How to configure DH groups for TLS 1.3

2024-05-02 Thread Froehlich, Dominik
Hello everyone, I’m hardening HAProxy for CVE-2002-20001 (DHEAT attack) at the moment. For TLS 1.2 I’m using the “tune.ssl.default-dh-param” option to limit the key size to 2048 bit so that an attacker can’t force huge keys and thus lots of CPU cycles on the server. However, I’ve noticed that

Re: How to check if a domain is known to HAProxy

2024-04-03 Thread Froehlich, Dominik
lemand Date: Wednesday, 3. April 2024 at 11:31 To: Froehlich, Dominik Cc: haproxy@formilux.org Subject: Re: How to check if a domain is known to HAProxy On Wed, Apr 03, 2024 at 07:47:44AM +, Froehlich, Dominik wrote: > Subject: How to check if a domain is known to HAProxy > Hello everyo

How to check if a domain is known to HAProxy

2024-04-03 Thread Froehlich, Dominik
Hello everyone, This may be kind of a peculiar request. We have the need to block requests that are not in the crt-list of our frontend. So, the expectation would be that HAProxy does a lookup of the domain (as it does for the crt-list entry) but for domain-fronted requests, i.e. we have to ch

Re: Question regarding option redispatch interval

2023-12-30 Thread Froehlich, Dominik
happy new year to everyone! D From: Froehlich, Dominik Date: Friday, 22. December 2023 at 15:13 To: haproxy@formilux.org Subject: Question regarding option redispatch interval

Question regarding option redispatch interval

2023-12-22 Thread Froehlich, Dominik
Hello, I’m trying to enable retries with redispatch on my HAProxy (v2.7.11) Here is my config for testing: defaults option redispatch retries 6 timeout connect 500ms frontend myfrontend bind :443 ssl crt /etc/cert/server.pem crt-list /crt-list default_backend test backend test ser

HAProxy 2.7.7: Unexpected messages during shutdown after upgrade

2023-05-15 Thread Froehlich, Dominik
Hi everyone, We have deployed 2.7.7 recently, to verify the CPU spike fixes we observed in https://github.com/haproxy/haproxy/issues/2046 The spikes seem to be fixed now. However, we are now observing log messages during shutdown that weren’t there before: May 12, 2023 @ 11:56:24.000 Pro

OpenSSL 1.1.1 vs 3.0 client cert verify "x509_strict" issues

2022-12-12 Thread Froehlich, Dominik
Hello HAproxy community! We’ve recently updated from OpenSSL 1.1.1 to OpenSSL 3.0 for our HAproxy deployment. We are now seeing some client certificates getting denied with these error messages: “SSL client CA chain cannot be verified”/“error:0A86:SSL routines::certificate verify failed”

Re: 2.5: Possibility to upgrade http/1.0 clients to http/1.1?

2022-05-11 Thread Froehlich, Dominik
Hi Willy, Thanks for the fruitful discussion! I’ve opened https://github.com/haproxy/haproxy/issues/1691 to track this feature request. Best Regards, Dominik From: Willy Tarreau Date: Monday, 9. May 2022 at 10:59 To: Froehlich, Dominik Cc: haproxy@formilux.org Subject: Re: 2.5: Possibility

Re: 2.5: Possibility to upgrade http/1.0 clients to http/1.1?

2022-05-09 Thread Froehlich, Dominik
e path, but well… that’s how they did it back then) Best Regards, Dominik From: Willy Tarreau Date: Sunday, 8. May 2022 at 11:36 To: Froehlich, Dominik Cc: haproxy@formilux.org Subject: Re: 2.5: Possibility to upgrade http/1.0 clients to http/1.1? Hello Dominik, On Thu, May 05, 2022 at 07:5

2.5: Possibility to upgrade http/1.0 clients to http/1.1?

2022-05-05 Thread Froehlich, Dominik
Hello everyone, We recently bumped our HAproxy deployment to 2.5 and are now getting hit by this fix: MEDIUM: mux-h1: Reject HTTP/1.0 GET/HEAD/DELETE requests with a payload http://git.haproxy.org/?p=haproxy-2.5.git;a=blob_plain;f=CHANGELOG The issue is we have many legacy customers using ver

Re: FW: Question regarding backend connection rates

2021-11-22 Thread Froehlich, Dominik
Date: Saturday, 20. November 2021 at 10:01 To: Froehlich, Dominik Cc: haproxy@formilux.org Subject: Re: FW: Question regarding backend connection rates Hi Dominik, On Fri, Nov 19, 2021 at 08:42:40AM +, Froehlich, Dominik wrote: > However, the number of "current sessions" at t

Re: Supported certificate formats?

