show stat (CSV format) seems broken.

2024-01-22 Thread Emeric Brun
Hi All, Enabling agent-check breaks the parsing of the show stat's CSV for multiple script/soft parser I use: 3934 recvfrom(7, "L7OK,200,0,0,0,0,0,0,00,0,0,-1,,\"agent warns : Backend is using a static LB algorithm and only accepts weights '0%' and ", 128, 0, NULL, NULL) = 128 3935

Re: [PATCH] fine guard for ssl random extraction functions

2021-03-29 Thread Emeric Brun
On 3/26/21 3:10 PM, William Lallemand wrote: > On Fri, Mar 26, 2021 at 03:02:27PM +0100, Willy Tarreau wrote: >> On Fri, Mar 26, 2021 at 06:45:22PM +0500, ??? wrote: >>> Ping :) >> >> Ilya, please use the MAINTAINERS file to be sure to direct your messages >> to the relevant maintainers,

Re: [PR] Skip unsupported ciphers for ecdsa cert

2020-12-03 Thread Emeric Brun
Hi Marcoen, Before resubmitting, please remember to use more explicit variables to know server/client side cipher list. R, Emeric On 12/1/20 10:26 AM, Marcoen Hirschberg wrote: > Thanks, they are now enabled. > > I've fixed boringssl builds and tested it with libressl locally as well. > > I

Re: [PR] Add srvkey option to stick-table

2020-12-01 Thread Emeric Brun
Hi, On 11/30/20 10:23 AM, PR Bot wrote: > Dear list! > > Author: Thayne McCombs > Number of patches: 2 > > This is an automated relay of the Github pull request: >Add srvkey option to stick-table > > Patch title(s): >Add srvkey option to stick-table >Harden sa2str agains

Re: Question: How to not reset the TTL on a stick table entry?

2020-11-04 Thread Emeric Brun
Hi Nick, On 11/2/20 10:26 PM, Nick Ramirez wrote: > Hello, > > In my HAProxy config, I would like to ban people for a certain amount of time > by setting a general-purpose counter from 0 to 1, where 1 = banned, in a > stick table. When the stick table entry expires, the counter is reset to 0

Re: DNS Load balancing needs feedback and advice.

2020-11-04 Thread Emeric Brun
Hi Dinko, > Sadly I haven’t had Kube-DNS anywhere and i think that CoreDNS is supposed to > be way to go from Kube-DNS. Hope this helps. It does. Really appreciate! R, Emeric

Re: DNS Load balancing needs feedback and advice.

2020-11-03 Thread Emeric Brun
Hi Dinko, On 11/3/20 11:52 AM, Dinko Korunic wrote: > On 3 Nov 2020, at 10:51, Emeric Brun wrote: >> >>> […] >>> >>> We are requesting the community and experienced users of DNS servers to >>> share their thoughts about this. >> >

Re: DNS Load balancing needs feedback and advice.

2020-11-03 Thread Emeric Brun
Hi All, On 11/2/20 3:41 PM, Emeric Brun wrote: > Hi All, > > We are currently studying to develop a DNS messages load balancer (into > haproxy core) > > After a global pass on RFCs (DNS, DNS over TCP, eDNS, DNSsec ...) we noticed > that practices on DNS have largely evol

Re: DNS Load balancing needs feedback and advice.

2020-11-02 Thread Emeric Brun
Hi Lukas, > I find this a little surprising given that there already is a great > DNS load-balancer out there (dnsdist) from the folks at powerdns and > when I look at the status of the haproxy resolver, I don't feel like > DNS sparkes a huge amount of developer interest. Loadbalancing DNS > will

DNS Load balancing needs feedback and advice.

2020-11-02 Thread Emeric Brun
Hi All, We are currently studying to develop a DNS messages load balancer (into haproxy core) After a global pass on RFCs (DNS, DNS over TCP, eDNS, DNSsec ...) we noticed that practices on DNS have largely evolved since stone age. Since the last brainstorm meeting I had with Baptiste Assmann

Re: [PATCH 2/2] MINOR: ssl: add ssl_c_chain_der fetch method

2020-08-05 Thread Emeric Brun
Hi Williams, > +/* binary, returns a chain certificate in a binary chunk (der/raw). > + * The 5th keyword char is used to support only peer cert > + */ > +static int > +smp_fetch_ssl_x_chain_der(const struct arg *args, struct sample *smp, const > char *kw, void *private) > +{ > + struct

Re: [PATCH] BUG/MEDIUM: sink: fix crash when null sink is used in __do_send_log

2020-06-22 Thread Emeric Brun
Hi Daniel, Willy, On 6/19/20 9:22 PM, Willy Tarreau wrote: > Hi Daniel, > > On Thu, Jun 18, 2020 at 12:35:29AM -0400, Daniel Corbett wrote: >> Hello, >> >> >> When using a ring log in combination with proto fcgi, it was possible >> to cause a crash by sending a request for a non-existent fastcgi

Re: Peers Protocol "Table Type"

