[ANNOUNCE] haproxy-2.8-dev13
Hi,

HAProxy 2.8-dev13 was released on 2023/05/24. It added 43 new commits after version 2.8-dev12.

Things have been quite calm since dev12. Along a discussion with Christopher and Amaury we figured that one combination of flags indicating the conditions in which a stream ended that we thought impossible did in fact exist with QUIC, where it's possible to abort an upload without stopping the download, so that required an in-depth analysis of all places consuming these flags combinations to make sure we could declare this combination officially supported and document it. These patches were marked as medium because that's always tricky but the analysis was exhaustive and we're confident in the change, it clarifies certain conditions and was extensively tested.

Speaking of QUIC, a few minor bugs on error paths were addressed, and comments were added at various places to help understand some BUG_ON(). Fred also added a number of event counters that had been missing over the last few troubleshooting sessions.

Tristan observed a slight performance regression recently that we could not reproduce even under latency/limited bandwidth and that is still under scrutiny. He could narrow it down to a small set of patches to examine. We hope to get it figured and fixed soon but it's not sensitive enough to hold the release.

Aurélien cleaned up some Lua places to better document which ones could be interrupted by a longjmp, and spotted a small bug there, which seems to have little impact, but which was fixed anyway.

Some cleanups were done in the makefile, first because Thierry noticed that it was recently broken for GNU make before 3.82 (3.81 is still very common), and second to avoid causing a full rebuild each time "make something" is called (help, version, reg-test etc). Also while re-running the tests on my small FreeBSD machine I figured I had never committed the tiny BSD makefile that's meant to prevent "make" from spitting ugly syntax errors. Now instead it will invite the user to use "gmake".

During these tests it was found that TCC was recently broken again. It seems I'm the only one using it, and since I now have access to a fast enough build farm, I tend to use it less often. So this was fixed.

Amaury cleaned up and committed a convenient Lua script he's been using for a while to automatically produce an SSL key log file from a stream. That's convenient for debugging or during development as you don't have to process logs and rebuild the file, it's updated on the fly (see dev/sslkeylogger if you're interested, but don't do that in production as it writes to the file system and is probably not even thread-safe).

And the rest are essentially doc updates.

I think we're good for a release in the middle of next week, likely on Wednesday since the last few -dev releases slipped to Wednesday due to bugs and days off. Till the release we'll mostly focus on doc updates and regressions and a bit less on non-critical bugs that already affected older versions so that we do our best not to add new regressions in this version. This means that regressions you'd find when testing this version will be considered with a higher priority, so please re-check, and also have a look at the doc and do not hesitate to report any anomaly you'd spot.

Now back to working on the full changelog...

Please find the usual URLs below :
   Site index : https://www.haproxy.org/
   Documentation: https://docs.haproxy.org/
   Wiki : https://github.com/haproxy/wiki/wiki
   Discourse: https://discourse.haproxy.org/
   Slack channel: https://slack.haproxy.org/
   Issue tracker: https://github.com/haproxy/haproxy/issues
   Sources : https://www.haproxy.org/download/2.8/src/
   Git repository : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog: https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API: https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs: https://www.haproxy.org/l/reviewed-bugs
   Code reports : https://www.haproxy.org/l/code-reports
   Latest builds: https://www.haproxy.org/l/dev-packages

Willy

---
Complete changelog :

Amaury Denoyelle (9):
      CLEANUP: mux-quic/h3: complete BUG_ON with comments
      MINOR: quic: remove return val of quic_aead_iv_build()
      MINOR: quic: use WARN_ON for encrypt failures
      BUG/MINOR: quic: handle Tx packet allocation failure properly
      MINOR: quic: fix alignment of oneline show quic
      MINOR: mux-quic: set both EOI EOS for stream fin
      MINOR: mux-quic: only set EOS on RESET_STREAM recv
      MINOR: mux-quic: report error on stream-endpoint earlier
      DEV: add a Lua helper script for SSL keys logging

Aurelien DARRAGON (6):
      MINOR: hlua: hlua_smp2lua_str() may LJMP
      MINOR: hlua: hlua_smp2lua() may LJMP
      MINOR: hlua: hlua_arg2
Re: [PATCH 1/1] BUILD: SSL: enable TLS key material logging if built with LibreSSL>=3.5.0
Please ignore this patch. The LibreSSL implementation of key logging is intended only to shut build warnings. The functions themselves do nothing.

On Tue, 23 May 2023 at 22:57, Ilya Shipitsin wrote:

> LibreSSL implements TLS key material since 3.5.0, let's enable it > --- > include/haproxy/openssl-compat.h | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/include/haproxy/openssl-compat.h > b/include/haproxy/openssl-compat.h > index 7fb153810..ed162031c 100644 > --- a/include/haproxy/openssl-compat.h > +++ b/include/haproxy/openssl-compat.h > @@ -88,7 +88,8 @@ > #define HAVE_SSL_SCTL > #endif > > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) > +/* minimum OpenSSL 1.1.1 & libreSSL 3.5.0 */ > +#if (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= > 0x305fL)) || (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) > #define HAVE_SSL_KEYLOG > #endif > > -- > 2.40.1 > >
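
Review bot: the LibreSSL bound in the new `#if`, shown as `LIBRESSL_VERSION_NUMBER >= 0x305fL`, is not a LibreSSL version constant; LibreSSL encodes 3.5.0 as 0x3050000fL, so as written the test is true for every LibreSSL release and `HAVE_SSL_KEYLOG` would be defined for versions older than the 3.5.0 named in the comment. The condition is also wrapped after `>=` in the mail, which leaves a damaged `+` line that will not apply cleanly. Since the reply states that the LibreSSL key logging functions do nothing, defining `HAVE_SSL_KEYLOG` there would offer key logging that silently produces no output, so the guard is better kept OpenSSL-only, with the comment above it saying why LibreSSL is excluded.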
[bug-report] if we should add check for memory allocation
Dear haproxy maintainers:

Should we add checks for memory allocation? I got 3 coredumps (haproxy version is 2.6.6):

bt 1

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x7f0a03a50a57 in BIO_meth_set_write (biom=0x0, bwrite=bwrite@entry=0x55fbf4ac5260 ) at crypto/bio/bio_meth.c:92
92 biom->bwrite_old = bwrite;
(gdb) bt
#0 0x7f0a03a50a57 in BIO_meth_set_write (biom=0x0, bwrite=bwrite@entry=0x55fbf4ac5260 ) at crypto/bio/bio_meth.c:92
#1 0x55fbf4ac50d5 in __ssl_sock_init () at src/ssl_sock.c:8150
#2 0x55fbf4aba0e6 in main (argc=3, argv=0x7ffe3895b718) at src/haproxy.c:3075

bt 2

Program terminated with signal SIGSEGV, Segmentation fault.
#0 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:307
307 VMOVU %VEC(0), (%rdi)
(gdb) bt
#0 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:307
#1 0x56542cb0dba1 in memcpy (__len=46, __src=0x56542dbff1a0, __dest=) at /usr/include/bits/string_fortified.h:29
#2 __b_putblk (b=, len=46, blk=0x56542dbff1a0 "register section 'log-forward': out of memory.\n") at include/haproxy/buf.h:552
#3 b_putblk (b=, len=46, blk=0x56542dbff1a0 "register section 'log-forward': out of memory.\n") at include/haproxy/buf.h:568
#4 usermsgs_put (msg=) at src/errors.c:50
#5 print_message (use_usermsgs_ctx=, label=, fmt=, argp=) at src/errors.c:216
#6 0x56542cb0de0e in ha_alert (fmt=fmt@entry=0x56542cb581a8 "register section '%s': out of memory.\n") at src/errors.c:253
#7 0x56542ca4bcfc in cfg_register_section (post_section_parser=0x0, section_parser=0x56542ca444c0 , section_name=0x56542cb56e3a "log-forward") at src/cfgparse.c:4318
#8 cfg_register_section (section_name=0x56542cb56e3a "log-forward", section_parser=0x56542ca444c0 , post_section_parser=0x0) at src/cfgparse.c:4303
#9 0x56542c94f0e6 in main (argc=3, argv=0x7ffefb267388) at src/haproxy.c:3075
(gdb) f 4
#4 usermsgs_put (msg=) at src/errors.c:50
50 b_putblk(&usermsgs_buf, msg->ptr, msg->len);
(gdb) p usermsgs_buf
$1 = {size = 1024, area = 0x0, data = 0, head = 0}
(gdb)

bt 3

Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_clockjoin_ex (threadid=1, thread_return=thread_return@entry=0x0, clockid=clockid@entry=0, abstime=abstime@entry=0x0, block=block@entry=true) at pthread_join_common.c:43
43 if (INVALID_NOT_TERMINATED_TD_P (pd))
(gdb) bt
#0 __pthread_clockjoin_ex (threadid=1, thread_return=thread_return@entry=0x0, clockid=clockid@entry=0, abstime=abstime@entry=0x0, block=block@entry=true) at pthread_join_common.c:43
#1 0x7ff1708aa043 in ___pthread_join (threadid=, thread_return=thread_return@entry=0x0) at pthread_join.c:25
#2 0x55b6ed0c64d1 in preload_libgcc_s () at src/thread.c:950
#3 __thread_init () at src/thread.c:964
#4 0x55b6ecf10086 in main (argc=3, argv=0x7ffc1849dbc8) at src/haproxy.c:3073

The attachments are my patches.

Looking forward to your response.

eaglegai
eagle...@163.com

add-check-for-ha_meth.patch
Description: Binary data

add-check-for-usermsgs_buf.area-in-usermsgs_put.patch
Description: Binary data

add-check-for-pthread_create.patch
Description: Binary data
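
The second backtrace above shows an out-of-memory alert being copied into a buffer whose `size` is 1024 but whose `area` is NULL. The sketch below is an added example, not HAProxy code and not the reporter's attached patches; `struct msgbuf`, `msgbuf_init`, `msgbuf_put`, `report_alert` and `failing_alloc` are hypothetical names, and only the four field names come from the gdb output.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same four fields gdb printed for usermsgs_buf; the type name is hypothetical. */
struct msgbuf {
    size_t size;  /* capacity the code believes it has */
    char *area;   /* storage, NULL when the allocation failed */
    size_t data;  /* bytes currently stored */
    size_t head;  /* read offset, unused in this sketch */
};

/* On failure the buffer stays empty with size 0, never size=1024/area=NULL. */
static int msgbuf_init(struct msgbuf *b, size_t size, void *(*alloc)(size_t))
{
    memset(b, 0, sizeof(*b));
    b->area = alloc(size);   /* allocator is injectable to simulate OOM */
    if (!b->area)
        return -1;
    b->size = size;
    return 0;
}

/* Append up to len bytes, truncated to the free room; 0 if no storage. */
static size_t msgbuf_put(struct msgbuf *b, const char *blk, size_t len)
{
    if (!b->area || b->data >= b->size)
        return 0;
    if (len > b->size - b->data)
        len = b->size - b->data;
    memcpy(b->area + b->data, blk, len);
    b->data += len;
    return len;
}

/* Error path: stderr always gets the message, the buffer only if usable. */
static size_t report_alert(struct msgbuf *b, const char *msg)
{
    fputs(msg, stderr);
    return msgbuf_put(b, msg, strlen(msg));
}

static void *failing_alloc(size_t n) { (void)n; return NULL; } /* simulated OOM */
int main(void)
{
    struct msgbuf b;
    if (msgbuf_init(&b, 1024, failing_alloc) < 0)
        report_alert(&b, "register section 'log-forward': out of memory.\n");
    return 0;
}
```

The point of the guard is that the code reporting an allocation failure must not itself depend on an allocation having succeeded.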