Hi,
HAProxy 3.3-dev11 was released on 2025/10/31. It added 82 new commits
after version 3.3-dev10.
Various issues were addressed in this version (some of which will lead
to backports), namely pool alignment issues that could cause crashes
in certain cases, an overzealous vectorization issue with gcc-15 resulting
in crashes on certain older flavors of x86_64, a format layout inconsistency
on the shared stats file that prevented it from working on 32-bit machines,
a design limitation of ncbuf (used by QUIC) where excessive CRYPTO frames
reordering could make some handshakes fail with a few recent clients that
would leave too short holes between them, a possible crash when updating
certain SSL certificates on the CLI, errors when dealing with certain 1xx
responses in H3, 0-RTT not working again on the frontend for H1 and on the
backend for H2, and a few other ones.
On the front of the new stuff, I'm seeing:
- some updates on ACME to improve dns-01 challenge support via the
dataplane API
- as quickly mentioned above, we started to get reports of failed QUIC
handshakes that could be tracked down to recent Firefox versions and
ngtcp2 versions that mangle crypto frames order to complicate their
inspection by bad actors on the path. However their reordering becomes
hard to handle with too short holes between adjacent frames (e.g. one
single byte), making the current non-contiguous buffer (ncbuf) reach
its limit, not being able to store such data. This was reworked with
an alternative (but still pretty close) model that allows single-byte
holes now and was confirmed to work well (thank you Annika!). It was
already backported to 3.2.7 and will progressively flow to other
versions. It's not exactly a bug, more an interoperability limitation
that was addressed. If you're using QUIC on 3.3, please update, you
could see better stats.
- some updates to the CLI applet to avoid sending LFs one at a time when
dealing with long pipelined commands. Not only was this making socat
run at 100% CPU receiving one byte at a time, but we discovered that
it would break some older tools that would send a few commands then
disconnect because the intermediate LFs would get an EPIPE from the
closed connection. Since old tools were relying on an optimization,
let's reimplement the optimization to keep them happy and improve
other ones anyway.
- some improvements were made to the stick-tables locking. It's much
more complicated than initially thought, and some of the attempts at
improving the situation were not successful enough (i.e. some gains
and some losses). However those which only provided consistent gains
were integrated (essentially anything related to splitting locking by
buckets).
- TLS ECH (Encrypted Client Hello) was finally merged. ECH is mainly
used to avoid the SNI (Server Name Indication) being sent in the clear,
because that has always been a significant weakness of TLS: it was
possible to know what site was being visited. It's a concern for
those working in censored areas for example. With ECH, a public key
is shared in a DNS record, and the client can use it to encrypt the
ClientHello and not disclose where it's going. Note that this only
makes sense if the key retrieval is secured as well (e.g. DoH).
Entries can be added, consulted and updated from the CLI. This was
a contribution from Stephen Farrell who's been working on this for
HAProxy and other stacks for a while now, and maintaining test
instances at defo.ie. Now the implementation reached a state where
it could be merged and maintained, so the timing was perfect.
- The new "ssl-passphrase-cmd" directive permits specifying a command
to be run to retrieve a passphrase to unlock protected certificates.
The command will only ask for certificates that couldn't be unlocked
using previously entered passphrases, so when most of them are the
same (commonly seen), few commands will be issued. Protected certs
will not have their private key dumped on the CLI.
- a number of outdated or confusing QUIC settings were dropped, renamed
or refined. The renamed ones still work, and issue a deprecation
warning referencing the new keyword. Old ones will be dropped in 3.5.
- the rest is essentially reg tests, CI updates and doc updates.
We're now roughly one month away from the release, so it's time to calm
down on changes and to focus on finalizing what's already merged, testing
and fixing bugs. Let's postpone new stuff for 3.4 now. User tests are
super important, especially with new features, as it's not too late to
rename an option or adjust something that could be confusing or not
convenient. At the risk of repeating myself, please test it, try to
break it and report!
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Q&A from devs : https://github.com/orgs/haproxy/discussions
Sources : https://www.haproxy.org/download/3.3/src/
Git repository : https://git.haproxy.org/git/haproxy.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy.git
Changelog : https://www.haproxy.org/download/3.3/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (23):
BUG/MEDIUM: h3: properly encode response after interim one in same buf
MINOR: ncbuf: extract common types
MINOR: ncbmbuf: define new ncbmbuf type
MINOR: ncbmbuf: implement add
MINOR: ncbmbuf: implement iterator bitmap utilities functions
MINOR: ncbmbuf: implement ncbmb_data()
MINOR: ncbmbuf: implement advance operation
MINOR: ncbmbuf: add tests as standalone mode
BUG/MAJOR: quic: use ncbmbuf for CRYPTO handling
MINOR: quic: remove received CRYPTO temporary tree storage
MINOR: quic: remove unused conn-tx-buffers limit keyword
MINOR: quic: prepare support for options on FE/BE side
MINOR: quic: rename "no-quic" to "tune.quic.listen"
MINOR: quic: duplicate glitches FE option on BE side
MINOR: quic: split congestion controler options for FE/BE usage
MINOR: quic: split Tx options for FE/BE usage
MINOR: quic: rename max Tx mem setting
MINOR: quic: rename retry-threshold setting
MINOR: quic: rename frontend sock-per-conn setting
BUG/MINOR: quic: split max-idle-timeout option for FE/BE usage
BUG/MINOR: quic: split option for congestion max window size
BUG/MINOR: quic: rename and duplicate stream settings
BUG/MINOR: acl: warn if "_sub" derivative used with an explicit match
Aurelien DARRAGON (8):
MINOR: stats-file: fix typo in shm-stats-file object struct size detection
MINOR: compiler: add FIXED_SIZE(size, type, name) macro
MEDIUM: freq-ctr: use explicit-size types for freq-ctr struct
BUG/MAJOR: stats-file: ensure shm_stats_file_object struct mapping consistency
Revert "BUG/MAJOR: stats-file: ensure shm_stats_file_object struct mapping consistency"
Revert "MEDIUM: freq-ctr: use explicit-size types for freq-ctr struct"
Revert "MINOR: compiler: add FIXED_SIZE(size, type, name) macro"
BUG/MAJOR: stats-file: ensure shm_stats_file_object struct mapping consistency (2nd attempt)
Christopher Faulet (3):
BUG/MEDIUM: h1-htx: Don't set HTX_FL_EOM flag on 1xx informational messages
BUG/MEDIUM: applet: Improve again spinning loops detection with the new API
BUG/MINOR: resolvers: Apply dns-accept-family setting on additional records
Frederic Lecaille (2):
BUG/MINOR: quic-be: unchecked connections during handshakes
REGTEST: quic: add ssl_reuse.vtc new QUIC test
Huangbin Zhan (1):
MINOR: http: fix 405,431,501 default errorfile
Ilia Shipitsin (1):
CI: disable fail-fast on fedora rawhide builds
Olivier Houchard (11):
BUG/MEDIUM: mt_list: Make sure not to unlock the element twice
MINOR: initcalls: Add a new initcall stage, STG_INIT_2
MEDIUM: stick-tables: Use a per-shard expiration task
MEDIUM: stick-tables: Remove the table lock
MEDIUM: stick-tables: Stop if stktable_trash_oldest() fails.
MEDIUM: stick-tables: Stop as soon as stktable_trash_oldest succeeds.
BUG/MEDIUM: stick-tables: Don't loop if there's nothing left
BUG/MEDIUM: mt_lists: Avoid el->prev = el->next = el
BUG/MEDIUM: mt_list: Use atomic operations to prevent compiler optims
MEDIUM: quic: Fix build with openssl-compat
MEDIUM: h1: Immediately try to read data for frontend
Remi Tricot-Le Breton (8):
BUG/MEDIUM: ssl: Crash because of dangling ckch_store reference in a ckch instance
BUG/MINOR: ssl: Remove unreachable code in CLI function
BUG/MINOR: init: Do not close previously created fd in stdio_quiet
MINOR: init: Make devnullfd global and create it earlier in init
MINOR: init: Use devnullfd in stdio_quiet calls instead of recreating a fd everytime
MEDIUM: ssl: Add certificate password callback that calls external command
MEDIUM: ssl: Add local passphrase cache
MINOR: ssl: Do not dump decrypted privkeys in 'dump ssl cert'
William Lallemand (8):
MINOR: acme: add the dns-01-record field to the sink
MINOR: acme: display the complete challenge_ready command in the logs
BUG/MINOR: ssl: returns when SSL_CTX_new failed during init
MINOR: listener: implement bind_conf_find_by_name()
CI: github: add USE_ECH=1 to haproxy for openssl-ech job
DOC: configuration: "ech" for bind lines
BUG/MINOR: ech: non destructive parsing in cli_find_ech_specific_ctx()
DOC: management: document ECH CLI commands
Willy Tarreau (14):
BUG/MEDIUM: cli: also free the trash chunk on the error path
BUG/MAJOR: pools: fix default pool alignment
BUG/MEDIUM: build: limit excessive and counter-productive gcc-15 vectorization
BUG/MINOR: stick-tables: properly index string-type keys
BUILD: openssl-compat: fix build failure with OPENSSL=0 and KTLS=1
MINOR: applet: do not put SE_FL_WANT_ROOM on rcv_buf() if the channel is empty
MINOR: cli: create cli_raw_rcv_buf() from the generic applet_raw_rcv_buf()
BUG/MEDIUM: cli: do not return ACKs one char at a time
DOC: config: fix confusing typo about ACL -m ("now" vs "not")
DOC: config: slightly clarify the ssl_fc_has_early() behavior
MINOR: ssl-sample: add ssl_fc_early_rcvd() to detect use of early data
MEDIUM: mux-h2: do not needlessly refrain from sending data early
MINOR: mux-h2: extract the code to send preface+settings into its own function
BUG/MINOR: mux-h2: send the preface along with the first request if needed
sftcd (3):
MEDIUM: ssl/ech: config and load keys
MINOR: ssl/ech: add logging and sample fetches for ECH status and outer SNI
MINOR: ssl/ech: key management via stats socket
---
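The QUIC CRYPTO reordering item above describes the limit that was hit: the non-contiguous buffer could not store a fragment that left a hole of a single byte between it and its neighbour, and the replacement (the changelog's ncbmbuf, with its bitmap utilities) lifts that limit. The following is an added example written for this page, not HAProxy's ncbuf or ncbmbuf code, showing the principle in a self-contained toy: a reassembly window that keeps one "filled" bit per byte, so a hole is just a run of clear bits and can be as short as one byte. The buffer size, the function names, the return codes and the constructed CRYPTO stream ("0123456789ABCDEFGHIJ", delivered as 11..19, then 0..9, then the lone byte at 10) are assumptions for the example and not taken from HAProxy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NCBM_SIZE 64                 /* toy window capacity (assumption) */

/* Receive window: a byte array plus one "filled" bit per byte. A hole of
 * any size, down to a single byte, is simply a run of clear bits, so no
 * bookkeeping has to be stored inside the hole itself. */
struct ncbm {
    size_t  head;                    /* absolute stream offset of data[0] */
    uint8_t data[NCBM_SIZE];
    uint8_t filled[(NCBM_SIZE + 7) / 8];
};

static void ncbm_init(struct ncbm *b, size_t stream_off)
{
    memset(b, 0, sizeof(*b));
    b->head = stream_off;
}

static int ncbm_bit(const struct ncbm *b, size_t i)
{
    return (b->filled[i / 8] >> (i % 8)) & 1;
}

/* Store <len> bytes received at absolute stream offset <off>.
 * Returns the number of newly filled bytes, -1 if the fragment does not fit
 * in the window, -2 if it contradicts bytes already stored (a peer sending
 * different content for an offset it already delivered). */
static int ncbm_add(struct ncbm *b, size_t off, const uint8_t *src, size_t len)
{
    if (off < b->head) {             /* already (partly) consumed: trim it */
        size_t skip = b->head - off;
        if (skip >= len)
            return 0;
        src += skip; len -= skip; off = b->head;
    }
    size_t rel = off - b->head;
    if (rel > NCBM_SIZE || len > NCBM_SIZE - rel)
        return -1;
    for (size_t i = 0; i < len; i++)  /* reject conflicts before mutating */
        if (ncbm_bit(b, rel + i) && b->data[rel + i] != src[i])
            return -2;
    int added = 0;
    for (size_t i = 0; i < len; i++) {
        if (ncbm_bit(b, rel + i))
            continue;                /* duplicate byte, already have it */
        b->data[rel + i] = src[i];
        b->filled[(rel + i) / 8] |= (uint8_t)(1u << ((rel + i) % 8));
        added++;
    }
    return added;
}

/* Length of the hole-free run starting at the head: what the TLS stack may
 * consume right now. */
static size_t ncbm_data(const struct ncbm *b)
{
    size_t n = 0;
    while (n < NCBM_SIZE && ncbm_bit(b, n))
        n++;
    return n;
}

/* Consume <n> head bytes (capped to the contiguous run) and slide the window. */
static size_t ncbm_advance(struct ncbm *b, size_t n)
{
    size_t avail = ncbm_data(b);
    uint8_t nf[sizeof(b->filled)] = {0};
    if (n > avail)
        n = avail;
    memmove(b->data, b->data + n, NCBM_SIZE - n);
    for (size_t i = n; i < NCBM_SIZE; i++)   /* shift the bitmap left by n */
        if (ncbm_bit(b, i))
            nf[(i - n) / 8] |= (uint8_t)(1u << ((i - n) % 8));
    memcpy(b->filled, nf, sizeof(nf));
    b->head += n;
    return n;
}

/* Constructed scenario (not a real capture): CRYPTO data for offsets 11..19
 * arrives first, then 0..9, then the single byte at offset 10. steps[] gets
 * ncbm_data() after each arrival; the return value is the final contiguous
 * length, or 0 if the reassembled bytes do not match the original stream. */
static size_t demo_single_byte_hole(size_t steps[3])
{
    static const uint8_t stream[] = "0123456789ABCDEFGHIJ";  /* 20 data bytes */
    struct ncbm b;
    ncbm_init(&b, 0);
    ncbm_add(&b, 11, stream + 11, 9);  steps[0] = ncbm_data(&b);  /* hole at head */
    ncbm_add(&b, 0,  stream,      10); steps[1] = ncbm_data(&b);  /* 1-byte hole at 10 */
    ncbm_add(&b, 10, stream + 10, 1);  steps[2] = ncbm_data(&b);  /* hole closed */
    return memcmp(b.data, stream, 20) == 0 ? steps[2] : 0;
}

/* Window and conflict handling; returns 0 when every check holds. */
static int demo_edge_cases(void)
{
    static const uint8_t stream[] = "0123456789ABCDEFGHIJ";
    uint8_t x = 'X';
    struct ncbm b;
    ncbm_init(&b, 0);
    ncbm_add(&b, 0, stream, 20);
    if (ncbm_advance(&b, 5) != 5 || b.head != 5 || ncbm_data(&b) != 15) return 1;
    if (ncbm_add(&b, 0, stream, 10) != 0) return 2;             /* stale retransmit */
    if (ncbm_add(&b, 5, &x, 1) != -2) return 3;                 /* contradicts '5' */
    if (ncbm_add(&b, 5 + NCBM_SIZE - 1, &x, 2) != -1) return 4; /* one byte too far */
    if (ncbm_add(&b, 5 + NCBM_SIZE - 1, &x, 1) != 1) return 5;  /* last slot fits */
    return 0;
}

int main(void)
{
    size_t steps[3];
    size_t total = demo_single_byte_hole(steps);
    printf("contiguous bytes after each frame: %zu %zu %zu (total %zu)\n",
           steps[0], steps[1], steps[2], total);
    printf("edge cases: %s\n", demo_edge_cases() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The point of the bitmap is visible in demo_single_byte_hole(): after the first two frames the window holds 0..9 and 11..19 with exactly one missing byte, and ncbm_data() correctly reports 10 rather than rejecting the second frame; the lone byte at offset 10 then makes all 20 bytes consumable. The conflict check in ncbm_add() is the defensive part a practitioner wants: a peer that replays an offset with different content is refused instead of silently overwriting handshake data.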