2020-06-02 Thread Emeric Brun
Hi All, On 6/2/20 1:10 PM, Tim Düsterhus wrote: > Emeric, > > On 02.06.20 at 11:29, Emeric Brun wrote: >> In attachement a proposed patch for this issue. >> > > Thanks. The changes to the doc look good to me. > > Regarding peers.c: > >> +/* ne

Re: Peers Protocol "Table Type"

2020-06-02 Thread Emeric Brun
Hi Tim, Willy, On 3/20/20 3:01 PM, Tim Düsterhus wrote: > Emeric, > > On 20.03.20 at 14:29, Emeric Brun wrote: >> So I understand that since 1.6 the SMP_T are directly announced on the wire >> for key types, and it breaks the documented values and this is hazardous to >

Re: [PR] Add verfied chain

2020-05-18 Thread Emeric Brun
Hi All, On 5/18/20 4:32 PM, William Dauchy wrote: > On Mon, May 18, 2020 at 3:58 PM William Lallemand > wrote: >> I suppose it was put in a PKCS7 container to be able to distinguish each >> DER part of the chain easily? So It can be used by an external tool. I'm not >> sure of what is done with

Re: Peers Protocol "Table Type"

2020-03-23 Thread Emeric Brun
Hi Willy, > >> The documented values are not used on any still supported haproxy's version. >> So I think it would be better to update the doc with the new ones >> and add a mapping to avoid further changes. > > Yep definitely. I'm trying to finish the scripts for the SSD management, and I

Re: Peers Protocol "Table Type"

2020-03-20 Thread Emeric Brun
Hi Tim, On 3/20/20 3:01 PM, Tim Düsterhus wrote: > Emeric, > > On 20.03.20 at 14:29, Emeric Brun wrote: >> So I understand that since 1.6 the SMP_T are directly announced on the wire >> for key types, and it breaks the documented values and this is hazardous to >> r

Re: Peers Protocol "Table Type"

2020-03-20 Thread Emeric Brun
Hi Willy, On 3/20/20 2:53 PM, Willy Tarreau wrote: > Hi Emeric, > > On Fri, Mar 20, 2020 at 02:29:48PM +0100, Emeric Brun wrote: >> So I understand that since 1.6 the SMP_T are directly announced on the wire >> for key types, and it breaks the documented values and this is

Re: Peers Protocol "Table Type"

2020-03-20 Thread Emeric Brun
On 3/14/20 12:47 PM, Willy Tarreau wrote: > On Sat, Mar 14, 2020 at 12:20:00PM +0100, Tim Düsterhus wrote: >> Willy, >> >> On 14.03.20 at 12:13, Willy Tarreau wrote: >>> Yes, feel free to do so, this will definitely help get it eventually done. >> >> Here it is:

Re: [PATCH] BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1

2019-11-18 Thread Emeric Brun
On 11/18/19 2:40 PM, William Lallemand wrote: > On Fri, Nov 15, 2019 at 06:49:10PM +0100, Willy Tarreau wrote: >> On Wed, Nov 06, 2019 at 06:47:50PM +0100, Emmanuel Hocdet wrote: >>> Hi, >>> >>> Very difficult to trigger the bug, except with specific test configuration >>> like: >>> crt-list: >>>

Re: [External] Re: QAT intermittent healthcheck errors

2019-05-13 Thread Emeric Brun
Hi Marcin, > > Thank you Marcin, It shows that haproxy is waiting for an event on all those > fds because crypto jobs were launched on the engine > and we can't free the session until the end of this job (it would result in a > segfault). > > So the processes are stuck, unable to free

Re: [External] Re: QAT intermittent healthcheck errors

2019-05-07 Thread Emeric Brun
On 5/7/19 3:35 PM, Marcin Deranek wrote: > Hi Emeric, > > On 5/7/19 1:53 PM, Emeric Brun wrote: >> On 5/7/19 1:24 PM, Marcin Deranek wrote: >>> Hi Emeric, >>> >>> On 5/7/19 11:44 AM, Emeric Brun wrote: >>>> Hi Marcin,>>>>>&

Re: [External] Re: QAT intermittent healthcheck errors

2019-05-07 Thread Emeric Brun
On 5/7/19 1:24 PM, Marcin Deranek wrote: > Hi Emeric, > > On 5/7/19 11:44 AM, Emeric Brun wrote: >> Hi Marcin,>>>>>> As I use HAProxy 1.8 I had to adjust the patch (see >> attachment for end result). Unfortunately after applying the patch there is >&

Re: QAT intermittent healthcheck errors

2019-05-07 Thread Emeric Brun
Hi Marcin,>> As I use HAProxy 1.8 I had to adjust the patch (see attachment for end result). Unfortunately after applying the patch there is no change in behavior: we still leak /dev/usdm_drv descriptors and have "stuck" HAProxy instances after reload. >>> Regards, >> >> Could you perform

Re: QAT intermittent healthcheck errors

2019-05-06 Thread Emeric Brun
Hi Marcin, On 5/6/19 3:31 PM, Emeric Brun wrote: > Hi Marcin, > > On 5/6/19 3:15 PM, Marcin Deranek wrote: >> Hi Emeric, >> >> On 5/3/19 5:54 PM, Emeric Brun wrote: >>> Hi Marcin, >>> >>> On 5/3/19 4:56 PM, Marcin Deranek wrote: >>

