Hi Grant,

On 02/04/2017 12:55 AM, Grant Zhang wrote:
> This patch set adds the basic support for OpenSSL crypto engine and
> async mode.
>
> Changes since V2:
> - support keyword "algo"
> - ensure SSL engines are initialized before loading certs.
> - limit one async fd per SSL connection
> - better integrate with event cache
>
> Changes since V1:
> - add multiple engine support
> - allow default algorithms to be specified for an engine
> - remove the support for engine identifier "all" since (a) it is not possible
>   to specify default algorithms for all engine and (b) "all" makes it hard to
>   figure out what engine does what crypto algorithms.
> - address Willy's other comments.
>
Using an engine, if there is an error parsing the configuration, haproxy gets stuck on a futex and does not exit:

[root@centos ~]# cat haproxy/h.conf
global
    ssl-engine qat
    # ssl-async
    tune.ssl.default-dh-param 2048

listen ss
    mode tcp
    bind 0.0.0.0:8080
    server ssl 127.0.0.1:8443 ssl foobar verify none

listen gg
    mode http
    bind 0.0.0.0:8443 ssl crt /root/2048.pem
    redirect location /

[root@centos ~]# strace ./haproxy/haproxy -f ./haproxy/h.conf
...
write(2, "[ALERT] 073/120342 (2474) : ", 28[ALERT] 073/120342 (2474) : ) = 28
write(2, "Error(s) found in configuration "..., 56Error(s) found in configuration file : ./haproxy/h.conf
) = 56
write(2, "[WARNING] 073/120342 (2474) : ", 30[WARNING] 073/120342 (2474) : ) = 30
write(2, "config : missing timeouts for pr"..., 273config : missing timeouts for proxy 'ss'.
   | While not properly invalid, you will certainly encounter various problems
   | with such a configuration. To fix this, please ensure that all following
   | timeouts are set to a non-zero value: 'client', 'connect', 'server'.
) = 273
write(2, "[ALERT] 073/120342 (2474) : ", 28[ALERT] 073/120342 (2474) : ) = 28
write(2, "Proxy 'ss', server 'ssl' [./hapr"..., 356Proxy 'ss', server 'ssl' [./haproxy/h.conf:9] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
) = 356
write(2, "[WARNING] 073/120342 (2474) : ", 30[WARNING] 073/120342 (2474) : ) = 30
write(2, "config : missing timeouts for pr"..., 273config : missing timeouts for proxy 'gg'.
   | While not properly invalid, you will certainly encounter various problems
   | with such a configuration. To fix this, please ensure that all following
   | timeouts are set to a non-zero value: 'client', 'connect', 'server'.
) = 273
mmap(NULL, 4324792, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f14122d0000
write(2, "[ALERT] 073/120342 (2474) : ", 28[ALERT] 073/120342 (2474) : ) = 28
write(2, "Fatal errors found in configurat"..., 37Fatal errors found in configuration.
) = 37
futex(0x1a204a0, FUTEX_WAIT_PRIVATE, 2, NULL