problems with TLS offload - unexpected CSTP length

Eugene Istomin E.Istomin at edss.ee
Wed Dec 9 03:13:04 PST 2015


Hello,

we have a problem with TLS offload using HAProxy:

ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 440 byte(s)
ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 56 byte(s)
ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 440 byte(s)
ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 56 byte(s)
ocserv[64521]: worker[vpn_name]: [SOME_IP] received 60 byte(s) (TLS)
ocserv[64521]: worker[vpn_name]: [SOME_IP] writing 52 byte(s) to TUN
ocserv[64521]: worker[vpn_name]: [SOME_IP] received 1070 byte(s) (TLS)
ocserv[64521]: worker[vpn_name]: [SOME_IP] unexpected CSTP length (have 52, should be 1062)
ocserv[64521]: worker[vpn_name]: [SOME_IP] worker-vpn.c:1094: error parsing CSTP data
ocserv[64521]: worker[vpn_name]: [SOME_IP] sending message 'sm: cli stats' to secmod
ocserv[64521]: worker[vpn_name]: [SOME_IP] sent periodic stats (in: 52, out: 1984) to sec-mod


Everything is OK if we switch off TLS offload (haproxy TCP mode & server "localhost:4443").


Here is the configuration:

##ocserv.conf
...
listen-clear-file = /var/lib/haproxy/oc_vpn
listen-proxy-proto = true
tcp-port = 4443
udp-port = 4443
...


#TLS offloaded
## haproxy.conf
...
defaults
    mode http
    timeout connect 10s
    timeout http-request 10s
    timeout http-keep-alive 15s
    timeout client 300s
    timeout server 300s
    timeout queue 90s
    timeout tunnel 1500s
....

frontend http
  bind 0.0.0.0:443 tfo npn http/1.1 ssl crt /etc/ssl/server.both force-tlsv12
  reqadd X-Forwarded-Proto:\ https
  acl is_vpn_prefix path_beg -i /hebs-tln
  reqirep POST\ /hebs-tln POST\ / if is_vpn_prefix
  default_backend vpn_http

backend vpn_http
  server socket unix at oc_vpn send-proxy-v2
....


## Working HaProxy configuration
## no TLS offload
..
frontend tcp
mode tcp
  bind 0.0.0.0:443 tfo npn http/1.1 
  default_backend vpn_tcp

backend vpn_tcp
mode tcp
  server  localhost:4443 localhost:4443 send-proxy-v2
..

---
Best regards,
Eugene Istomin
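To make the "unexpected CSTP length (have 52, should be 1062)" line easier to read, here is a small added CSTP framing check (example code written for this page, not ocserv's or HAProxy's code). It assumes the standard 8-byte CSTP header (b"STF\x01", 16-bit big-endian payload length, type byte, zero byte), that "have" is the length claimed by the header while "should be" is the record size minus the header (1070 - 8 = 1062 in the log), and it constructs a record of two back-to-back frames that reproduces exactly those numbers; whether coalescing is the actual cause in the reporter's setup is not established by the post.

```python
import struct

CSTP_HDR_LEN = 8  # b"STF\x01" + u16 big-endian payload length + u8 type + 0x00
CSTP_DATA = 0x00  # data frame type (other types exist, e.g. DPD and keepalive)

def make_frame(ftype: int, payload: bytes) -> bytes:
    """Build one CSTP frame (helper for constructing test input)."""
    return b"STF\x01" + struct.pack(">H", len(payload)) + bytes([ftype, 0]) + payload

def check_record(record: bytes):
    """One-frame-per-record check in the style of the ocserv log line.
    Returns (payload_len, None) on success or (None, diagnostic) on mismatch."""
    if len(record) < CSTP_HDR_LEN or record[:4] != b"STF\x01":
        return None, "bad CSTP header"
    have = struct.unpack(">H", record[4:6])[0]   # length claimed by the header
    should = len(record) - CSTP_HDR_LEN          # payload bytes actually present
    if have != should:
        return None, f"unexpected CSTP length (have {have}, should be {should})"
    return have, None

def split_frames(record: bytes):
    """Tolerant variant: walk consecutive whole frames inside one record.
    Returns (list of (type, payload), leftover bytes of an incomplete frame)."""
    frames, off = [], 0
    while len(record) - off >= CSTP_HDR_LEN and record[off:off + 4] == b"STF\x01":
        length = struct.unpack(">H", record[off + 4:off + 6])[0]
        ftype = record[off + 6]
        end = off + CSTP_HDR_LEN + length
        if end > len(record):
            break  # frame continues in the next record; keep it as leftover
        frames.append((ftype, record[off + CSTP_HDR_LEN:end]))
        off = end
    return frames, record[off:]

if __name__ == "__main__":
    # Constructed records mirroring the byte counts in the log above.
    ok = make_frame(CSTP_DATA, b"A" * 52)                 # 60 bytes: "received 60 byte(s)"
    coalesced = ok + make_frame(CSTP_DATA, b"B" * 1002)   # 60 + 1010 = 1070 bytes
    print(check_record(ok))          # (52, None)
    print(check_record(coalesced))   # (None, 'unexpected CSTP length (have 52, should be 1062)')
    print([(t, len(p)) for t, p in split_frames(coalesced)[0]])  # [(0, 52), (0, 1002)]
```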