Re: Logging SSL pre-master-key

2017-06-16 Thread Willy Tarreau
Hi Patrick, On Fri, Jun 16, 2017 at 09:36:30PM -0400, Patrick Hemmer wrote: > The main reason I had for supporting the older code is that it seems > many (most?) linux distros, such as the one we use (CentOS/7), still > ship with 1.0.1 or 1.0.2. However since this is a minor change and a >

Re: Logging SSL pre-master-key

2017-06-16 Thread Patrick Hemmer
On 2017/6/16 09:34, Willy Tarreau wrote: > Hi Patrick, > > On Mon, Jun 12, 2017 at 07:31:36PM -0400, Patrick Hemmer wrote: >> I patched my haproxy to add a ssl_fc_session_key fetch, and with the >> value I was able to decrypt my test sessions encrypted with >>

Re: Possible regression in 1.6.12

2017-06-16 Thread Frederic Lecaille
On 06/16/2017 03:20 PM, Willy Tarreau wrote: On Fri, Jun 16, 2017 at 03:10:56PM +0200, Willy Tarreau wrote: Hi Veiko, On Fri, Jun 16, 2017 at 01:41:14PM +0300, Veiko Kukk wrote: So I have more info on this now. Veiko, first, I'm assuming that your config was using "resolvers dns_resolvers" on

Re: [ANNOUNCE] haproxy-1.7.6

2017-06-16 Thread Willy Tarreau
On Fri, Jun 16, 2017 at 07:49:16AM -0700, Kevin McArthur wrote: > Any chance of getting the SNI pass-through to verifyhost supported into the > next release? Bit of a security issue.. Unfortunately it cannot be backported since it doesn't exist at all in mainline. Someone has to figure out how to

Re: Possible regression in 1.6.12

2017-06-16 Thread Willy Tarreau
Hi Aleks, On Fri, Jun 16, 2017 at 05:00:19PM +0200, Aleksandar Lazic wrote: > > I tested both with 1.7.5 and 1.7.6 and can confirm that 1.7.5 has same > > request timeout issues that 1.6.12 has, but 1.7.6 works properly. > > So a perfect reason to stay on 1.7 branch ;-) Yes but here it's not

Re: master-worker and seamless reload (bug)

2017-06-16 Thread William Lallemand
On Fri, Jun 16, 2017 at 05:28:51PM +0200, Emmanuel Hocdet wrote: > Hi, > Hi Emmanuel, > I try to play with that, but I’m a little confused with the behaviour. > > In my test, I use alternately haproxy upgrade and worker reload (via USR2) > > start with upgrade: > # /usr/sbin/haproxy -f

master-worker and seamless reload (bug)

2017-06-16 Thread Emmanuel Hocdet
Hi, I try to play with that, but I’m a little confused with the behaviour. In my test, I use alternately haproxy upgrade and worker reload (via USR2) start with upgrade: # /usr/sbin/haproxy -f /var/lib/haproxy/ssl/ssl.cfg -p /var/run/haproxy_ssl.pid -D -W -n 131072 -L ssl_1 -x

Re: Possible regression in 1.6.12

2017-06-16 Thread Aleksandar Lazic
Hi Veiko Kukk, Veiko Kukk wrote on 16.06.2017: > On 16/06/17 16:20, Willy Tarreau wrote: >> >> I'm just realizing that it's very similar to the bug that Fred fixed here : >> >> https://www.mail-archive.com/haproxy@formilux.org/msg26040.html >> >> Here it hanged on the unix socket but the

Re: [ANNOUNCE] haproxy-1.7.6

2017-06-16 Thread Kevin McArthur
Any chance of getting the SNI pass-through to verifyhost supported into the next release? Bit of a security issue.. -- Kevin On 2017-06-16 6:31 AM, William Lallemand wrote: Hi, HAProxy 1.7.6 was released on 2017/06/16. It added 37 new commits after version 1.7.5. As you may know, I'm now

Re: SD Termination state after upgrade from 1.5.12 to 1.7.3

2017-06-16 Thread Christopher Faulet
On 16/06/2017 at 13:29, Juan Pablo Mora wrote: Linux version: Red Hat Enterprise Linux Server release 5.11 (Tikanga) Linux dpoweb08 2.6.18-417.el5 #1 SMP Sat Nov 19 14:54:59 EST 2016 x86_64 x86_64 x86_64 GNU/Linux HAProxy version: 1.7.5 Summary: After upgrading to HAProxy 1.7.5,