Re: QAT intermittent healthcheck errors

2019-05-06 Thread Emeric Brun
Hi Marcin, On 5/6/19 3:15 PM, Marcin Deranek wrote: > Hi Emeric, > > On 5/3/19 5:54 PM, Emeric Brun wrote: >> Hi Marcin, >> >> On 5/3/19 4:56 PM, Marcin Deranek wrote: >>> Hi Emeric, >>> >>> On 5/3/19 4:50 PM, Emeric Brun wrote: >>>

Re: [External] Re: QAT intermittent healthcheck errors

2019-05-03 Thread Emeric Brun
Hi Marcin, On 5/3/19 4:56 PM, Marcin Deranek wrote: > Hi Emeric, > > On 5/3/19 4:50 PM, Emeric Brun wrote: > >> I've a testing platform here but I don't use the usdm_drv but the >> qat_contig_mem and I don't reproduce this issue (I'm using QAT 1.5, as the >>

Re: [External] Re: QAT intermittent healthcheck errors

2019-05-03 Thread Emeric Brun
s > /dev/uio19 > /dev/uio3 > /dev/uio35 > /dev/usdm_drv > > * 2nd gen: > > # ls -al /proc/41637/fd|awk '/dev/ {print $NF}'|sort > /dev/null > /dev/null > /dev/qat_adf_ctl > /dev/qat_adf_ctl > /dev/qat_adf_ctl > /dev/qat_dev_processes > /dev/uio23 >

Re: [External] Re: QAT intermittent healthcheck errors

2019-05-03 Thread Emeric Brun
Hi Marcin, On 4/29/19 6:41 PM, Marcin Deranek wrote: > Hi Emeric, > > On 4/29/19 3:42 PM, Emeric Brun wrote: >> Hi Marcin, >> >>> >>>> I've also a contact at intel who told me to try this option on the qat >>>> engine: >

Re: leak of handle to /dev/urandom since 1.8?

2019-05-03 Thread Emeric Brun
Hi Lukas, On 5/3/19 1:49 PM, William Lallemand wrote: > On Fri, May 03, 2019 at 01:38:00PM +0200, Lukas Tribus wrote: >> Hello everyone, >> >> >> On Fri, 3 May 2019 at 12:50, Robert Allen1 wrote: >>> +#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10101000L) >>> + if

Re: QAT intermittent healthcheck errors

2019-04-29 Thread Emeric Brun
Hi Marcin, > >> I've also a contact at intel who told me to try this option on the qat >> engine: >> >>> --disable-qat_auto_engine_init_on_fork/--enable-qat_auto_engine_init_on_fork >>> Disable/Enable the engine from being initialized automatically >>> following a >>> fork operation.

Re: [External] Re: QAT intermittent healthcheck errors

2019-04-29 Thread Emeric Brun
Hi Marcin, On 4/19/19 3:26 PM, Marcin Deranek wrote: > Hi Emeric, > > On 4/18/19 4:35 PM, Emeric Brun wrote: >>> An other interesting trace would be to perform a "show sess" command on a >>> stuck process through the master cli. >> >> And a

Re: QAT intermittent healthcheck errors

2019-04-18 Thread Emeric Brun
On 4/18/19 11:06 AM, Emeric Brun wrote: > Hi Marcin, > > On 4/12/19 6:10 PM, Marcin Deranek wrote: >> Hi Emeric, >> >> On 4/12/19 5:26 PM, Emeric Brun wrote: >> >>> Do you have ssl enabled on the server side? >> >> Yes,

Re: QAT intermittent healthcheck errors

2019-04-18 Thread Emeric Brun
Hi Marcin, On 4/12/19 6:10 PM, Marcin Deranek wrote: > Hi Emeric, > > On 4/12/19 5:26 PM, Emeric Brun wrote: > >> Do you have ssl enabled on the server side? > > Yes, ssl is on frontend and backend with ssl checks enabled. > >> If it is the case could repla

Re: [External] Re: QAT intermittent healthcheck errors

2019-04-12 Thread Emeric Brun
to miss a cleanup of their ssl sessions using the QAT. (this is just an assumption) R, Emeric On 4/12/19 4:43 PM, Marcin Deranek wrote: > Hi Emeric, > > On 4/10/19 2:20 PM, Emeric Brun wrote: > >> On 4/10/19 1:02 PM, Marcin Deranek wrote: >>> Hi Emeric, >&

Re: [External] Re: QAT intermittent healthcheck errors

2019-04-10 Thread Emeric Brun
Hi Marcin, > You can also use the 'master CLI' using '-S' and you could check if it > remains sessions on those older processes (doc is available in management.txt) Here the doc: https://cbonte.github.io/haproxy-dconv/1.9/management.html#9.4 Emeric

Re: [External] Re: QAT intermittent healthcheck errors

2019-04-10 Thread Emeric Brun
Hi Marcin, On 4/10/19 1:02 PM, Marcin Deranek wrote: > Hi Emeric, > > Our process limit in QAT configuration is quite high (128) and I was able to > run 100+ openssl processes without a problem. According to Joel from Intel > problem is in cleanup code - presumably when HAProxy exits and frees

