External SSL termination

Alexander Rumyantsev alexander at rumyantsev.com
Tue Sep 23 02:32:13 PDT 2014

23 сент. 2014 г., в 13:08, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> написал(а):

> On Tue, Sep 23, 2014 at 8:42 AM, Alexander Rumyantsev
> <alexander at rumyantsev.com> wrote:
>> Hi!
>> I have ocserv running on RHEL 6.5 and openconnect on OS X 10.9+macports
>> Recently I decided to hide ocserv behind haproxy to separate anyconnect connections from browser connections by User-Agent header.
>> But i couldn't establish connection due to following error: "SSL connection failure: curve not supported"
>> I think that's because of RHEL ships with hobbled OpenSSL (against of which haproxy was built) with very limited elliptic curves support due to RH Legal patent fears.
>> Don't even know how to deal with this, or even it worth of dealing.
> Note that there is also sniproxy, which does not terminate but
> forwards correctly the SSL sessions based on the server name present
> on client hello.
>> P.S. I think the mode of external ssl termination with unix socket support will be very useful in ocserv.
> Do you have some more information on that? Is there a known "protocol"
> to forward SSL connections to another process which listens to unix
> sockets? It would be even more interesting if there was not any
> termination at all and the SSL session was forwarded as is (e.g., via
> file descriptor passing).

I mean pure external SSL termination. I understand, that it limits functionality of ocserv, but in some cases it seems useful to me.
That’s how I see this: openconnect establishes ssl-session with haproxy, which, in its order, establishes pure http session without SSL/TLS with ocserv as a backend through unix socket.

Once again, I want to share IP-address and standard 443 port between ocserv and http-server, using User-Agent http header as a distinguisher.
By now, if haproxy determines OpenConnect/AnyConnect client, it makes an SSL connection to backend, ocserv. It works, but I think it’s a useless CPU overhead in my case.
In case of browser connection, haproxy establishes http session with nginx by unix socket, acting as SSL terminator for http-server.

Haproxy, in TCP mode, of course, can forward SSL session, but in this case I cannot route requests to different backends based on HTTP information.

> regards,
> Nikos

More information about the openconnect-devel mailing list