2021-08-03 Thread Froehlich, Dominik
: Monday, 2. August 2021 at 20:14 To: "Froehlich, Dominik" Subject: Re: Supported certificate formats? if you are familiar with Wireshark, I suggest to capture Client Hello <--> Server Hello. certificates are displayed there, so you can see whether haproxy sends its certificate (and cha

Supported certificate formats?

2021-08-02 Thread Froehlich, Dominik
Hi, We have an issue with a client certificate in DER (binary) encoded PKCS7 format (.p7b). The file contains the full certificate chain and the CA-file at HAproxy matches the root CA of the chain, so it should work. However, the client connecting receives an “unknown CA” alert and HAproxy says

Re: SNI spoofing in HAproxy?

2021-07-05 Thread Froehlich, Dominik
rhus" wrote: Dominik, On 6/25/21 10:42 AM, Froehlich, Dominik wrote: > Your code sends a 421 if the SNI and host header don't match. > Is this the recommended behavior? The RFC is pretty thin here: > > " Since it is possible for a client to pr

Re: SNI spoofing in HAproxy?

2021-06-25 Thread Froehlich, Dominik
t only prevented it for mTLS Requests. Maybe like this: > http-request set-header Host %[ssl_fc_sni] if { ssl_c_used } What are your thoughts? Best regards, Dom On 24.06.21, 16:05, "Tim Düsterhus" wrote: Dominik, On 6/24/21 3:29 PM, Froehlich, Dominik wrote:

SNI spoofing in HAproxy?

2021-06-24 Thread Froehlich, Dominik
Hi, Not sure if you would call this a security issue, hence I am asking this on the mailing list prior to opening a github issue: I’ve noticed that it is really easy to bypass the check on client certificates of a domain when the client can present a valid certificate for another domain. Consi

HAproxy soft reload timeout?

2021-02-04 Thread Froehlich, Dominik
Hi, I am currently experimenting with the HAproxy soft reload functionality (USR2 to HAproxy master process). From what I understood, a new worker is started and takes over the listening sockets while the established connections remain on the previous worker until they are finished. The worker

HAproxy 2.2.5 possible bug in ssl crt-list socket commands?

2020-12-11 Thread Froehlich, Dominik
Hi, I am trying to implement a dynamic certificate updater for my crt-list in HAproxy 2.2.5. I have noticed that somehow, when I update an existing certificate and add it to the crt-list twice, I can never remove it again. Here is what I am doing at the moment: Step 1: Add a new certificate e

Logging mTLS handshake errors

2020-11-18 Thread Froehlich, Dominik
Hi everyone, Some of our customers are using mTLS to authenticate clients. There have been complaints that some certificates don’t work but we don’t know why. To shed some light on the matter, I’ve tried to add more info to our log format regarding TLS validation: log-format "%ci:%cp [%tr] (%ID

Re: Several CVEs in Lua 5.4

2020-07-29 Thread Froehlich, Dominik
bundled version (currently HAproxy 1.9.15 with Lua 5.3.5) but I don't know if it is safe to bump the Lua version only. Thanks and regards, D On 29.07.20, 11:06, "Lukas Tribus" wrote: Hello, On Wed, 29 Jul 2020 at 10:23, Froehlich, Dominik wrote: >

Several CVEs in Lua 5.4

2020-07-29 Thread Froehlich, Dominik
Hello everyone, Not sure if this is already addressed. Today I got a CVE report of several issues with Lua 5.3.5 up to 5.4. I believe Lua 5.4 is currently recommended to build with HAproxy 2.x? Before I open an issue on github I would like to ask if these are already known / addressed: Lua 5.3

MINOR: http: Fixed small typo in parse_http_return

2020-04-17 Thread Froehlich, Dominik
Hi, While looking for the solution for another problem I found a couple of small typos in a warning. Thanks for review/merge. Regards, Dominik Froehlich dominik.fro...@gmail.com dominik.froehl...@sap.com 0001-MINOR-http-Fixed