Re: QAT intermittent healthcheck errors

2019-04-09 Thread Emeric Brun
Hi Marcin, On 4/9/19 3:07 PM, Marcin Deranek wrote: > Hi Emeric, > > I have followed all instructions and I got to the point where HAProxy starts > and does the job using QAT (backend healthchecks work and I frontend can > provide content over HTTPS). The problems starts when HAProxy gets

Re: [PATCH] MINOR: ssl: Add aes_gcm_dec converter

2019-03-22 Thread Emeric Brun
On 3/22/19 12:04 PM, Nenad Merdanovic wrote: > I've just renamed the converter based on Emeric's suggestion. And fixed a > typo in the doc of course. > > Regards, > Nenad > Thanks Nenad, well done! R, Emeric

Re: [PATCH] ssl: ability to set TLS 1.3 ciphers using ssl-default-server-ciphersuites

2019-03-22 Thread Emeric Brun
Hi Pierre, On 3/21/19 5:15 PM, Pierre Cheynier wrote: > Any attempt to put TLS 1.3 ciphers on servers failed with output 'unable > to set TLS 1.3 cipher suites'. > > This was due to usage of SSL_CTX_set_cipher_list instead of > SSL_CTX_set_ciphersuites in the TLS 1.3 block (protected by >

Re: [External] Re: QAT intermittent healthcheck errors

2019-03-13 Thread Emeric Brun
Hi Marcin, On 3/11/19 4:27 PM, Marcin Deranek wrote: > On 3/11/19 11:51 AM, Emeric Brun wrote: > >> Mode async is enabled on both sides, server and frontend side. >> >> But on server side, haproxy is using session resuming, so there is a new key >> computatio

Re: QAT intermittent healthcheck errors

2019-03-11 Thread Emeric Brun
On 3/11/19 11:51 AM, Emeric Brun wrote: > On 3/11/19 11:06 AM, Marcin Deranek wrote: >> Hi Emeric, >> >> On 3/8/19 11:24 AM, Emeric Brun wrote: >>> Are you sure that servers won't use ECDSA certificates? Do you check that >>> conn are successful forcing 'ECD

Re: QAT intermittent healthcheck errors

2019-03-11 Thread Emeric Brun
On 3/11/19 11:06 AM, Marcin Deranek wrote: > Hi Emeric, > > On 3/8/19 11:24 AM, Emeric Brun wrote: >> Are you sure that servers won't use ECDSA certificates? Do you check that >> conn are successful forcing 'ECDHE-RSA-AES256-GCM-SHA384' > > Backend servers o

Re: QAT intermittent healthcheck errors

2019-03-08 Thread Emeric Brun
Hi Marcin, On 3/7/19 6:43 PM, Marcin Deranek wrote: > Hi, > > On 3/6/19 6:36 PM, Emeric Brun wrote: >> According to the documentation: >> >> ssl-mode-async >>    Adds SSL_MODE_ASYNC mode to the SSL context. This enables asynchronous TLS >>    I/O operati

Re: QAT intermittent healthcheck errors

2019-03-06 Thread Emeric Brun
Hi Marcin, On 3/6/19 3:23 PM, Marcin Deranek wrote: > Hi, > > In a process of evaluating performance of Intel Quick Assist Technology in > conjunction with HAProxy software I acquired Intel C62x Chipset card for > testing. I configured QAT engine in the following manner: > > *

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Emeric Brun
Hi Willy, On 1/21/19 6:38 PM, Dirkjan Bussink wrote: > Hi Emeric, > >> On 21 Jan 2019, at 08:06, Emeric Brun wrote: >> >> Interesting, it would be good to skip the check using the same method. >> >> We must stay careful to not put the OP_NO_RENEG flag

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Emeric Brun
On 1/21/19 3:37 PM, Dirkjan Bussink wrote: > Hi all, > >> On 21 Jan 2019, at 02:01, Emeric Brun wrote: >> >> Is there a way to check this is a keyupdate message which trigger the >> callback (and not an other)? > > Sadly there is not. I had taken a look

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Emeric Brun
Hi Adam, On 1/20/19 10:12 PM, Adam Langley wrote: > KeyUpdate messages are a feature of TLS 1.3 that allows the symmetric > keys of a connection to be periodically rotated. It's > mandatory-to-implement in TLS 1.3, but not mandatory to use. Google > Chrome tried enabling KeyUpdate and promptly

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-01-07 Thread Emeric Brun
Hi Manu, On 1/7/19 5:59 PM, Emmanuel Hocdet wrote: > It's better with patches… > >> On 7 January 2019 at 17:57, Emmanuel Hocdet wrote: >> >> Hi, >> >> Following the first patch series (included). >> The goal is to deduplicate common certificates in memory and in shared

Re: sample/fetch support for TLS extensions

2018-10-19 Thread Emeric Brun
Hello Alexey, On 10/18/18 11:17 PM, Lukas Tribus wrote: > Hello Alexey, > > > On Tue, 16 Oct 2018 at 14:18, Alexey Elymanov wrote: >> >> I would like to propose a little patch, based on current ssl_capture >> (ssl_sock.c) scheme. >> Purpose is to be able to sample/fetch TLS extensions, it

