On Wed, Nov 09, 2016 at 11:44:41AM +0200, Apollon Oikonomopoulos wrote:
> Hi Willy, Dirkjan,
>
> On 21:12 Tue 08 Nov , Willy Tarreau wrote:
> > Hi Dirkjan,
> >
> > I finally merged your patch after discussing with Emeric. He's fine with
> > it as well.
>
> Thanks for this. Is it too much of a hassle to ask for a 1.6 backport?

Given that it breaks support for older versions (0.9.8 at least), for now it's out of the question. And it has received only limited testing. If we manage to stabilise the patch to properly handle all versions where 1.6 currently works, then maybe the question could be reconsidered.

> We currently have a release-critical bug in Debian for OpenSSL 1.1
> compatibility[1], so it would greatly help us. I could go ahead and try
> to make a backport myself, however I admit I'm a bit reluctant to touch
> OpenSSL-related code at this point.

You should definitely avoid it, the testing is insufficient for now.

Another, better option would be to upgrade the haproxy package to 1.7 for the next Debian release so that it matches the new openssl version as well. There are (too) few changes in 1.7 compared to 1.6, it mostly accumulated all the fixes that resulted from the bugs coming with the new architecture brought in 1.6. I consider 1.7 almost as stable as 1.6, and will encourage users to upgrade. I don't know how much time you have left to decide on a version for a new distro (I don't know the process at all).

Thanks,
Willy

