Hi Grant,
On 02/04/2017 12:55 AM, Grant Zhang wrote:
> This patch set adds the basic support for OpenSSL crypto engine and
> async mode.
>
> Changes since V2:
> - support keyword "algo"
> - ensure SSL engines are initialized before loading certs.
> - limit one async fd per SSL connection
> - better integrate with event cache
>
> Changes since V1:
> - add multiple engine support
> - allow default algorithms to be specified for an engine
> - remove the support for engine identifier "all" since (a) it is not possible
> to specify default algorithms for all engines and (b) "all" makes it hard to
> figure out which engine handles which crypto algorithms.
> - address Willy's other comments.
>
When an engine is in use and there is an error parsing the configuration, haproxy
gets stuck on a futex and does not exit (note that "foobar" on the server line below is the deliberate parse error):
[root@centos ~]# cat haproxy/h.conf
global
ssl-engine qat
# ssl-async
tune.ssl.default-dh-param 2048
listen ss
mode tcp
bind 0.0.0.0:8080
server ssl 127.0.0.1:8443 ssl foobar verify none
listen gg
mode http
bind 0.0.0.0:8443 ssl crt /root/2048.pem
redirect location /
[root@centos ~]# strace ./haproxy/haproxy -f ./haproxy/h.conf
...
write(2, "[ALERT] 073/120342 (2474) : ", 28[ALERT] 073/120342 (2474) : ) = 28
write(2, "Error(s) found in configuration "..., 56Error(s) found in
configuration file : ./haproxy/h.conf
) = 56
write(2, "[WARNING] 073/120342 (2474) : ", 30[WARNING] 073/120342 (2474) : ) =
30
write(2, "config : missing timeouts for pr"..., 273config : missing timeouts
for proxy 'ss'.
| While not properly invalid, you will certainly encounter various problems
| with such a configuration. To fix this, please ensure that all following
| timeouts are set to a non-zero value: 'client', 'connect', 'server'.
) = 273
write(2, "[ALERT] 073/120342 (2474) : ", 28[ALERT] 073/120342 (2474) : ) = 28
write(2, "Proxy 'ss', server 'ssl' [./hapr"..., 356Proxy 'ss', server 'ssl'
[./haproxy/h.conf:9] verify is enabled by default but no CA file specified. If
you're running on a LAN where you're certain to trust the server's certificate,
please set an explicit 'verify none' statement on the 'server' line, or use
'ssl-server-verify none' in the global section to disable server-side
verifications by default.
) = 356
write(2, "[WARNING] 073/120342 (2474) : ", 30[WARNING] 073/120342 (2474) : ) =
30
write(2, "config : missing timeouts for pr"..., 273config : missing timeouts
for proxy 'gg'.
| While not properly invalid, you will certainly encounter various problems
| with such a configuration. To fix this, please ensure that all following
| timeouts are set to a non-zero value: 'client', 'connect', 'server'.
) = 273
mmap(NULL, 4324792, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f14122d0000
write(2, "[ALERT] 073/120342 (2474) : ", 28[ALERT] 073/120342 (2474) : ) = 28
write(2, "Fatal errors found in configurat"..., 37Fatal errors found in
configuration.
) = 37
futex(0x1a204a0, FUTEX_WAIT_PRIVATE, 2, NULL