Re: TLS 1.3 options available with OpenSSL 1.1.1

2018-09-24 Thread Emeric Brun
Hi Dirkjan, On 09/24/2018 11:55 AM, Dirkjan Bussink wrote: > Hi all, > > Given all the critical security issue and that you all were busy with that, I > suspect this didn’t get much additional eyes. Now that that fix is out the > door, I’m wondering if there’s any feedback or further input for

Re: TLS 1.3 options available with OpenSSL 1.1.1

2018-09-14 Thread Emeric Brun
Hi Lukas, Dirkjan, On 09/13/2018 10:17 PM, Lukas Tribus wrote: > Hello Dirkjan, > > > On Thu, 13 Sep 2018 at 16:44, Dirkjan Bussink wrote: >> So with a new API call, does that mean adding for example a `ciphersuites` >> option that works similar to `ciphers` today that it accepts a string and

Re: BUG/MEDIUM ssl: Fix loading of dhaparams in multicert setups.

2018-09-10 Thread Emeric Brun
Hi Francisco, On 09/10/2018 02:43 PM, klondike wrote: > On 10/09/18 at 11:25, Emeric Brun wrote: >> Hi Francisco, > Hi Emeric! > > First of all thanks for taking the time to review my patch. It is my > first time contributing (and it was also my first time using) HA

Re: BUG: ssl: regression with openssl 1.1.1 when using <= TLSv1.2

2018-09-03 Thread Emeric Brun
Hi Lukas, On 09/02/2018 03:31 PM, Lukas Tribus wrote: > Hello, > > > On Sat, 1 Sep 2018 at 20:49, Lukas Tribus wrote: >>> I've confirmed the change in behavior only happens with an ECC >>> certificate, an RSA certificate is not affected. >> >> Just to confirm that this is still an actual

Re: [Patch] multiple key type bundles are not loaded correctly in certain cases

2018-08-16 Thread Emeric Brun
ic >From b7698752256a405ee32f0ac412eec7a25163c459 Mon Sep 17 00:00:00 2001 From: Emeric Brun Date: Thu, 16 Aug 2018 15:14:12 +0200 Subject: [PATCH 2/2] BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error. If the dh parameter is not found, the openssl's error g

Re: Bug when passing variable to mapping function

2018-07-17 Thread Emeric Brun
p->data.u.str.str is for example >> 'distri.com' and after get_trash_chunk() smp->data.u.str.str >> is '\000istri.com'. >> >> At the moment I don't have time to dig deeper, but hopefully this >> helps a little bit. > > Thanks for the detailed analysis, rel

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-06-29 Thread Emeric Brun
Hi Lukas, On 06/27/2018 04:48 AM, Willy Tarreau wrote: > On Wed, Jun 27, 2018 at 01:44:08AM +0200, Lukas Tribus wrote: >> Hey guys, >> >> >> FYI after lots of discussions with openssl folks: >> >> https://github.com/openssl/openssl/issues/5330 >> https://github.com/openssl/openssl/pull/6388 >>

Re: haproxy and solarflare onload

2018-06-12 Thread Emeric Brun
Hi Elias, On 05/28/2018 04:08 PM, Elias Abacioglu wrote: > Hi Willy and HAproxy folks! > > Sorry for bumping this old thread. But Solarflare recently released a new > Onload version. > http://www.openonload.org/download/openonload-201805-ReleaseNotes.txt >

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-05-24 Thread Emeric Brun
Hi Lukas, On 05/24/2018 11:27 AM, Lukas Tribus wrote: > Hi Emeric, > > > On 24 May 2018 at 11:19, Emeric Brun <eb...@haproxy.com> wrote: >> in pre6 there is a new wrapping function on getrandom which has different >> fallback ways to use the syscall. >&

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-05-24 Thread Emeric Brun
Hi Lukas, On 05/23/2018 09:48 PM, Lukas Tribus wrote: > Hello, > > > On 23 May 2018 at 18:29, Emeric Brun <eb...@haproxy.com> wrote: >> This issue was due to openssl-1.1.1 which re-seed after an elapsed time or >> number of request. >> >> If /dev/uran

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-05-23 Thread Emeric Brun
Hi Sander, Lukas, On 05/23/2018 02:32 PM, Lukas Tribus wrote: > Hello, > > On 23 May 2018 at 13:10, Sander Hoentjen wrote: >> I can confirm the issue is gone when I don't use chroot. I will try to >> see if I can get more info like a strace soon. I won't be able to today >>

Re: Dynamically adding/deleting SSL certificates

2018-05-22 Thread Emeric Brun
Hi Aurélien, On 05/18/2018 11:07 AM, Aurélien Nephtali wrote: > Hello, > > On Wed, Apr 18, 2018 at 9:34 PM, Aurélien Nephtali > wrote: >> Hello, >> >> I have some patches to support dynamically loading and unloading PEM >> certificates through the CLI. It is mainly a

