Hi,

HAProxy 3.3.1 was released on 2025/12/19. It added 45 new commits after version 3.3.0.

Unlike what I said, the 2.8.17 was not the last release emitted this week. The 3.3.1 was missing, while it was promised!

The following issues were fixed by this release:

- In QUIC, the HyStart++ algorithm for QUIC connections is now disabled for congestion control algorithms not supporting it. It caused crashes when it was enabled with BBR for instance. The "quic-cc-algo" server directive allows choosing the congestion control algorithm for outgoing QUIC connections. And there were some fixes on the QUIC backend.

- A possible crash in H3 was fixed because an internal variable could be accessed while unallocated.

- In master-worker mode, an ambiguity about a flag was fixed. It has no impact on 3.1 and later thanks to the master-worker refactoring that occurred in 3.1, but it led to a file descriptor leak for duplicated unix stats sockets in the master process in 3.0 and earlier.

- A typo in the "bc_settings_streams_limit" sample fetch function made it unavailable. This was fixed to match the name used in the configuration manual.

- An old bug from 2012 in the HTTP TUNNEL handling was fixed. It caused tunnelled streams closed by the server to be closed on both sides at once, and an error to be logged. And the timer used for the "wait-for-body" action was not properly reset, causing some trouble with some following actions, like "pause".

- The "show proc" master-CLI command is no longer limited by the output buffer size and will now be able to list many processes.

- In SSL, an issue with TLS session reuse was fixed. The SNI was not considered when a TLS session was reused. Because of this issue, it was possible to inherit an old SNI for a connection without SNI. Now, the SNI of the cached TLS session must match the one that will be used for the new connection. There was also an issue regarding the choice of the ALPN, especially when the ALPN for health-checks differed from the one used for regular traffic.

- An old bug, introduced in 2.2.0, about private idle connections attached to a session, leading to a crash, was fixed by reverting the offending commit.

- H2 backend: in some cases it was possible to continue to use a connection till the last stream ID permitted by the server. While this is undetectable by the server since it serves to process streams in flight, it's forbidden by the spec and not all parts handled it similarly in the code (some applied the client rule and others the server one depending how they were). The main impact is that after releasing the last allowed stream to a server, the connection was not set back to the idle pool but wasn't killed either, and a late activity (e.g. a shutdown) could trigger a BUG_ON() condition detecting this inconsistency and crash the process. Only 3.3 was affected by the BUG_ON() and it's not sure at this point whether any other effect could have happened on older versions. For this reason only 3.3 has the fix for now, others might follow later.

The rest is pretty minor, essentially doc updates.

Thanks everyone for your help.
Please find the usual URLs below :

   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.3/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.3.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.3.git
   Changelog        : https://www.haproxy.org/download/3.3/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :

Amaury Denoyelle (6):
      BUG/MEDIUM: h3: do not access QCS <sd> if not allocated
      BUG/MEDIUM: h3: fix access to QCS <sd> definitely
      Revert "MINOR: quic: use dynamic cc_algo on bind_conf"
      MINOR: quic: define quic_cc_algo as const
      MINOR: quic: extract cc-algo parsing in a dedicated function
      MINOR: quic: implement cc-algo server keyword

Christopher Faulet (15):
      BUG/MINOR: ssl: Don't allow to set NULL sni
      BUG/MINOR: log: Dump good %B and %U values in logs
      BUG/MEDIUM: http-ana: Don't close server connection on read0 in TUNNEL mode
      DOC: config: Fix description of the spop mode
      DOC: config: Improve spop mode documentation
      MEDIUM: quic: Add connection as argument when qc_new_conn() is called
      MINOR: ssl: Add a function to hash SNIs
      MINOR: ssl: Store hash of the SNI for cached TLS sessions
      MINOR: ssl: Compare hashes instead of SNIs when a session is cached
      MINOR: connection/ssl: Store the SNI hash value in the connection itself
      MEDIUM: tcpcheck/backend: Get the connection SNI before initializing SSL ctx
      BUG/MEDIUM: ssl: Don't reuse TLS session if the connection's SNI differs
      MEDIUM: ssl/server: No longer store the SNI of cached TLS sessions
      BUG/MEDIUM: http-ana: Properly detect client abort when forwarding response (v2)
      BUG/MEDIUM: stconn: Don't report abort from SC if read0 was already received

Frederic Lecaille (7):
      BUG/MINOR: quic/ssl: crash in ClientHello callback ssl traces
      BUG/MINOR: quic-be: handshake errors without connection stream closure
      MINOR: quic: Add useful debugging traces in qc_idle_timer_do_rearm()
      MINOR: quic: avoid code duplication in TLS alert callback
      BUG/MINOR: quic-be: missing connection stream closure upon TLS alert to send
      BUG/MINOR: quic: do not set first the default QUIC curves
      BUG/MINOR: quic-be: Missing keywords array NULL termination

Olivier Houchard (6):
      BUG/MEDIUM: ssl: Always check the ALPN after handshake
      MINOR: connections: Add a new CO_FL_SSL_NO_CACHED_INFO flag
      BUG/MEDIUM: ssl: Don't store the ALPN for check connections
      BUG/MEDIUM: ssl: Don't resume session for check connections
      BUG/MEDIUM: quic: Don't try to use hystart if not implemented
      BUG/MEDIUM: backend: Do not remove CO_FL_SESS_IDLE in assign_server()

Remi Tricot-Le Breton (1):
      BUG/MINOR: jwt: Missing "case" in switch statement

William Lallemand (4):
      BUG/MEDIUM: mworker/listener: ambiguous use of RX_F_INHERITED with shards
      DOC: configuration: ECH support details
      CLEANUP: mworker/cli: remove useless variable
      BUG/MINOR: mworker/cli: 'show proc' is limited by buffer size

Willy Tarreau (6):
      BUG/MEDIUM: connection: fix "bc_settings_streams_limit" typo
      BUG/MEDIUM: config: ignore empty args in skipped blocks
      DOC: config: mention clearer that the cache's total-max-size is mandatory
      DOC: config: reorder the cache section's keywords
      MINOR: h2/trace: emit a trace of the received RST_STREAM type
      BUG/MEDIUM: mux-h2: synchronize all conditions to create a new backend stream

--
Christopher Faulet
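
Added illustration, not part of the original announcement and not HAProxy's code: a minimal C model of the TLS session reuse fix described above, where a cached session is resumed only if the hash of its SNI matches that of the new connection, including the connection-without-SNI case. The struct, the function names, the FNV-1a hash and the host names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative model, not HAProxy code: one cached TLS session per server. */
struct cached_sess {
    int      valid;     /* a session is stored */
    uint64_t sni_hash;  /* hash of the SNI it was negotiated with; 0 = no SNI */
};

/* FNV-1a 64-bit, an assumed stand-in for the real hash function. */
static uint64_t hash_sni(const char *sni)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    if (!sni || !*sni)
        return 0;                     /* reserved value for "no SNI" */
    for (; *sni; sni++) {
        h ^= (unsigned char)*sni;
        h *= 0x100000001b3ULL;
    }
    return h ? h : 1;                 /* keep 0 reserved */
}

/* Pre-fix behaviour as described: any cached session is resumed. */
static int may_resume_old(const struct cached_sess *c, const char *sni)
{
    (void)sni;
    return c->valid;
}

/* Post-fix behaviour as described: resume only when the SNI matches. */
static int may_resume_new(const struct cached_sess *c, const char *sni)
{
    return c->valid && c->sni_hash == hash_sni(sni);
}

/* Cache a session negotiated with `stored`, then ask about `next`. */
int resume_decision(const char *stored, const char *next, int fixed)
{
    struct cached_sess c = { 1, hash_sni(stored) };
    return fixed ? may_resume_new(&c, next) : may_resume_old(&c, next);
}

int main(void)
{
    /* Constructed host names; NULL models a connection without SNI. */
    printf("old: %d new: %d\n", resume_decision("a.example.test", NULL, 0),
           resume_decision("a.example.test", NULL, 1));
    return 0;
}
```
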

