commit e18d4e82862eb5c9b54b89f85d4c3b7c82d7395e
author William Lallemand <wlallemand@haproxy.org> Wed Nov 17 02:59:21 2021 +0100
committer William Lallemand <wlallemand@haproxy.org> Fri Nov 19 03:58:30 2021 +0100
tree 4c642db0def97ddbaa14f63856a6dd387873bde3
parent f673923629ce7b65c14a19c68c7265f82dd4f21b

BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3

When establishing an outboud connection, haproxy checks if the cached
TLS session has the same SNI as the connection we are trying to
resume.

This test was done by calling SSL_get_servername() which in TLSv1.2
returned the SNI. With TLSv1.3 this is not the case anymore and this
function returns NULL, which invalidates any outboud connection we are
trying to resume if it uses the sni keyword on its server line.

This patch fixes the problem by storing the SNI in the "reused_sess"
structure beside the session itself.

The ssl_sock_set_servername() now has a RWLOCK because this session
cache entry could be accessed by the CLI when trying to update a
certificate on the backend.

This fix must be backported in every maintained version, however the
RWLOCK only exists since version 2.4.

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bc515cc..42a4772 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4128,8 +4128,10 @@
 	if (!(s->ssl_ctx.options & SRV_SSL_O_NO_REUSE)) {
 		int len;
 		unsigned char *ptr;
+		const char *sni;
 
 		len = i2d_SSL_SESSION(sess, NULL);
+		sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
 		HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
 		if (s->ssl_ctx.reused_sess[tid].ptr && s->ssl_ctx.reused_sess[tid].allocated_size >= len) {
 			ptr = s->ssl_ctx.reused_sess[tid].ptr;
@@ -4142,6 +4144,18 @@
 			s->ssl_ctx.reused_sess[tid].size = i2d_SSL_SESSION(sess,
 			    &ptr);
 		}
+
+		if (s->ssl_ctx.reused_sess[tid].sni) {
+			/* if the new sni is empty or isn' t the same as the old one */
+			if ((!sni) || strcmp(s->ssl_ctx.reused_sess[tid].sni, sni) != 0) {
+				ha_free(&s->ssl_ctx.reused_sess[tid].sni);
+				if (sni)
+					s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
+			}
+		} else if (sni) {
+			/* if there wasn't an old sni but there is a new one */
+			s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
+		}
 		HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
 	} else {
 		HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
@@ -5163,8 +5177,10 @@
 	if (srv->ssl_ctx.reused_sess) {
 		int i;
 
-		for (i = 0; i < global.nbthread; i++)
+		for (i = 0; i < global.nbthread; i++) {
 			ha_free(&srv->ssl_ctx.reused_sess[i].ptr);
+			ha_free(&srv->ssl_ctx.reused_sess[i].sni);
+		}
 		ha_free(&srv->ssl_ctx.reused_sess);
 	}
 
@@ -6555,22 +6571,26 @@
 {
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 	struct ssl_sock_ctx *ctx;
-
+	struct server *s;
 	char *prev_name;
 
 	if (!conn_is_ssl(conn))
 		return;
 	ctx = conn->xprt_ctx;
+	s = __objt_server(conn->target);
 
 	/* if the SNI changes, we must destroy the reusable context so that a
-	 * new connection will present a new SNI. As an optimization we could
-	 * later imagine having a small cache of ssl_ctx to hold a few SNI per
-	 * server.
-	 */
-	prev_name = (char *)SSL_get_servername(ctx->ssl, TLSEXT_NAMETYPE_host_name);
+	 * new connection will present a new SNI. compare with the SNI
+	 * previously stored in the reused_sess */
+	/* the RWLOCK is used to ensure that we are not trying to flush the
+	 * cache from the CLI */
+
+	HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
+	prev_name = s->ssl_ctx.reused_sess[tid].sni;
 	if ((!prev_name && hostname) ||
 	    (prev_name && (!hostname || strcmp(hostname, prev_name) != 0)))
 		SSL_set_session(ctx->ssl, NULL);
+	HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
 
 	SSL_set_tlsext_host_name(ctx->ssl, hostname);
 #endif