Re: [RFC PATCH] MINOR: ssl: set SSL_OP_PRIORITIZE_CHACHA

2018-05-22 Thread Emeric Brun
Hi Lukas, Willy, On 05/18/2018 05:55 PM, Lukas Tribus wrote: > Sets OpenSSL 1.1.1's SSL_OP_PRIORITIZE_CHACHA unconditionally, as per [1]: > > When SSL_OP_CIPHER_SERVER_PREFERENCE is set, temporarily reprioritize > ChaCha20-Poly1305 ciphers to the top of the server cipher list if a >

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-05-22 Thread Emeric Brun
Hi Sander, On 05/22/2018 02:04 PM, Sander Hoentjen wrote: > On 05/22/2018 12:04 PM, Lukas Tribus wrote: >> Hello, >> >> On 22 May 2018 at 11:48, Sander Hoentjen wrote: >>> I did, but I still experience the same issues. What is your exact >>> haproxy version you tested with?

Re: BUG: ssl: regression with openssl 1.1.1 when using <= TLSv1.2

2018-05-22 Thread Emeric Brun
Hi Lukas, I've just made some tests using openssl-1.1.1-pre6 and can't reproduce the issue. Here is my simple configuration: frontend my mode http bind :443 ssl crt default strict-sni redirect location / (default certificate CN is aloha) I've tested with

Re: [PATCH 2/2] MINOR: ssl: add fetch 'ssl_fc_session_key' and 'ssl_bc_session_key'

2018-04-30 Thread Emeric Brun
Hi Patrick, On 04/29/2018 01:15 AM, Patrick Hemmer wrote: > > These fetches return the SSL master key of the front/back connection. > This is useful to decrypt traffic encrypted with ephemeral ciphers. > --- > doc/configuration.txt | 13 + > src/ssl_sock.c| 35

Re: [PATCH 1/2] MINOR: ssl: disable SSL sample fetches when unsupported

2018-04-30 Thread Emeric Brun
Hi Patrick, On 04/29/2018 01:15 AM, Patrick Hemmer wrote: > > Previously these fetches would return empty results when HAProxy was > compiled > without the requisite SSL support. This results in confusion and problem > reports from people who unexpectedly encounter the behavior. > --- >

Re: Fix building haproxy 1.8.5 with LibreSSL 2.6.4

2018-04-18 Thread Emeric Brun
On 04/16/2018 02:30 PM, Dmitry Sivachenko wrote: > >> On 07 Apr 2018, at 17:38, Emmanuel Hocdet wrote: >> >> >> Hi Andy >> >>> On 31 March 2018 at 16:43, Andy Postnikov wrote: >>> >>> I used to rework previous patch from Alpinelinux to build with latest

Re: Warning: upgrading to openssl master+ enable_tls1_3 (coming v1.1.1) could break handshakes for all protocol versions.

2018-03-28 Thread Emeric Brun
Hi Lukas, > > FYI OpenSSL did a 180 on this, they are implemented a new API call to > set TLSv1.3 ciphers and enable them by default: > > https://github.com/mattcaswell/openssl/commit/d93e832a82087a5f9bcf7d93ed7ae21bc6c1fed0 > >

Warning: upgrading to openssl master+ enable_tls1_3 (coming v1.1.1) could break handshakes for all protocol versions.

2018-01-12 Thread Emeric Brun
Hi All, FYI: upgrading to next openssl-1.1.1 could break your prod if you're using a forced cipher list, because the handshake will fail regardless of the TLS protocol version if you don't specify a cipher valid for TLSv1.3 in your cipher list. https://github.com/openssl/openssl/issues/5057

Re: haproxy+QAT memory usage very high under busy traffic

2018-01-09 Thread Emeric Brun
Hi Julian, On 01/09/2018 03:28 PM, Willy Tarreau wrote: > Hi Julian, > > On Tue, Jan 09, 2018 at 08:50:48AM +, Julian Zhu wrote: >> We are testing haproxy+QAT card(Intel QuickAssist-Technology) and find that >> the memory usage of haproxy+QAT is much higher than that of haproxy alone. >>

Re: Traffic delivered to disabled server when cookie persistence is enabled after upgrading to 1.8.1

2017-12-21 Thread Emeric Brun
n > > me (I'll won't be very available for the next days). > > Thus I'll ping Emeric tomorrow as well so that we can issue 1.8.2 soon in > case someone wants to play with it on friday afternoon jus before xmas :-) > > Willy > > >From db483435c294541cba

Re: Re: Haproxy SSl Termination performance issue

2017-12-21 Thread Emeric Brun
Hi Mike, Thierry is right, 4096 RSA key computation clearly has a heavy CPU cost. In our internal benchmark we noticed: Using one process of haproxy on one core of i7-4790K CPU @ 4.00GHz we reach 170 con/s (comparatively 1350 con/s using 2048 rsa key). Usually this CPU usage isn't so high

Re: [PATCH] BUG/MEDIUM: email-alert: don't set server check status from a email-alert task

