Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-04-22 Thread Emmanuel Hocdet
> On 21 Apr 2020 at 10:58, William Lallemand wrote: > > On Fri, Apr 03, 2020 at 10:34:12AM +0200, Emmanuel Hocdet wrote: >> >>> On 31 Mar 2020 at 18:40, William Lallemand wrote >>> : >>> >>> On Thu, Mar 26, 2020 at 06:29:48PM +0100, William Lallemand wrote: After some thinki

Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-04-22 Thread William Lallemand
On Wed, Apr 22, 2020 at 11:23:05AM +0200, Emmanuel Hocdet wrote: > Hi William, > > It’s ok, thanks. I hope it is the case for all of us. > > I will take time to do it. > > ++ > Manu > Okay, thanks! -- William Lallemand

[PATCH] MINOR: ssl: add ssl-skip-self-issued-ca global option

2020-04-22 Thread Emmanuel Hocdet
and voila: 0001-MINOR-ssl-add-ssl-skip-self-issued-ca-global-option.patch (attached)

[PATCH] ssl defaults enhancements

2020-04-22 Thread Jerome Magnin
Hi, please find attached to this mail two patches. One aims at addressing issue #595 on github, where Anit reports some server ssl options default values aren't applied when set with default-server or ssl-default-server-options directives. The other patch adds a new keyword in global section to

[PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Patrick Gansterer
Make the digest and HMAC function of OpenSSL accessible to the user via converters. They can be used to sign and validate content. --- Makefile| 2 +- doc/configuration.txt | 9 reg-tests/sample_fetches/hashes.vtc | 22 src/crypto.c

Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Tim Düsterhus
Patrick, On 22.04.20 at 12:40 Patrick Gansterer wrote: > diff --git a/doc/configuration.txt b/doc/configuration.txt > index 2e548b66c..17b2debe5 100644 > --- a/doc/configuration.txt > +++ b/doc/configuration.txt > @@ -13918,6 +13918,10 @@ debug([]) >Example: > tcp-request connection tra

Re: [PATCH 0/2] *** Add TT timer ***

2020-04-22 Thread Willy Tarreau
Hi Damien, On Thu, Apr 16, 2020 at 04:03:19PM +, Damien Claisse wrote: > What I'm actually interested in is assessing real-world total time taken to > serve a client request (as seen from the client such as reported by cURL or > in a browser network performance tab, except for DNS lookup time)

Re: [PATCH] MINOR: ssl: add ssl-skip-self-issued-ca global option

2020-04-22 Thread William Lallemand
On Wed, Apr 22, 2020 at 11:48:29AM +0200, Emmanuel Hocdet wrote: > > and voila: > > From fc1ae0229809d3eca7f7553ac210056c6537c4e4 Mon Sep 17 00:00:00 2001 > From: Emmanuel Hocdet > Date: Wed, 22 Apr 2020 11:06:19 +0200 > Subject: [PATCH] MINOR: ssl: add ssl-skip-self-issued-ca global option >

Re: [PATCH] ssl defaults enhancements

2020-04-22 Thread Jerome Magnin
On Wed, Apr 22, 2020 at 12:06:15PM +0200, Jerome Magnin wrote: > Hi, > [...] > The other patch adds a new keyword in global section to set default bind > curves. > I updated the second patch to remove the ability to set the default curves at build time because I did it wrong and I'm not sure it'

Re: [PATCH] ssl defaults enhancements

2020-04-22 Thread William Lallemand
On Wed, Apr 22, 2020 at 12:06:11PM +0200, Jerome Magnin wrote: > From d86993cbd4476e1901eafdc7fbe88d31ca6f8e90 Mon Sep 17 00:00:00 2001 > From: Jerome Magnin > Date: Wed, 22 Apr 2020 11:40:18 +0200 > Subject: [PATCH] BUG/MINOR: ssl: default settings for ssl server options are > not used > > Fro

Re: [ANNOUNCE] haproxy-2.1.4

2020-04-22 Thread Tim Düsterhus
Willy, On 21.04.20 at 16:58 Willy Tarreau wrote: >> I would also be interested in how Felix Wilhelm performed the fuzzing, >> do you happen to have details about that? > > No, I only got the information that was just made public. But do not > hesitate to contact Felix about this, I'm sure he wi

How to suppress weak ciphers

2020-04-22 Thread Branitsky, Norman
HA-Proxy version 1.7.10-a7dcc3b 2018/01/02 SSL Labs reports the CBC ciphers are "weak": [image attachment] I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to no avail: ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-d

Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Patrick Gansterer
Tim, thanks for the review. I just rebased my old patch today and didn't check what changed in the meantime in the codebase. I created a separate patch to move aes_gcm_dec out of ssl_sock.c since it seems to fit better in my new file. - Patrick >From 8f6ce045c80e0f67a485233ee602b57b4c311bde Mo

Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Tim Düsterhus
Patrick, On 22.04.20 at 17:30 Patrick Gansterer wrote: > Tim, > > thanks for the review. I just rebased my old patch today and didn't check > what > changed in the meantime in the codebase. I created a separate patch to move > aes_gcm_dec out of ssl_sock.c since it seems to fit better in my

Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Patrick Gansterer
Tim, sorry for the trouble. My mail program added automatic line breaks. :-( I attached the two files now. - Patrick >From 8f6ce045c80e0f67a485233ee602b57b4c311bde Mon Sep 17 00:00:00 2001 From: Patrick Gansterer Date: Sun, 17 Jun 2018 11:21:11 +0200 Subject: [PATCH 1/2] MINOR: crypto: Move ae

Re: How to suppress weak ciphers

2020-04-22 Thread Jerome Magnin
Hi Norman, On Wed, Apr 22, 2020 at 03:29:28PM +, Branitsky, Norman wrote: > HA-Proxy version 1.7.10-a7dcc3b 2018/01/02 > SSL Labs reports the CBC ciphers are "weak": > > [image attachment] > > I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to > no

Re: How to suppress weak ciphers

2020-04-22 Thread Илья Шипицин
you can start with https://ssl-config.mozilla.org/ however, high security also means lower compatibility, i.e. old browsers fail on high security (ssl labs provide handshake table for that) Wed, 22 Apr 2020 at 20:32, Branitsky, Norman < norman.branit...@tylertech.com>: > HA-Proxy version 1.7.10

Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Tim Düsterhus
Patrick, On 22.04.20 at 17:41 Patrick Gansterer wrote: > diff --git a/doc/configuration.txt b/doc/configuration.txt > index 2e548b66c..6b5f5ecf9 100644 > --- a/doc/configuration.txt > +++ b/doc/configuration.txt > @@ -13918,6 +13918,13 @@ debug([]) >Example: > tcp-request connection tra

Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Patrick Gansterer
Tim, thx for the quick review. I attached a new patchset. On Wednesday, 22 April 2020 18:01:01 CEST Tim Düsterhus wrote: > Small nit: It should read 'e.g.' (with a dot at the end). Argh. Can't believe how many typos I made in these lines. ^^ > I believe you support a variable key now. You should

Re: [PATCH] MINOR: crypto: Add digest and hmac converters

2020-04-22 Thread Tim Düsterhus
Patrick, On 22.04.20 at 18:23 Patrick Gansterer wrote: > thx for the quick review. I attached a new patchset. > I don't find anything to complain about now. I'll now leave it up to the authority to either apply or complain. For MINOR: crypto: Add digest and hmac converters Reviewed-by: Tim D

RE: How to suppress weak ciphers

2020-04-22 Thread Branitsky, Norman
As you can see from my pasted configuration, I was specifying exactly 4 ciphers. The 2 weak CBC ciphers were magically appearing in the SSL Labs report. I tried to explicitly delete them - but the delete request is ignored. It seems that this entry, for example, must actually be a family: ECDHE-RS

RE: How to suppress weak ciphers

2020-04-22 Thread Zakharychev, Bob
FWIW, here's what we use in production with HAProxy 2.1.4 statically linked with OpenSSL 1.1.1f, gives us an A rating with 90 score for cipher strength from SSLLabs test: # recommended modern ciphersuites. Qualys SSLLab reports some of them # as weak due to use of inferior CBC mode, but

Re: How to suppress weak ciphers

2020-04-22 Thread Jerome Magnin
On Wed, Apr 22, 2020 at 06:20:14PM +, Branitsky, Norman wrote: > As you can see from my pasted configuration, I was specifying exactly 4 > ciphers. > The 2 weak CBC ciphers were magically appearing in the SSL Labs report. > I tried to explicitly delete them - but the delete request is ignored.

OT: I love this Project ;-)

2020-04-22 Thread Aleksandar Lazic
Hi all. I know it's a little bit off topic but because I have in another project reached a big milestone, with the support of the People here, I would like to say. HAProxy People and Community and Program is really great ;-) ;-) ;-) ;-). Very best wishes Aleks

Response time by http method

2020-04-22 Thread Seena Fallah
Hi all. I think there is a really missing parameter in prometheus exporter that there is no response time metric by HTTP method. To monitor the state of response times there is a need of this metric. Any plan to be added? Issue: https://github.com/haproxy/haproxy/issues/580 Thanks,

"COVID-19: Face Masks & Hand Sanitizer"

2020-04-22 Thread Joe Meese
Hello, Trying to get in contact with the purchasing team regarding face masks and hand sanitizer. We can urgently supply 3PY, N95, KN95, FFP2, FFP3, Hand Sanitizers, Gloves, Hazmat Suits at a great price. *Please check:* http://www.ppekits.net/supply/ Let me know if you have any questions. Th

RE: How to suppress weak ciphers

2020-04-22 Thread Branitsky, Norman
Jerome, Thanks for the clarification. This string: CHACHA20:AESGCM:AESCCM:!RSA resulted in an F grade from SSL Labs due to the inclusion of TLS_DH_anon ciphers: [image attachment] After adding the following to the end of the string, scored an A+: :!aNULL Norman Branits