Re: [PATCH] support Openssl 1.1.1 early callback API for HS
Hi Manu,

On Mon, Sep 04, 2017 at 04:39:45PM +0200, Emmanuel Hocdet wrote:
> Hi Emeric, Christopher
>
> If you can review when you have time. (3) for Christopher.
>
> These patches allow support of native multicert selection (RSA/ECDSA) and
> ssl-min-ver/ssl-max-ver per certificate with openssl 1.1.1 (boringssl is the
> only one to support this until this patch).
>
> patches:
> 1) Convert BoringSSL api call (CBS) to ssl-lib independent code.
> This is the biggest part and only depends on BoringSSL build (until 2).
>
> 2) support openssl 1.1.1 early callback API. It mimics BoringSSL api, and this
> is good news (small patch).
> Do we want to push code for openssl 1.1.1 (dev) in haproxy (dev) now?

I suspect it will be mandatory in order to support TLS early-data (0-RTT). So I think it will be nice to have it before the release. However, given that both Christopher and Emeric are heavily loaded on the multi-threading part, I suggest that we postpone the patchset review until the multi-thread stuff gets merged. As you say, the patch is small, so it will be easy to review and apply, and/or revert in case of issues, so it's not a big deal to merge it late in the cycle.

Thanks,
Willy
Re: [PATCH] DOC: Add note about "* " prefix in CSV stats
On Fri, Sep 01, 2017 at 07:19:57PM +0200, Daniel Schneller wrote:
> Just a little documentation patch I wrote,

Oh thanks for this one Daniel, I thought it was already mentioned but I was wrong. Now applied.

Willy
Re: [PATCH] BUG/MEDIUM: http: Fix a regression bug when a HTTP response is in TUNNEL mode
On Mon, Sep 04, 2017 at 02:49:00PM +0200, Christopher Faulet wrote:
> Hi all,
>
> Finally I reworked my previous patch. This one should fix the bug, without
> side effect (AFAIK). It fixes slowdowns experienced on 1.7.9 for HTTP
> responses with undefined body length when the compression is enabled.

Now merged, thanks Christopher!

Willy
Re: Kernel TLS for http/2
Hi Aleks,

On Mon, Sep 04, 2017 at 09:34:07AM +0200, Aleksandar Lazic wrote:
> Hi,
>
> Has anyone seen KTLS also?
>
> https://lwn.net/Articles/666509/
>
> https://netdevconf.org/1.2/papers/ktls.pdf
>
> looks pretty interesting.

As I already mentioned (I don't remember to whom), I really don't see *any* benefit in this approach and only problems in fact. By the way, others have attempted it in the past and failed.

The intended purpose is to save memory copies. But memory copies cost very little compared to AES encryption, so the savings are very marginal, as the graph shows. The reality is that in order to increase the performance by only 5%:

- existing TLS application code will require modifications to be able to use both openssl and ktls

- as new algorithms are deployed, you'll have to switch back to openssl and disable kernel offloading for the time it takes to upgrade to a new kernel. FWIW we're seeing people install openssl 1.0.2 or 1.1.0 on centos 7. This proves that userland moves faster than kernels. This problem could slow down adoption of new algorithms by the way, which is exactly what QUIC is fighting by moving all the TCP stack into the browser :-(

- the data to be encrypted are now transferred to the kernel and visible using strace. One could argue that it will help with debugging, but it is also sometimes useful on some production systems to know that strace remains a safe tool to use because you don't see clear text data.

- the application has less control over the TLS record size, which is critical to page load time as it allows browsers to parse contents on the fly without having to wait for a full transfer before decrypting.

So for me it's attacking a non-problem and will cause new problems. I'm still not seeing any real benefit, I'm sorry. And you know that usually I'm the one trying to push stuff into the kernel to make things faster. It's just that *this* specific thing doesn't bring any obvious savings to me.

Cheers,
Willy
Re: Haproxy 1.7.9 or earlier stopped using h2
Hi Matthias,

On Sun, Sep 03, 2017 at 09:36:30AM +0200, Matthias Fechner wrote:
> Dear all,
>
> I configured some time ago haproxy to support http2 using tcp mode on
> FreeBSD.
>
> The configuration looked like:
>
>     frontend www-https
>         mode tcp
>         option tcplog
>         bind : ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
>         use_backend nginx-http2-backend if { ssl_fc_alpn -i h2 }
>         default_backend nginx-http-backend
>
>     backend nginx-http2-backend
>         mode tcp
>         server www-1 127.0.0.1:8083 check send-proxy
>
> Nginx on port 8083 is listening with this line:
>
>     listen 127.0.0.1:8083 http2 proxy_protocol;
>
> That worked in the past. I have no idea when it stopped, but currently
> it is not working anymore.
> Is anyone aware of a change that could cause h2 to not work anymore?

Make sure that you built with openssl 1.0.2 (haproxy -vv). ALPN is only provided in this version, not older ones. Also, maybe your nginx needs to receive a proxy-protocol-v2 header to accept to enable H2 (it's the only one which mentions SSL presence and a few extensions)? In this case you'll need to use "send-proxy-v2" instead of "send-proxy". I don't have other ideas for now.

Willy
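A script for the two checks Willy suggests above (OpenSSL build version in "haproxy -vv", and whether a client actually gets "h2" back via ALPN), added here as example code that is not part of the thread; the function names are my own, and the sample outputs are constructed stand-ins for what the real commands print so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the thread. Both helpers take command output as
# text so they can be exercised on the constructed samples below, or on the
# real output of: haproxy -vv  and  openssl s_client -alpn h2 -connect host:443

# Return 0 if the "Built with OpenSSL version" line reports >= 1.0.2
# (the first OpenSSL release with ALPN), 1 otherwise.
# Assumes the usual three-component version (e.g. 1.0.2k, 1.1.0f).
haproxy_alpn_capable() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^Built with OpenSSL version : OpenSSL \([0-9][0-9.]*\).*/\1/p' |
          head -n 1)
    [ -n "$ver" ] || return 1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%.*}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ] && return 0
    return 1
}

# Return 0 if s_client output shows "h2" was negotiated; s_client prints
# "ALPN protocol: h2" on success and "No ALPN negotiated" otherwise.
alpn_negotiated_h2() {
    printf '%s\n' "$1" | grep -q '^ALPN protocol: h2$'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_VV_OK='HA-Proxy version 1.7.9 2017/08/18
Built with OpenSSL version : OpenSSL 1.0.2l  25 May 2017
Running on OpenSSL version : OpenSSL 1.0.2l  25 May 2017
OpenSSL library supports TLS extensions : yes'
SAMPLE_VV_OLD='Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_SCLIENT_H2='---
ALPN protocol: h2
---'
SAMPLE_SCLIENT_NONE='---
No ALPN negotiated
---'

# Demo run on the samples; swap in "$(haproxy -vv)" etc. for a live check.
if haproxy_alpn_capable "$SAMPLE_VV_OK"; then echo "build: ALPN capable"; fi
if ! haproxy_alpn_capable "$SAMPLE_VV_OLD"; then echo "build: too old for ALPN"; fi
if alpn_negotiated_h2 "$SAMPLE_SCLIENT_H2"; then echo "client: got h2"; fi
if ! alpn_negotiated_h2 "$SAMPLE_SCLIENT_NONE"; then echo "client: no h2"; fi
```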
Re: [PATCH] MINOR: ssl: remove duplicate ssl_methods in struct bind_conf
On Mon, Sep 04, 2017 at 02:53:06PM +0200, Emeric Brun wrote:
> It should be ok.
>
> Willy, you've my go!

Now applied, thanks guys.

Willy