2017-12-07 Thread Emeric Brun
Hi Pieter, I'm CCing Christopher, he did some test on your patch. R, Emeric On 12/06/2017 07:06 AM, Willy Tarreau wrote: > Hi Pieter, > > CCing Emeric since these parts have changed a bit for threads and > there may be some subtle things we oversee. > > thanks for this! > Willy > > On Wed,

Re: server DOWN and can not auto restore to MAINT state when use DNS SRV resolvers

2017-12-06 Thread Emeric Brun
Hi All, On 12/06/2017 04:00 AM, slene wrote: >>1. running two container and publish port 80 but not really listening >>to 80. > I simulate a service fault. (eg: port missed config). > And in step 2 the health check has layer4 failed: Connection refused. > >> As you writen in 3 there is "DNS NX"

Re: Fix building haproxy with recent LibreSSL

2017-10-25 Thread Emeric Brun
On 10/24/2017 05:57 PM, Emmanuel Hocdet wrote: > >> On 3 August 2017 at 10:07, Willy Tarreau wrote: >> >> Hi Bernard, >> >> I'm CCing Emeric since this affects SSL. I have some comments below. >> >> On Tue, Jul 25, 2017 at 05:03:10PM +0200, Bernard Spil

Re: Possible bug in task_wakeup() impacts Lua tasks

2017-10-17 Thread Emeric Brun
Hi Adis, On 10/17/2017 05:48 PM, Emeric Brun wrote: > Hi Adis, > > On 10/17/2017 05:41 PM, Adis Nezirovic wrote: >> Hello guys, >> >> After this commit: >> >> commit 0194897e540cec67d7d1e9281648b70efe403f08 >> Author: Emeric Brun <eb...@ha

Re: Possible bug in task_wakeup() impacts Lua tasks

2017-10-17 Thread Emeric Brun
Hi Adis, On 10/17/2017 05:41 PM, Adis Nezirovic wrote: > Hello guys, > > After this commit: > > commit 0194897e540cec67d7d1e9281648b70efe403f08 > Author: Emeric Brun <eb...@haproxy.com> > Date: Thu Mar 30 15:37:25 2017 +0200 > > MAJOR: task: task

Re: [PATCH] MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use

2017-09-04 Thread Emeric Brun
Hi Thierry, On 09/01/2017 06:07 PM, Emmanuel Hocdet wrote: > Hi Thierry, > > This patch is related to « Capturing browser TLS cipher suites » thread. > I think it will match the initial need but without internal ssl structure > usage, and > work with openssl 1.0.2 to 1.1.1 and boringssl. >

Re: [PATCH] MINOR: ssl: remove duplicate ssl_methods in struct bind_conf

2017-09-04 Thread Emeric Brun
On 08/09/2017 07:07 PM, Emmanuel Hocdet wrote: > Hi Willy, > > Patch is not related to openssl version x. It's an internal structure cleanup. > I don't label it as CLEANUP because it removes a potential source of errors > (this is debatable). > If you can consider it. > > Thanks. > Manu > > >

Re: [PATCH] MINOR: ssl: remove duplicate ssl_methods in struct bind_conf

2017-09-01 Thread Emeric Brun
Hi Manu, On 09/01/2017 05:56 PM, Emmanuel Hocdet wrote: > > Hi Willy, Emeric > > Can you consider it? > > ++ > Manu > >> On 9 August 2017 at 19:07, Emmanuel Hocdet wrote: >> >> Hi Willy, >> >> Patch is not related to openssl version x. It's an internal structure cleanup. >> I

Re: Feature request: disable CA/distinguished names.

2017-07-27 Thread Emeric Brun
Hi Manu, Could you add a block '{ }' or move the comment to the following lines: + if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names)) + /* set CA names fo client cert request, function returns void */

Re: [PATCH] BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0

2017-07-12 Thread Emeric Brun
Hi Manu, On 07/12/2017 03:23 PM, Willy Tarreau wrote: > Hi Manu! > > Please don't forget to CC Emeric and keep in mind that I still don't > understand anything about openssl, so for me it's always a huge pain > each time to try to have an opinion on openssl related changes. > > On Wed, Jul 12,

Re: ssl: crashing since 8d85aa (BUG/MAJOR: map: fix segfault ...)

2017-07-05 Thread Emeric Brun
with -dM or -DDEBUG_MEMORY), another commit... > Now it points to 23e9e931 (MINOR: log: Add logurilen tunable). > > Hi Lukas, Indeed this commit introduced a regression. The commit in attachment should fix the issue. R, Emeric >From 595396561c380aa100e2c1f80299e5fadd18e663 Mon Se

Re: OpenSSL engine and async support

2017-06-06 Thread Emeric Brun
Hi Grant, Willy, On 05/27/2017 09:03 PM, Grant Zhang wrote: > >> On May 26, 2017, at 22:21, Willy Tarreau wrote: >> >> Hi Emeric, Grant, >> >> patch set now merged! Thank you both for this great work! >> >> Willy > > Bravo! Really appreciate your and Emeric's help in this effort. >

