Hi,
HAProxy 3.3-dev10 was released on 2025/10/18. It added 77 new commits
after version 3.3-dev9.
This is another version which is quite rich in bug fixes (3 major and
8 medium).
Some visible bug fixes include:
- 2 crashing bugs in QUIC were addressed, with one on the backend
- the consistent hash key calculation mismatch affecting "hash-key id"
(the default one) that was reported recently was fixed. Those affected
by this issue appearing in 3.0 will temporarily observe a redistribution
of the cache keys and possibly an increased load on the backend servers
during the redistribution. Better upgrade all nodes at once, though.
- since 3.1, it's possible to declare thread groups with non-existing
threads. This causes serious problems at run time with connections
that are never served or with crashes. The fix will cause non-existing
threads to be evicted from thread groups, and any empty groups will
cause an error to be emitted. This only happens when thread groups
have been manually assigned wrong values, but it could happen when
validating a config for a different machine.
- for about 2 years we've observed a slow leak of ssl-captures on
haproxy.org, which made us believe that some calls to the free()
callback were sometimes missing in the SSL lib in a situation we
couldn't understand. It's actually not the case, it's that with TLS
1.3 a client can send two ClientHello messages, and the code used by
captures never expected this, so the element it used to allocate in
the first one was lost forever if a second hello appeared. If you're
seeing a lot of "ssl-capture" entries in "show pools", expect these
ones to be fixed with 3.3-dev10.
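As an added illustration that is not part of the announcement, here is a constructed global section of the kind the thread-group fix now rejects, followed by the corrected assignment; nbthread, thread-groups and thread-group are the standard HAProxy directives, and the exact error wording is not quoted since the announcement does not give it.

```haproxy
# Constructed example (not from the release mail): the two "global"
# sections below are alternatives, not meant to sit in one file.

# Broken assignment: threads 5-8 do not exist when nbthread is 4.
# Before 3.3-dev10 this was accepted and group 2 never served anything;
# from 3.3-dev10 the absent threads are evicted from group 2, the group
# becomes empty, and the configuration is rejected at load time.
global
    nbthread 4
    thread-groups 2
    thread-group 1 1-2
    thread-group 2 5-8

# Corrected assignment: every thread in 1-4 belongs to exactly one group,
# so no group is empty and no non-existing thread is referenced.
global
    nbthread 4
    thread-groups 2
    thread-group 1 1-2
    thread-group 2 3-4
```

Running `haproxy -c -f <file>` on the broken variant is the quickest way to check a config destined for a machine with a different thread count, which is the situation the announcement warns about.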
Among the other noteworthy changes, I'm seeing:
- option abortonclose now turned on by default for HTTP proxies
and TLS listeners, as previously discussed here. It is still
possible to disable it using "no option abortonclose", but I don't
expect anyone to use this on exposed environments since what is
detected is the closure of a connection from a client that's no
longer interested in a response.
- the internal HTX "extra" field was finally moved. This thing which
tracks the amount of data left to be forwarded in each direction
has been placed in the HTX buffer for a long time, always bothering
us because it requires specific care that is quite error-prone. It
could now be moved to the stream descriptors as was planned when
they were designed, allowing to simplify the logic at certain places.
Nobody should notice anything but in the very unlikely case where
anyone would encounter truncated responses or freezes during transfers,
please let us know.
- experimental directives require the expose-experimental-directives
option to be set. The problem is that once they're no longer
experimental, the option remains and nobody notices, at the risk of
enabling other experimental features without being aware of their
experimental status. In order to address this, now the option will
trigger a warning if it's present and not used. This means that when
the only experimental feature you're using is no longer experimental,
a warning will remind you about getting rid of that option to keep
your config safe.
- the jwt_verify() converter no longer accepts a certificate as the
key, but only a public key path. Instead a dedicated jwt_verify_cert()
converter was added to use a certificate. This now allows to manage
JWT certs from the CLI (add/del/show) and to merge JWT certificate
management with the rest of the certificates. A new "jwt" status
appears on "show ssl cert" to indicate it's used by JWT.
- the local copy of the mjson library was trimmed from the unused code
that's meant to be used by encoding. The code is now much smaller,
around 300 lines. The code still needs to be properly reindented and
cleaned up for easier maintenance. It definitely deserves more love,
because it's simple and easy enough to understand once reformatted.
The rest is a number of regtest improvements, cleanups and doc updates.
We're two weeks from the feature freeze, so expect a dev11 in two weeks
then mostly only fixes. Please do run tests, not just to verify the
absence of bugs but also to verify that the way features are used and
configured suits your needs, as it's not too late to adjust config
settings for example.
Please find the usual URLs below:
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Q&A from devs : https://github.com/orgs/haproxy/discussions
Sources : https://www.haproxy.org/download/3.3/src/
Git repository : https://git.haproxy.org/git/haproxy.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy.git
Changelog : https://www.haproxy.org/download/3.3/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (2):
BUG/MINOR: quic: check applet_putchk() for 'show quic' first line
TESTS: quic: fix uninit of quic_cc_path const member
Aurelien DARRAGON (1):
BUG/MINOR: sink: retry attempt for sft server may never occur
Christopher Faulet (20):
BUG/MINOR: http-ana: Reset analyse_exp date after 'wait-for-body' action
MINOR: h3/qmux: Set QC_SF_UNKNOWN_PL_LENGTH flag on QCS when headers are sent
MINOR: stconn: Add two fields in sedesc to replace the HTX extra value
MINOR: h1-htx: Increment body len when parsing a payload with no xfer length
MINOR: mux-h1: Set known input payload length during demux
MINOR: mux-fcgi: Set known input payload length during demux
MINOR: mux-h2: Use <body_len> H2S field for payload without content-length
MINOR: mux-h2: Set known input payload length of the sedesc
MINOR: h3: Set known input payload length of the sedesc
MINOR: stconn: Move data from kip to kop when data are sent to the consumer
MINOR: filters: Reset knwon input payload length if a data filter is used
MINOR: hlua/http-fetch: Use <kip> instead of HTX extra field to get body size
MINOR: cache: Use the <kip> value to check too big objects
MINOR: compression: Use the <kip> value to check body size
MEDIUM: mux-h1: Stop to use HTX extra value when formatting message
MEDIUM: htx: Remove the HTX extra field
BUG/MEDIUM: stconn: Properly forward kip to the opposite SE descriptor
MEDIUM: applet: Forward <kip> to applets
DEBUG: mux-h1: Dump <kip> and <kop> values with sedesc info
BUG/MEDIUM: apppet: Improve spinning loop detection with the new API
Frederic Lecaille (4):
TESTS: quic: useless param for b_quic_dec_int()
BUG/MAJOR: quic: uninitialized quic_conn_closed struct members
BUG/MAJOR: quic: do not reset QUIC backends fds in closing state
BUG/MINOR: quic: SSL counters not handled
Olivier Houchard (2):
BUG/MEDIUM: connections: Only avoid creating a mux if we have one
BUG/MEDIUM: stick-tables: Don't forget to dec count on failure.
Remi Tricot-Le Breton (12):
BUG/MINOR: ssl: Free global_ssl structure contents during deinit
BUG/MINOR: ssl: Free key_base from global_ssl structure during deinit
MEDIUM: jwt: Remove certificate support in jwt_verify converter
MINOR: jwt: Add new jwt_verify_cert converter
MINOR: jwt: Do not look into ckch_store for jwt_verify converter
MINOR: jwt: Add new "jwt" certificate option
MINOR: jwt: Add specific error code for known but unavailable certificate
DOC: jwt: Add doc about "jwt_verify_cert" converter
MINOR: ssl: Dump options in "show ssl cert"
MINOR: jwt: Add new "add/del/show ssl jwt" CLI commands
REGTEST: jwt: Test new CLI commands
BUG/MINOR: ssl: Potential NULL deref in trace macro
William Lallemand (13):
CLEANUP: mjson: remove MJSON_ENABLE_RPC code
CLEANUP: mjson: remove MJSON_ENABLE_PRINT code
CLEANUP: mjson: remove MJSON_ENABLE_NEXT code
CLEANUP: mjson: remove MJSON_ENABLE_BASE64 code
CLEANUP: mjson: remove unused defines and math.h
CLEANUP: mjson: remove unused defines from mjson.h
BUG/MINOR: acme: avoid overflow when diff > notAfter
MEDIUM: acme: don't insert acme account key in ckchs_tree
BUG/MINOR: acme: memory leak from the config parser
CI: cirrus-ci: bump FreeBSD image to 14-3
BUG/MINOR: ssl: leak in ssl-f-use
BUG/MINOR: ssl: leak crtlist_name in ssl-f-use
BUILD: ssl: can't build when using -DLISTEN_DEFAULT_CIPHERS
Willy Tarreau (23):
DEV: patchbot: use git reset+checkout instead of pull
MINOR: proxy: explicitly permit abortonclose on frontends and clarify the doc
REGTESTS: fix h2_desync_attacks to wait for the response
REGTESTS: http-messaging: fix the websocket and upgrade tests not to close early
MINOR: proxy: only check abortonclose through a dedicated function
MAJOR: proxy: enable abortonclose by default on HTTP proxies
MINOR: proxy: introduce proxy_abrt_close_def() to pass the desired default
MAJOR: proxy: enable abortonclose by default on TLS listeners
BUG/MEDIUM: ssl: take care of second client hello
BUG/MINOR: ssl: always clear the remains of the first hello for the second one
BUILD: makefile: disable tail calls optimizations with memory profiling
MINOR: regex: use a thread-local match pointer for pcre2
BUG/MEDIUM: pools: fix bad freeing of aligned pools in UAF mode
MEDIUM: pools: detect() when munmap() fails in UAF mode
BUG/MEDIUM: pools: fix crash on filtered "show pools" output
BUG/MINOR: pools: don't report "limited to the first X entries" by default
BUG/MAJOR: lb-chash: fix key calculation when using default hash-key id
DOC: clarify the experimental status for certain features
MINOR: config: remove experimental status on tune.disable-fast-forward
MINOR: tree-wide: add missing TAINTED flags for some experimental directives
MEDIUM: config: warn when expose-experimental-directives is used for no reason
BUG/MEDIUM: threads/config: drop absent threads from thread groups
REGTESTS: remove experimental from quic/retry.vtc
---