2

I try to use haproxy to proxy requests to an old LDAP server with really outdated SSL/ciphers .. but ldapsearch always returns an error:

ldap_result: Can't contact LDAP server (-1)

Here is my haproxy config:

global
    log stdout  format raw  local0  debug

frontend ldap-636
  bind 0.0.0.0:636 ssl crt /cert.pem no-sslv3 no-tlsv10 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  mode tcp
  option socket-stats
  option tcplog
  option tcpka
  timeout client 10s
  default_backend ldap-636-origin

backend ldap-636-origin
  log stdout  format raw  local0  debug
  server DC-NODE-01 172.16.17.77:636 no-check ciphers ALL:NULL:eNULL:aNULL:RC4-MD5:@SECLEVEL=0 ca-file /ca-certificates/ca-cert.pem
  #server DC-NODE-01 172.16.17.77:389 check fall 3 rise 2 inter 5000 weight 10
  mode tcp
  stick-table type ip size 200k expire 30m
  timeout server 12s
  timeout tunnel 10s
  timeout connect 10s

The backend server uses SSLv3/TLSv1.0 and RC4-MD5 ciphers. I first tried to use the official Docker Build of haproxy, but the OpenSSL shipped in the container is not compiled with support for these old ciphers. I patched the Dockerfile of haproxy and built my own image, including a self compiled version of openssl with support for the old ciphers:

# vim:set ft=dockerfile:
FROM alpine:3.11

ENV HAPROXY_VERSION 2.1.2
ENV HAPROXY_URL https://www.haproxy.org/download/2.1/src/haproxy-2.1.2.tar.gz
ENV HAPROXY_SHA256 6079b08a8905ade5a9a2835ead8963ee10a855d8508a85efb7181eea2d310b77

# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
RUN set -x \
    \
    && apk add --no-cache --virtual .build-deps \
        ca-certificates \
        gcc \
                perl \
        libc-dev \
        linux-headers \
        lua5.3-dev \
        make \
        pcre2-dev \
        readline-dev \
        tar \
        zlib-dev \
    libxml2-dev 


RUN wget https://www.openssl.org/source/openssl-1.1.0l.tar.gz \
  && tar -zxvf openssl-1.1.0l.tar.gz


RUN cd openssl-1.1.0l/ && ./config --prefix=/usr/local --openssldir=/etc/ssl --libdir=lib \
      shared enable-weak-ssl-ciphers enable-ssl3 enable-tls1 enable-deprecated enable-rc4 enable-ssl3-method -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'
RUN cd openssl-1.1.0l/ && make 
RUN cd openssl-1.1.0l/ && make install

RUN  wget -O haproxy.tar.gz "$HAPROXY_URL" \
    && echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c \
    && mkdir -p /usr/src/haproxy \
    && tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1 \
    && rm haproxy.tar.gz \
    \
    && makeOpts=' \
        TARGET=linux-glibc \
        USE_GETADDRINFO=1 \
        USE_LUA=1 LUA_INC=/usr/include/lua5.3 LUA_LIB=/usr/lib/lua5.3 \
        USE_OPENSSL=1 SSL_INC=/usr/local/include SSL_LIB=/usr/local/lib ADDLIB=-ldl \
        USE_PCRE2=1 USE_PCRE2_JIT=1 \
        USE_ZLIB=1 \
        \
        EXTRA_OBJS=" \
# see https://github.com/docker-library/haproxy/issues/94#issuecomment-505673353 for more details about prometheus support
            contrib/prometheus-exporter/service-prometheus.o \
        " \
    ' \
    && nproc="$(getconf _NPROCESSORS_ONLN)" \
    && eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts" \
    && eval "make -C /usr/src/haproxy install-bin $makeOpts" \
    \
    && mkdir -p /usr/local/etc/haproxy \
    && cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors \
    && rm -rf /usr/src/haproxy \
    \
    && runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
            | tr ',' '\n' \
            | sort -u \
            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
    )" \
    && apk add --no-network --virtual .haproxy-rundeps $runDeps \
    && apk del --no-network .build-deps

# https://www.haproxy.org/download/1.8/doc/management.txt
# "4. Stopping and restarting HAProxy"
# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
STOPSIGNAL SIGUSR1

ENV LDAPTLS_REQCERT=never

COPY docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]

(I did not use the newest openssl version because it did not compile in the container)

Still, I can't get haproxy to connect to the ldap server. I can verify the openssl connection to the old LDAP server from inside the container:

openssl s_client -cipher "ALL:NULL:RC4-MD5:@SECLEVEL=0" -connect 172.16.17.77:636 -ssl3 -CAfile ...

haproxy is not very chatty about the actual problem with the connection (I get no log output).

But .. if I change the haproxy config to use the unencrypted connection to the LDAP server it works instantly.

Does anybody has any hint for me what this could be or how I can debug this further?

ds82
  • 21
  • 2

0 Answers0