Re: OpenSSL engine and async support

2017-05-22 Thread Emeric Brun
Hi Willy, On 05/17/2017 10:10 PM, Willy Tarreau wrote: > Hi Emeric, > > On Wed, May 17, 2017 at 09:49:32PM +0200, Emeric Brun wrote: >> More fixes, it appears stable now, even if session are closed during >> handshake. >> >> I also added the support of mul

Re: [PATCH] MINOR: boringssl: basic support for OCSP Stapling

2017-05-22 Thread Emeric Brun
Hi Manu, On 03/29/2017 04:46 PM, Emmanuel Hocdet wrote: > > Use boringssl SSL_CTX_set_ocsp_response to set OCSP response from file with > '.ocsp' extension. CLI update is not supported. > Could you add this detail in the doc? R, Emeric

Re: OpenSSL engine and async support

2017-05-17 Thread Emeric Brun
Hi Grant, On 05/16/2017 12:05 PM, Emeric Brun wrote: > Hi Grant, > > On 05/15/2017 08:11 PM, Grant Zhang wrote: >> >>> On May 15, 2017, at 03:14, Emeric Brun <eb...@haproxy.com> wrote: >>> >>> What does it look like? >> New patches atta

Re: OpenSSL engine and async support

2017-05-16 Thread Emeric Brun
Hi Grant, On 05/15/2017 08:11 PM, Grant Zhang wrote: > >> On May 15, 2017, at 03:14, Emeric Brun <eb...@haproxy.com> wrote: >> >> What does it look like? > New patches attached. > >> >> The issue is very similar: >> https://mta.opens

Re: OpenSSL engine and async support

2017-05-15 Thread Emeric Brun
Hi Grant, On 05/15/2017 12:14 PM, Emeric Brun wrote: > On 05/13/2017 01:14 AM, Grant Zhang wrote: >> >>> On May 10, 2017, at 04:51, Emeric Brun <eb...@haproxy.com> wrote: >>> >>>> It looks like the main process stalls at DH_free(local_dh_1024) (part of

Re: OpenSSL engine and async support

2017-05-15 Thread Emeric Brun
On 05/13/2017 01:14 AM, Grant Zhang wrote: > >> On May 10, 2017, at 04:51, Emeric Brun <eb...@haproxy.com> wrote: >> >>> It looks like the main process stalls at DH_free(local_dh_1024) (part of >>> __ssl_sock_deinit). Not sure why but I will debug a

Re: OpenSSL engine and async support

2017-05-10 Thread Emeric Brun
Hi Grant, On 05/09/2017 10:38 PM, Grant Zhang wrote: > >> On May 9, 2017, at 02:38, Emeric Brun <eb...@haproxy.com> wrote: >> >> Hi Grant, >> >> On 05/06/2017 12:41 AM, Grant Zhang wrote: >>> Hi Emeric, >>> >>> Thanks for your r

Re: OpenSSL engine and async support

2017-05-09 Thread Emeric Brun
Hi Grant, On 05/06/2017 12:41 AM, Grant Zhang wrote: > Hi Emeric, > > Thanks for your review! Please see the updated patches and let me know if > your comments have been properly addressed. > > Thanks, > > Grant > > > > > > > >> On Ma

Re: [Patches] TLS methods configuration reworked

2017-05-09 Thread Emeric Brun
Hi, On 05/05/2017 06:12 PM, Emmanuel Hocdet wrote: > >> On 5 May 2017 at 17:21, Emmanuel Hocdet wrote: >> >> Hi Emeric, >> >>> On 28 April 2017 at 17:57, Emmanuel Hocdet wrote: >>> >>> Hi Emeric, Willy >>> >>> Up the thread with a compatible configuration

Re: OpenSSL engine and async support

2017-05-02 Thread Emeric Brun
Hi Grant, An other issue: static void ssl_sock_close(struct connection *conn) { if (conn->xprt_ctx) { if (global_ssl.async) { /* the async fd is created and owned by the SSL engine, which is * responsible for fd closure.

Re: [Patches] TLS methods configuration reworked

2017-04-28 Thread Emeric Brun
lk with Manu. R, Emeric >From 83b1ff6ef56a0c2fb502552bb1525de7b843d0d6 Mon Sep 17 00:00:00 2001 From: Emeric Brun <eb...@haproxy.com> Date: Fri, 28 Apr 2017 16:19:51 +0200 Subject: [PATCH] BUG/MINOR: ssl: fix warnings about methods for opensslv1.1. This patch replaces the calls to TLSvX_X_c

Re: OpenSSL engine and async support

2017-04-28 Thread Emeric Brun
Hi Grant, >>> >> >> I've made a POC of a soft async engine. Based on dasync engine it launches a >> thread on priv_rsa_enc to spread the load on multiple cores. >> >> Regarding openssl s_server it is efficient and scales very well depending on the >> number of cores (1700 rsa2048/s on one core, 7400

Re: OpenSSL engine and async support

2017-04-25 Thread Emeric Brun
Hi Grant, On 04/10/2017 05:16 PM, Grant Zhang wrote: > >> On Apr 10, 2017, at 07:42, Emeric Brun <eb...@haproxy.com> wrote: >> > >>> * openssl version (1.1.0b-e?) >> compiled 1.1.0e >>> >>> >> Could you provide patches rebased on