Re: Logging SSL pre-master-key

2017-06-16 Thread Willy Tarreau
Hi Patrick, On Mon, Jun 12, 2017 at 07:31:36PM -0400, Patrick Hemmer wrote: > I patched my haproxy to add a ssl_fc_session_key fetch, and with the > value I was able to decrypt my test sessions encrypted with > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. > > Since the implementation was fairly easy,

[ANNOUNCE] haproxy-1.7.6

2017-06-16 Thread William Lallemand
Hi, HAProxy 1.7.6 was released on 2017/06/16. It added 37 new commits after version 1.7.5. As you may know, I'm now part of the stable release team of HAProxy along with Willy and Cyril. This is my first stable release which fixes a few major bugs: - Olivier fixed a hang reported on FreeBSD.

Re: Possible regression in 1.6.12

2017-06-16 Thread Willy Tarreau
On Fri, Jun 16, 2017 at 03:10:56PM +0200, Willy Tarreau wrote: > Hi Veiko, > > On Fri, Jun 16, 2017 at 01:41:14PM +0300, Veiko Kukk wrote: > > > So I have more info on this now. Veiko, first, I'm assuming that your > > > config > > > was using "resolvers dns_resolvers" on the "server" line,

Re: Possible regression in 1.6.12

2017-06-16 Thread Willy Tarreau
Hi Veiko, On Fri, Jun 16, 2017 at 01:41:14PM +0300, Veiko Kukk wrote: > > So I have more info on this now. Veiko, first, I'm assuming that your config > > was using "resolvers dns_resolvers" on the "server" line, otherwise > > resolvers > > are not used. > > My real world configs use resolvers,

Re: Possible regression in 1.6.12

2017-06-16 Thread Veiko Kukk
Hi, Willy On 16/06/17 12:15, Willy Tarreau wrote: So I have more info on this now. Veiko, first, I'm assuming that your config was using "resolvers dns_resolvers" on the "server" line, otherwise resolvers are not used. My real world configs use resolvers, but timeouts happen even when

Re: Possible regression in 1.6.12

2017-06-16 Thread Willy Tarreau
On Fri, Jun 16, 2017 at 11:43:39AM +0200, Baptiste wrote: > Guys, > > I'll be able to have a look at this issue on Monday. > > I quickly read the thread, and I feel it simply looks like a configuration > issue. > Could you confirm what is the status of it? At this point I think so as well, we'll

Re: Possible regression in 1.6.12

2017-06-16 Thread Baptiste
Guys, I'll be able to have a look at this issue on Monday. I quickly read the thread, and I feel it simply looks like a configuration issue. Could you confirm what is the status of it? Baptiste

Re: Logging SSL pre-master-key

2017-06-16 Thread Emmanuel Hocdet
Hi Patrick, Lukas > On 13 June 2017 at 19:26, Lukas Tribus wrote: > > Hi Patrick, > > > On 13.06.2017 at 01:31, Patrick Hemmer wrote: >> >> >> On 2017/6/12 15:14, Lukas Tribus wrote: >>> Hello, >>> >>> >>> On 12.06.2017 at 19:35, Patrick Hemmer wrote: Would we be

Re: Possible regression in 1.6.12

2017-06-16 Thread Willy Tarreau
Hi guys, On Thu, Jun 15, 2017 at 11:41:43AM +0200, Willy Tarreau wrote: > On Thu, Jun 15, 2017 at 11:54:25AM +0300, Veiko Kukk wrote: > > On 14/06/17 17:37, Willy Tarreau wrote: > > > > > > Could you try to revert the attached patch which was backported to 1.6 > > > to fix an issue where nbproc

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-06-16 Thread Emmanuel Hocdet
> On 15 June 2017 at 16:42, Simos Xenitellis wrote: > > On Mon, Jun 12, 2017 at 5:21 PM, Emmanuel Hocdet wrote: >> In haproxy 1.8dev, default certificate can now be optional. >> This patch allows that. >> > > Thanks Manu for looking into this.