Hi,

HAProxy 3.2.9 was released on 2025/11/21. It added 37 new commits after version 3.2.8.

Nothing critical in this version either, but sufficient for a new release:

  - the fix in 3.2.8 for the rare race condition that could occasionally cause a crash when an idle connection was ending at the exact same moment it was about to be purged didn't work well. It indeed plugged the race, but it broke connection accounting (it's in fact what caused the strange negative connection count I said I observed last time), because the flags that were being relied on are also used to update counters. This fix was reverted and a new, more involved one was made based on list membership, which looks better, and which this time we couldn't break.

  - the ACME scheduler was reworked to use a scalable ebmbtree with read-write locks instead of a linear list. This was done in anticipation of large setups with many certificates, where we'd rather not run over long lists of hundreds of thousands of certs for each lookup. Also, a failure to initialize resolvers could happen if the default resolvers section was declared after an ACME section (which already makes use of it). ACME will also check whether a referenced map exists, and print a warning if not. Last, the error on account file creation failure will now be clearer than just "acme: out of memory".

  - stick-tables had two issues: one by which a local update was not always propagated to peers if the entry had been received from them first, and another one where the refcount of an entry could become inconsistent and prevent the entry from ever expiring if a local and a remote update happened at the exact same time and the local entry was created at the moment the peers code released the lock.

  - a crash that could occur after HTTP/2 upgrades from HTTP/1.1 has been resolved. The issue stemmed from the mux not being able to report that it had only released its structure and not the whole connection, causing the SSL tasklet to never be freed while being returned as running, thus causing an infinite loop.

  - QUIC SSL session reuse was fixed for OpenSSL 3.5, which was preventing clients from reusing their SSL sessions properly.

  - a failure to allocate a new QUIC Connection ID during a RETIRE_CONNECTION_ID frame was silently ignored, potentially leaving the peer without valid IDs and causing connection failures. Now, such allocation errors are treated as fatal, closing the connection promptly, which is safer when memory pressure is high and prevents silent degradation of connectivity.

  - the ALPN handling for listeners was improved to better handle cases where the protocol is forced with the "proto" keyword, preventing connection errors in certain configurations (e.g. when "proto h1" is forced while the default ALPN was still "h2,http/1.1").

  - the value of "tune.maxpollevents" could lead to an integer overflow when calculating the size to be allocated, resulting in a failure that would cause the poller to process no events at all (in practice the process is totally unresponsive). The value is now capped to 1 million, which is 4000 times higher than the default (250) and already does not make much sense; it should not need to be touched again for the next century.

  - in master-worker mode, signal handling during startup and reload has been corrected. Previously, it was possible to trigger a reload while the configuration was still being parsed, leading to inconsistent states. Now, signals are properly blocked during parsing, ensuring atomicity and avoiding race conditions that could result in crashes or failed reloads.

  - under rare conditions the queue management code could try another server, then fail and finally find an entry on a previously considered one, and this rare specific return path was missing an unlock, leaving the queue locked, and leaving it to the watchdog to fix the forthcoming deadlock by killing the process.

  - the haproxy-dump-certs script seems to be functional for a few of us using it with ACME, so we thought it was a good idea to backport it to 3.2 to ease backing up the updated certs.

  - a larger-than-guaranteed alignment in the struct proxy was fixed, which could cause some native builds at -O3 to crash on boot if the compiler decides to use avx512 instructions on structs that are less aligned than 64.

The rest is pretty minor, essentially doc updates, most of which concern ACME.

For most users there is no emergency on this version either, as it mainly addresses races that are only triggered under high loads. But if you're impacted by one of the issues above, or have upgraded to 3.2.8 to fix the rare conn->mux crash, then you should upgrade to this one again.

Thanks to all those who provided feedback that made it possible to fix these issues!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.2.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.2.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (4):
      Revert "BUG/MEDIUM: connections: permit to permanently remove an idle conn"
      BUG/MEDIUM: connection: do not reinsert a purgeable conn in idle list
      BUG/MINOR: quic: close connection on CID alloc failure
      BUG/MINOR: check: fix reuse-pool if MUX inherited from server

Christopher Faulet (6):
      BUG/MINOR: config: Limit "tune.maxpollevents" parameter to 1000000
      BUG/MEDIUM: stick-tables: Always return the good stksess from stktable_set_entry
      BUG/MINOR: stick-tables: Fix return value for __stksess_kill()
      MINOR: muxes: Support an optional ALPN string when defining mux protocols
      MINOR: config: Do proto detection for listeners before checks about ALPN
      BUG/MEDIUM: config: Use the mux protocol ALPN by default for listeners if forced

Damien Claisse (1):
      MINOR: ssl/sample: expose ssl_*c_curve for AWS-LC

Frederic Lecaille (1):
      BUG/MINOR: quic-be: backend SSL session reuse fix (OpenSSL 3.5)

Lukas Tribus (1):
      DOC: http: document 413 response code

Olivier Houchard (4):
      BUG/MEDIUM: stick-tables: Make sure updates are seen as local
      MINOR: h1: h1_release() should return if it destroyed the connection
      BUG/MEDIUM: h1: prevent a crash on HTTP/2 upgrade
      BUG/MEDIUM: queues: Don't forget to unlock the queue before exiting

William Lallemand (18):
      BUG/MINOR: acme: more explicit error when BIO_new_file()
      BUG/MEDIUM: acme: move from mt_list to a rwlock + ebmbtree
      BUG/MINOR: acme: can't override the default resolver
      DOC: configuration: add missing ssllib_name_startswith()
      DOC: configuration: add missing openssl_version predicates
      BUG/MEDIUM: mworker: signals inconsistencies during startup and reload
      BUG/MINOR: mworker: wrong signals during startup
      BUG/MINOR: ssl: remove dead code in ssl_sock_from_buf()
      BUG/MINOR: acme: alert when the map doesn't exist at startup
      DOC: acme: add details about the DNS-01 support
      DOC: acme: explain how to dump the certificates
      DOC: acme: configuring acme needs a crt file
      ADMIN: haproxy-dump-certs: implement a certificate dumper
      ADMIN: dump-certs: don't update the file if it's up to date
      ADMIN: dump-certs: create files in a tmpdir
      ADMIN: dump-certs: fix lack of / in -p
      ADMIN: dump-certs: use same error format as haproxy
      ADMIN: dump-certs: let dry-run compare certificates

Willy Tarreau (2):
      BUG/MEDIUM: connection/ssl: also fix the ssl_sock_io_cb() regarding idle list
      BUG/MEDIUM: proxy: do not align proxy_per_tgroup beyond allocator's capabilities
---
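As an added illustration of the "tune.maxpollevents" item above (example code written for this page, not HAProxy's own), the constructed C snippet below shows how a count-times-sizeof allocation size wraps when computed in a 32-bit integer, next to a parse-time check that rejects values above the 1,000,000 cap and computes the size in size_t. The struct and function names are hypothetical, and the wraparound case assumes a 32-bit unsigned int.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for a poller's per-event record: exactly 16 bytes. */
struct poll_event {
    uint64_t data[2];
};

/* Cap from the 3.2.9 fix: "tune.maxpollevents" is limited to 1000000. */
#define MAX_POLL_EVENTS 1000000L

/* Before: the configured count is multiplied in a 32-bit integer. A large
 * value wraps (here 2^28 * 16 == 2^32 -> 0), the allocation gets a wrong
 * size and the poller ends up with no room to report any event at all.
 * Unsigned arithmetic is used so the wrap is well defined for the demo. */
unsigned int buggy_alloc_size(unsigned int maxpollevents)
{
    return maxpollevents * (unsigned int)sizeof(struct poll_event);
}

/* After: reject out-of-range values when the directive is parsed and do
 * the multiplication in size_t with an explicit overflow guard.
 * Returns 0 and fills *size on success, -1 on an invalid value. */
int checked_alloc_size(long maxpollevents, size_t *size)
{
    if (maxpollevents < 1 || maxpollevents > MAX_POLL_EVENTS)
        return -1;                        /* out of the accepted range */
    if ((size_t)maxpollevents > SIZE_MAX / sizeof(struct poll_event))
        return -1;                        /* unreachable with the cap; defence in depth */
    *size = (size_t)maxpollevents * sizeof(struct poll_event);
    return 0;
}

/* Convenience wrapper: the computed size, or 0 when the value is rejected. */
size_t alloc_size_or_zero(long maxpollevents)
{
    size_t size = 0;
    if (checked_alloc_size(maxpollevents, &size) != 0)
        return 0;
    return size;
}

int main(void)
{
    printf("buggy size for 268435456 events: %u bytes\n", buggy_alloc_size(268435456u));
    printf("checked size for 250 events: %zu bytes\n", alloc_size_or_zero(250));
    printf("checked size for 1000001 events: %zu (rejected)\n", alloc_size_or_zero(1000001));
    return 0;
}
```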

