co-hosting ocserv and https on the same port.

Sun Jan 11 05:49:58 PST 2015

Hi Nikos,

I'm using req.ssl_sni directives with haproxy, on tcp mode. Myconfiguration is:

frontend port-443
        bind 0.0.0.0:443
        mode tcp

        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }

        default_backend tls-out

backend tls-out
        mode tcp

        stick-table type binary len 32 size 30k expire 24h
        option tcplog
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        acl 0_ocserv req.ssl_sni -i sslvpn.<hostname>
        acl 1_nginx  req.ssl_sni -i blog.<hostname>
        acl 2_ipaddr req.ssl_sni -i <ipaddr>
        stick on payload_lv(43,1) if clienthello
        stick on payload_lv(43,1) if clienthello

        use-server ocserv if 0_ocserv or 2_ipaddr
        use-server nginx if 1_nginx

        server ocserv 127.0.0.1:8443
        server nginx 127.0.0.1:7443

However, this only work with OpenConnect client, the reason behind this is lack of stickiness in configuration. As you can see in the log. This problem could be about the stickiness,  or some other magic.
excerpts from log.

2015-01-11 21:29 POST https://<elided hostname>/
2015-01-11 21:29 Attempting to connect to server <elided ipaddr>:443
2015-01-11 21:29 Using certificate file C:/Program Files (x86)/OpenConnect/tmp-certae9960
2015-01-11 21:29 Using private key file C:/Program Files (x86)/OpenConnect/tmp-keylN9960
2015-01-11 21:29 Using client certificate 'mordor'
2015-01-11 21:29 SSL negotiation with <elided hostname>
2015-01-11 21:29 Server certificate verify failed: certificate does not match hostname
2015-01-11 21:29 Connected to HTTPS on <elided hostname>
2015-01-11 21:29 Got HTTP response: HTTP/1.1 200 OK
2015-01-11 21:29 Connection: Keep-Alive
2015-01-11 21:29 Content-Type: text/xml
2015-01-11 21:29 Content-Length: 189
2015-01-11 21:29 X-Transcend-Version: 1
2015-01-11 21:29 Set-Cookie: webvpn=<elided>; Secure
2015-01-11 21:29 Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
2015-01-11 21:29 Set-Cookie: webvpnc=<some sensitive information>; path=/; Secure
2015-01-11 21:29 HTTP body length:  (189)
2015-01-11 21:29 XML POST enabled
2015-01-11 21:29 SSL negotiation with <elided hostname>
2015-01-11 21:29 Server certificate verify failed: certificate does not match hostname
2015-01-11 21:29 Connected to HTTPS on <elided hostname>
2015-01-11 21:29 Got CONNECT response: HTTP/1.1 200 CONNECTED
2015-01-11 21:29 X-CSTP-Version: 1
2015-01-11 21:29 X-CSTP-DPD: 90
2015-01-11 21:29 X-CSTP-Address: 10.88.0.223
2015-01-11 21:29 X-CSTP-Netmask: 255.255.255.0
2015-01-11 21:29 X-CSTP-DNS: 8.8.8.8
2015-01-11 21:29 X-CSTP-DNS: 8.8.4.4
2015-01-11 21:29 X-CSTP-Keepalive: 32400
2015-01-11 21:29 X-CSTP-Idle-Timeout: none
2015-01-11 21:29 X-CSTP-Smartcard-Removal-Disconnect: true
2015-01-11 21:29 X-CSTP-Rekey-Time: 86400
2015-01-11 21:29 X-CSTP-Rekey-Method: ssl
2015-01-11 21:29 X-CSTP-Session-Timeout: none
2015-01-11 21:29 X-CSTP-Disconnected-Timeout: none
2015-01-11 21:29 X-CSTP-Keep: true
2015-01-11 21:29 X-CSTP-TCP-Keepalive: true
2015-01-11 21:29 X-CSTP-Tunnel-All-DNS: false
2015-01-11 21:29 X-CSTP-License: accept
2015-01-11 21:29 X-DTLS-MTU: 1360
2015-01-11 21:29 X-CSTP-MTU: 1360
2015-01-11 21:29 X-CSTP-Split-Exclude: 192.168.0.0/255.255.0.0
2015-01-11 21:29 X-CSTP-Base-MTU: 1500
2015-01-11 21:29 X-DTLS-Session-ID: d79952578d4f3effb84dce4dd9ee7e0128128ddd4bb72304ec1d848f22d18799
2015-01-11 21:29 X-DTLS-DPD: 90
2015-01-11 21:29 X-DTLS-Port: 443
2015-01-11 21:29 X-DTLS-Rekey-Time: 86410
2015-01-11 21:29 X-DTLS-Rekey-Method: ssl
2015-01-11 21:29 X-DTLS-Keepalive: 32400
2015-01-11 21:29 X-DTLS-CipherSuite: OC-DTLS1_2-AES128-GCM
2015-01-11 21:29 X-DTLS-MTU: 1434
2015-01-11 21:29 X-CSTP-MTU: 1434
2015-01-11 21:29 CSTP connected. DPD 90, Keepalive 32400
2015-01-11 21:29 CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP192R1)-(AES-128-GCM)
2015-01-11 21:29 Opened tun device Local Area Connection
2015-01-11 21:29 TAP-Windows driver v9.21 (0)

as for anyconnect, its appears to be connected to random random backends (receiving different certs), I think it's because it connects to the IP directly, and req.ssl_sni doesn't take ip addresses as valid parameters.
on the server side (i configured the client correctly, though):
Jan 11 21:03:06 tokyo1 ocserv[3072]: GnuTLS error (at worker-vpn.c:749): The TLS connection was non-properly terminated.

Warm regards,

Quan

----------------------------------------
> Subject: Re: co-hosting ocserv and https on the same port.
> From: nmav at gnutls.org
> To: qzhou at live.de
> Date: Sun, 11 Jan 2015 11:07:22 +0100
> CC: openconnect-devel at lists.infradead.org
>
> On Sun, 2015-01-11 at 08:26 +0000, Quan Zhou wrote:
>> Hi,
>>
>> I've tried to follow the HAProxy part of the ( http://www.infradead.org/ocserv/multihost.html ) guide, but it wasn't complete, the parts for https server is missing. So I started "trial and error".
>> finally I got a working HAProxy configuration. It works with certificate mode (ssl terminated at ocserv), but I've got a small problem, how am I supposed to let ocserv listen-encrypted on unix socket? (contrary to the listen-cleartext). Thanks!
>
> As it is now you can only listen unencrypted to the unix socket. You can
> forward to the tcp port though, which you already did.
>
> However your example shows that you are using SSL termination on ocserv
> (method 2), rather than method 1. Would you like to write some text on
> how to support method 2 with haproxy to be added in multihost.html?
>
> regards,
> Nikos
>
>
>
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/openconnect-devel