssl_sock.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index e6bf3ff179ad..94f950e489d0 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2268,10 +2268,14 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg) } if (has_ecdsa_sig) { /* in very rare case: has ecdsa sign but not a ECDSA cipher */ const SSL_CIPHER *cipher; + STACK_OF(SSL_CIPHER) *ha_ciphers; /* haproxy side ciphers */ uint32_t cipher_id; size_t len; const uint8_t *cipher_suites; + + ha_ciphers = SSL_get_ciphers(ssl); has_ecdsa_sig = 0; + #ifdef OPENSSL_IS_BORINGSSL len = ctx->cipher_suites_len; cipher_suites = ctx->cipher_suites; @@ -2290,6 +2294,10 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg) if (!cipher) continue; + /* check if this cipher is available in haproxy configuration */ + if (sk_SSL_CIPHER_find(ha_ciphers, cipher) == -1) + continue; + cipher_id = SSL_CIPHER_get_id(cipher); /* skip the SCSV "fake" signaling ciphersuites because they are NID_auth_any (RFC 7507) */ if (cipher_id == SSL3_CK_SCSV || cipher_id == SSL3_CK_FALLBACK_SCSV)