httpd.conf configuration mismatch when setting ticket lifetime w/ servers sharing a cert

Landry Breuil-5
Hi,

on ftp.fr we use httpd on 6.2.

The config more or less looks like:

server "default" {
        alias distfiles.bsdfrog.org
        listen on egress port www
        location "/*" {
                block return 301 "https://$SERVER_NAME$REQUEST_URI"
        }

}

server "distfiles.bsdfrog.org" {
        listen on egress tls port https
        root "/distfiles"
#       tls ticket lifetime 1800
        tls certificate "/etc/ssl/pond.obspm.bsdfrog.org.crt"
        tls key "/etc/ssl/private/pond.obspm.bsdfrog.org.key"
}

server "ftp.fr.openbsd.org" {
        listen on egress port www
        listen on egress tls port https
        root "/mirror/ftp"
#       tls ticket lifetime 1800
        tls certificate "/etc/ssl/pond.obspm.bsdfrog.org.crt"
        tls key "/etc/ssl/private/pond.obspm.bsdfrog.org.key"
}


Which works fine with https on the different vhosts. But as soon as I uncomment
the tls ticket lifetime lines, httpd -nvv complains about configuration
mismatch:

server_tls_load_keypair: using certificate /etc/ssl/pond.obspm.bsdfrog.org.crt
server_tls_load_keypair: using private key /etc/ssl/private/pond.obspm.bsdfrog.org.key
/etc/httpd.conf:37: server "ftp.fr.openbsd.org": tls configuration mismatch on same address/port

which comes from
https://github.com/openbsd/src/blob/master/usr.sbin/httpd/parse.y#L319 - and
there I don't see what could mismatch here.. Broken comparison on integers?
Same thing with 'default' for the value (without quotes) or

tls {
 ticket lifetime 1800
 certificate "/etc/ssl/pond.obspm.bsdfrog.org.crt"
 key "/etc/ssl/private/pond.obspm.bsdfrog.org.key"
}

which afaiui should be equivalent. Of course the ssl cert has all the necessary
altnames.

Anyone having a clue? Running a similar config without issue?

Landry


Re: httpd.conf configuration mismatch when setting ticket lifetime w/ servers sharing a cert

Landry Breuil-5
On Fri, Feb 09, 2018 at 07:54:22PM +0100, Landry Breuil wrote:

> Hi,
>
> on ftp.fr we use httpd on 6.2.
>
> The config more or less looks like:
>
> server "default" {
>         alias distfiles.bsdfrog.org
>         listen on egress port www
>         location "/*" {
>                 block return 301 "https://$SERVER_NAME$REQUEST_URI"
>         }
>
> }
>
> server "distfiles.bsdfrog.org" {
>         listen on egress tls port https
>         root "/distfiles"
> #       tls ticket lifetime 1800
>         tls certificate "/etc/ssl/pond.obspm.bsdfrog.org.crt"
>         tls key "/etc/ssl/private/pond.obspm.bsdfrog.org.key"
> }
>
> server "ftp.fr.openbsd.org" {
>         listen on egress port www
>         listen on egress tls port https
>         root "/mirror/ftp"
> #       tls ticket lifetime 1800
>         tls certificate "/etc/ssl/pond.obspm.bsdfrog.org.crt"
>         tls key "/etc/ssl/private/pond.obspm.bsdfrog.org.key"
> }
>
>
> Which works fine with https on the different vhosts. But as soon as I uncomment
> the tls ticket lifetime lines, httpd -nvv complains about configuration
> mismatch:
>
> server_tls_load_keypair: using certificate /etc/ssl/pond.obspm.bsdfrog.org.crt
> server_tls_load_keypair: using private key /etc/ssl/private/pond.obspm.bsdfrog.org.key
> /etc/httpd.conf:37: server "ftp.fr.openbsd.org": tls configuration mismatch on same address/port

I think I've found the bug - it manifests only if there are 3 server
definitions sharing a cert, not with 2. Will dig further.

Landry


Re: httpd.conf configuration mismatch when setting ticket lifetime w/ servers sharing a cert

Landry Breuil-5
On Fri, Feb 09, 2018 at 09:40:33PM +0100, Landry Breuil wrote:
> On Fri, Feb 09, 2018 at 07:54:22PM +0100, Landry Breuil wrote:
> > Hi,

I think I found it with some printf-debugging...

If the default vhost has no tls config, and any of the other vhosts has some
non-default tls config (for protocols, ticket, dhe, ciphers..), the
server_match() function will return the default vhost for 's', and then parse.y
unconditionally compares the tls config for s and the current server - as the
default vhost has no tls config, of course they won't match.

My idea would be to compare the tls configs only if the default vhost has a tls
config.. but I'm not sure that's the way to go, since I'm not sure I understand
the rationale about comparing tls configs. Any httpd/ssl experts? joel, I
think it is this way since r1.79...

With this diff, i can validate a config that would previously error out. I'm not
sure this is the way to go of course.

Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.92
diff -u -r1.92 parse.y
--- parse.y     28 Aug 2017 06:00:05 -0000      1.92
+++ parse.y     9 Feb 2018 22:40:20 -0000
@@ -316,7 +316,8 @@
                                        free(srv);
                                        YYERROR;
                                }
-                               if (server_tls_cmp(s, srv, 0) != 0) {
+                               if ((s->srv_conf.flags & SRVFLAG_TLS) &&
+                                   (server_tls_cmp(s, srv, 0) != 0)) {
                                        yyerror("server \"%s\": tls "
                                            "configuration mismatch on same "
                                            "address/port",
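Review bot: the new guard at `if ((s->srv_conf.flags & SRVFLAG_TLS) &&` is one-sided: it skips server_tls_cmp() whenever the previously matched server `s` lacks the TLS flag, but still runs the comparison when `s` is TLS-enabled and `srv` is the plain-HTTP listener on the same address/port, so whether a config validates depends on which server block the parser sees first. Consider running the comparison only when both `s` and `srv` carry SRVFLAG_TLS, and adding a short comment above the condition stating why a non-TLS match is not treated as a mismatch.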

Landry
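A simplified model of the parse.y check described in the post above, added here as an example and not httpd's own code: it replays the three-server config from the first post with ticket lifetime uncommented, once with the unconditional comparison and once with the diff's guard. Port numbers, the SRVFLAG_TLS value and the one-entry-per-listen layout are assumptions.

```c
/* Simplified model of the parse.y check described in the post above, not
 * httpd's code. Each listen line is one entry; ports and flag value are assumed. */
#include <string.h>
#define SRVFLAG_TLS 0x01 /* name from the diff; the value is assumed */
struct srv {
    const char *name;
    int port;            /* www = 80, https = 443 */
    unsigned flags;      /* SRVFLAG_TLS when the block carries tls settings */
    int ticket_lifetime; /* 0 = default, 1800 = "tls ticket lifetime 1800" */
};

/* Stand-in for server_match(): first earlier entry on the same port. */
static const struct srv *server_match(const struct srv *list, size_t idx)
{
    for (size_t i = 0; i < idx; i++)
        if (list[i].port == list[idx].port)
            return &list[i];
    return NULL;
}
/* Stand-in for server_tls_cmp(): only the ticket lifetime is modelled. */
static int server_tls_cmp(const struct srv *a, const struct srv *b)
{
    return a->ticket_lifetime != b->ticket_lifetime;
}

/* Name of the first rejected entry, or NULL when the config validates.
 * gated == 0: compare unconditionally (parse.y before the diff);
 * gated == 1: skip when the matched server has no TLS flag (the diff). */
static const char *validate(const struct srv *list, size_t n, int gated)
{
    for (size_t i = 1; i < n; i++) {
        const struct srv *s = server_match(list, i);
        if (s == NULL || (gated && !(s->flags & SRVFLAG_TLS)))
            continue;
        if (server_tls_cmp(s, &list[i]) != 0)
            return list[i].name;
    }
    return NULL;
}
/* Constructed from the first post's config with ticket lifetime uncommented. */
static const struct srv ftp_fr_config[] = {
    { "default",               80,  0,           0    },
    { "distfiles.bsdfrog.org", 443, SRVFLAG_TLS, 1800 },
    { "ftp.fr.openbsd.org",    80,  SRVFLAG_TLS, 1800 }, /* listen on egress port www */
    { "ftp.fr.openbsd.org",    443, SRVFLAG_TLS, 1800 }, /* listen on egress tls port https */
};

const char *check_unpatched(void) { return validate(ftp_fr_config, 4, 0); }
const char *check_patched(void)   { return validate(ftp_fr_config, 4, 1); }
```

The unpatched pass rejects the "ftp.fr.openbsd.org" www entry because its match is the default vhost, whose (absent) ticket setting differs; the gated pass skips that comparison and validates the config.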


Re: httpd.conf configuration mismatch when setting ticket lifetime w/ servers sharing a cert

Anton Lindqvist-2
On Sat, Feb 10, 2018 at 12:02:07AM +0100, Landry Breuil wrote:

> On Fri, Feb 09, 2018 at 09:40:33PM +0100, Landry Breuil wrote:
> > On Fri, Feb 09, 2018 at 07:54:22PM +0100, Landry Breuil wrote:
> > > Hi,
>
> I think I found it with some printf-debugging...
>
> If the default vhost has no tls config, and any of the other vhosts has some
> non-default tls config (for protocols, ticket, dhe, ciphers..), the
> server_match() function will return the default vhost for 's', and then parse.y
> unconditionally compares the tls config for s and the current server - as the
> default vhost has no tls config, of course they won't match.
>
> My idea would be to compare the tls configs only if the default vhost has a tls
> config.. but I'm not sure that's the way to go, since I'm not sure I understand
> the rationale about comparing tls configs. Any httpd/ssl experts? joel, I
> think it is this way since r1.79...
>
> With this diff, i can validate a config that would previously error out. I'm not
> sure this is the way to go of course.

Haven't been able to figure out the correct solution yet. But, swapping
the two listen directives for ftp.fr.openbsd.org makes the configuration
valid. Doing this will cause the HTTP host to be treated as a host alias
internally, as opposed to treating the HTTPS host as an alias.