Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2021-05-02 18:35:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/haproxy (Old) and /work/SRC/openSUSE:Factory/.haproxy.new.1947 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy" Sun May 2 18:35:18 2021 rev:102 rq:889644 version:2.3.10+git0.4764f0e4e Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2021-04-06 17:30:52.555198029 +0200 +++ /work/SRC/openSUSE:Factory/.haproxy.new.1947/haproxy.changes 2021-05-02 18:35:30.817101828 +0200 
@@ -1,0 +2,41 @@ +Fri Apr 23 20:35:49 UTC 2021 - [email protected] + +- Update to version 2.3.10+git0.4764f0e4e: + * [RELEASE] Released version 2.3.10 + * BUG/MEDIUM: peers: re-work refcnt on table to protect against flush + * BUG/MEDIUM: peers: re-work connection to new process during reload. + * BUG/MINOR: peers: remove useless table check if initial resync is finished + * BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data + * BUG/MINOR: mworker: don't use oldpids[] anymore for reload + * BUG/MINOR: mworker/init: don't reset nb_oldpids in non-mworker cases + * BUG/MEDIUM: config: fix cpu-map notation with both process and threads + * BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames + * BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers + * BUG/MINOR: server: free srv.lb_nodes in free_server + * BUG/MINOR: mux-h1: Release idle server H1 connection if data are received + * BUG/MINOR: logs: Report the true number of retries if there was no connection + * BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function + * BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded + * BUG/MINOR: ssl-samples: Fix ssl_bc_* samples when called from a health-check + * MINOR: connection: Make bc_http_major compatible with tcp-checks + * BUG/MINOR: connection: Fix fc_http_major and bc_http_major for TCP connections + * MINOR: logs: Add support of checks as session origin to format lf strings + * BUG/MINOR: checks: Set missing id to the dummy checks frontend + * BUG/MEDIUM: threads: Ignore current thread to end its harmless period + * DOC: ssl: Certificate hot update only works on fronted certificates + * BUG/MEDIUM: sample: Fix adjusting size in field converter + * MINOR: No longer rely on deprecated sample fetches for predefined ACLs + * DOC: clarify that compression works for HTTP/2 + * BUG/MINOR: tools: fix parsing "us" unit for timers + * CONTRIB: halog: fix issue with array of 
type char + * REGTESTS: ssl: mark set_ssl_cert_bundle.vtc as broken + * DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options + * REGTESTS: ssl: "set ssl cert" and multi-certificates bundle + * BUG/MINOR: ssl: Add missing free on SSL_CTX in ckch_inst_free + * BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields + * BUG/MINOR: ssl: Prevent removal of crt-list line if the instance is a default one + * BUG/MINOR: ssl: Fix update of default certificate + * BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS + * BUG/MINOR: tcp: fix silent-drop workaround for IPv6 + +------------------------------------------------------------------- Old: ---- haproxy-2.3.9+git1.afb63bc04.tar.gz New: ---- haproxy-2.3.10+git0.4764f0e4e.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++ --- /var/tmp/diff_new_pack.KUyApt/_old 2021-05-02 18:35:31.397099355 +0200 +++ /var/tmp/diff_new_pack.KUyApt/_new 2021-05-02 18:35:31.401099339 +0200 @@ -53,7 +53,7 @@ %endif Name: haproxy -Version: 2.3.9+git1.afb63bc04 +Version: 2.3.10+git0.4764f0e4e Release: 0 # # ++++++ _service ++++++ --- /var/tmp/diff_new_pack.KUyApt/_old 2021-05-02 18:35:31.437099185 +0200 +++ /var/tmp/diff_new_pack.KUyApt/_new 2021-05-02 18:35:31.437099185 +0200 @@ -6,7 +6,7 @@ <param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="versionrewrite-replacement">\1</param> - <param name="revision">v2.3.9</param> + <param name="revision">v2.3.10</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.KUyApt/_old 2021-05-02 18:35:31.461099083 +0200 +++ /var/tmp/diff_new_pack.KUyApt/_new 2021-05-02 18:35:31.461099083 +0200 
@@ -7,4 +7,4 @@ <param name="url">http://git.haproxy.org/git/haproxy-2.2.git</param> <param name="changesrevision">34b2b106689c8a017eb5726193b199ea96f2c9f7</param></service><service name="tar_scm"> <param name="url">http://git.haproxy.org/git/haproxy-2.3.git</param> - <param name="changesrevision">afb63bc040ab53db7520eaef49b79970d2b636d9</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">4764f0e4eac1a823331f59e2a2c68e96e303a112</param></service></servicedata> \ No newline at end of file ++++++ haproxy-2.3.9+git1.afb63bc04.tar.gz -> haproxy-2.3.10+git0.4764f0e4e.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/CHANGELOG new/haproxy-2.3.10+git0.4764f0e4e/CHANGELOG --- old/haproxy-2.3.9+git1.afb63bc04/CHANGELOG 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/CHANGELOG 2021-04-23 18:51:30.000000000 +0200 
@@ -1,6 +1,44 @@ ChangeLog : =========== +2021/04/23 : 2.3.10 + - BUILD: backend: fix build breakage in idle conn locking fix + - BUG/MINOR: tcp: fix silent-drop workaround for IPv6 + - BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS + - BUG/MINOR: ssl: Fix update of default certificate + - BUG/MINOR: ssl: Prevent removal of crt-list line if the instance is a default one + - BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields + - BUG/MINOR: ssl: Add missing free on SSL_CTX in ckch_inst_free + - REGTESTS: ssl: "set ssl cert" and multi-certificates bundle + - DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options + - REGTESTS: ssl: mark set_ssl_cert_bundle.vtc as broken + - CONTRIB: halog: fix issue with array of type char + - BUG/MINOR: tools: fix parsing "us" unit for timers + - DOC: clarify that compression works for HTTP/2 + - MINOR: No longer rely on deprecated sample fetches for predefined ACLs + - BUG/MEDIUM: sample: Fix adjusting size in field converter + - DOC: ssl: Certificate hot update only works on fronted certificates + - BUG/MEDIUM: threads: Ignore current thread to end its harmless period + - BUG/MINOR: checks: Set missing id to the dummy checks frontend + - MINOR: logs: Add support of checks as session origin to format lf strings + - BUG/MINOR: connection: Fix fc_http_major and bc_http_major for TCP connections + - MINOR: connection: Make bc_http_major compatible with tcp-checks + - BUG/MINOR: ssl-samples: Fix ssl_bc_* samples when called from a health-check + - BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded + - BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function + - BUG/MINOR: logs: Report the true number of retries if there was no connection + - BUG/MINOR: mux-h1: Release idle server H1 connection if data are received + - BUG/MINOR: server: free srv.lb_nodes in free_server + - BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers 
+ - BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames + - BUG/MEDIUM: config: fix cpu-map notation with both process and threads + - BUG/MINOR: mworker/init: don't reset nb_oldpids in non-mworker cases + - BUG/MINOR: mworker: don't use oldpids[] anymore for reload + - BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data + - BUG/MINOR: peers: remove useless table check if initial resync is finished + - BUG/MEDIUM: peers: re-work connection to new process during reload. + - BUG/MEDIUM: peers: re-work refcnt on table to protect against flush + 2021/03/30 : 2.3.9 - BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent - MEDIUM: backend: use a trylock to grab a connection on high FD counts as well diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/VERDATE new/haproxy-2.3.10+git0.4764f0e4e/VERDATE --- old/haproxy-2.3.9+git1.afb63bc04/VERDATE 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/VERDATE 2021-04-23 18:51:30.000000000 +0200 @@ -1,2 +1,2 @@ $Format:%ci$ -2021/03/30 +2021/04/23 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/VERSION new/haproxy-2.3.10+git0.4764f0e4e/VERSION --- old/haproxy-2.3.9+git1.afb63bc04/VERSION 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/VERSION 2021-04-23 18:51:30.000000000 +0200 @@ -1 +1 @@ -2.3.9 +2.3.10 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/contrib/debug/flags.c new/haproxy-2.3.10+git0.4764f0e4e/contrib/debug/flags.c --- old/haproxy-2.3.9+git1.afb63bc04/contrib/debug/flags.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/contrib/debug/flags.c 2021-04-23 18:51:30.000000000 +0200 
@@ -441,7 +441,7 @@ /* stop at the end of the number and trim any C suffix like "UL" */ err = value; while (*err == '-' || *err == '+' || - (isalnum(*err) && toupper(*err) != 'U' && toupper(*err) != 'L')) + (isalnum((unsigned char)*err) && toupper((unsigned char)*err) != 'U' && toupper((unsigned char)*err) != 'L')) err++; if (err) *err = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/doc/configuration.txt new/haproxy-2.3.10+git0.4764f0e4e/doc/configuration.txt --- old/haproxy-2.3.9+git1.afb63bc04/doc/configuration.txt 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/doc/configuration.txt 2021-04-23 18:51:30.000000000 +0200 @@ -4,7 +4,7 @@ ---------------------- version 2.3 willy tarreau - 2021/03/30 + 2021/04/23 This document covers the configuration language as implemented in the version @@ -4084,7 +4084,7 @@ Compression is disabled when: * the request does not advertise a supported compression algorithm in the "Accept-Encoding" header - * the response message is not HTTP/1.1 + * the response message is not HTTP/1.1 or above * HTTP status code is not one of 200, 201, 202, or 203 * response contain neither a "Content-Length" header nor a "Transfer-Encoding" whose last value is "chunked" @@ -7837,6 +7837,9 @@ environment, as this might cause a security issue if headers reaching haproxy are under the control of the end-user. + Only IPv4 addresses are supported. "http-request add-header" or "http-request + set-header" rules may be used to work around this limitation. + This option may be specified either in the frontend or in the backend. If at least one of them uses it, the header will be added. Note that the backend's setting of the header subargument takes precedence over the frontend's if 
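Review bot: The `if (err) *err = 0;` that follows the rewritten loop tests a pointer the loop has already dereferenced, so it cannot protect against a NULL `value`; if NULL is possible the check belongs before the loop, otherwise the guard should shrink to `*err = 0;` so readers do not assume it covers anything. The `(unsigned char)` casts before `isalnum()`/`toupper()` are the right fix for a signed `char` with the high bit set, since passing a negative value to the `<ctype.h>` functions is undefined behaviour. The enclosing function starts and ends outside the hunk, so I cannot see where `value` is assigned.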
@@ -8632,6 +8635,9 @@ network will not cause an addition of this header. Most common uses are with private networks or 127.0.0.1. + Only IPv4 addresses are supported. "http-request add-header" or "http-request + set-header" rules may be used to work around this limitation. + This option may be specified either in the frontend or in the backend. If at least one of them uses it, the header will be added. Note that the backend's setting of the header subargument takes precedence over the frontend's if 
@@ -18873,29 +18879,29 @@ order to avoid confusion. Their equivalence is provided below. ACL name Equivalent to Usage ----------------+-----------------------------+--------------------------------- -FALSE always_false never match -HTTP req_proto_http match if protocol is valid HTTP -HTTP_1.0 req_ver 1.0 match HTTP version 1.0 -HTTP_1.1 req_ver 1.1 match HTTP version 1.1 -HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length -HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme -HTTP_URL_SLASH url_beg / match URL beginning with "/" -HTTP_URL_STAR url * match URL equal to "*" -LOCALHOST src 127.0.0.1/8 match connection from local host -METH_CONNECT method CONNECT match HTTP CONNECT method -METH_DELETE method DELETE match HTTP DELETE method -METH_GET method GET HEAD match HTTP GET or HEAD method -METH_HEAD method HEAD match HTTP HEAD method -METH_OPTIONS method OPTIONS match HTTP OPTIONS method -METH_POST method POST match HTTP POST method -METH_PUT method PUT match HTTP PUT method -METH_TRACE method TRACE match HTTP TRACE method -RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie -REQ_CONTENT req_len gt 0 match data in the request buffer -TRUE always_true always match -WAIT_END wait_end wait for end of content analysis ----------------+-----------------------------+--------------------------------- +---------------+----------------------------------+------------------------------------------------------ +FALSE always_false never match +HTTP req.proto_http match if request protocol is valid HTTP +HTTP_1.0 req.ver 1.0 match if HTTP request version is 1.0 +HTTP_1.1 req.ver 1.1 match if HTTP request version is 1.1 +HTTP_CONTENT req.hdr_val(content-length) gt 0 match an existing content-length in the HTTP request +HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme +HTTP_URL_SLASH url_beg / match URL beginning with "/" +HTTP_URL_STAR url * match URL equal to "*" +LOCALHOST src 127.0.0.1/8 match connection from 
local host +METH_CONNECT method CONNECT match HTTP CONNECT method +METH_DELETE method DELETE match HTTP DELETE method +METH_GET method GET HEAD match HTTP GET or HEAD method +METH_HEAD method HEAD match HTTP HEAD method +METH_OPTIONS method OPTIONS match HTTP OPTIONS method +METH_POST method POST match HTTP POST method +METH_PUT method PUT match HTTP PUT method +METH_TRACE method TRACE match HTTP TRACE method +RDP_COOKIE req.rdp_cookie_cnt gt 0 match presence of an RDP cookie in the request buffer +REQ_CONTENT req.len gt 0 match data in the request buffer +TRUE always_true always match +WAIT_END wait_end wait for end of content analysis +---------------+----------------------------------+------------------------------------------------------ 8. Logging diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/doc/management.txt new/haproxy-2.3.10+git0.4764f0e4e/doc/management.txt --- old/haproxy-2.3.9+git1.afb63bc04/doc/management.txt 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/doc/management.txt 2021-04-23 18:51:30.000000000 +0200 
@@ -1868,6 +1868,8 @@ set ssl cert <filename> <payload> This command is part of a transaction system, the "commit ssl cert" and "abort ssl cert" commands could be required. + This whole transaction system works on any certificate displayed by the + "show ssl cert" command, that is only frontend certificates for now. If there is no on-going transaction, it will duplicate the certificate <filename> in memory to a temporary transaction, then update this transaction with the PEM file in the payload. If a transaction exists with diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/include/haproxy/ssl_ckch-t.h new/haproxy-2.3.10+git0.4764f0e4e/include/haproxy/ssl_ckch-t.h --- old/haproxy-2.3.9+git1.afb63bc04/include/haproxy/ssl_ckch-t.h 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/include/haproxy/ssl_ckch-t.h 2021-04-23 18:51:30.000000000 +0200 @@ -85,6 +85,7 @@ struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */ struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */ struct crtlist_entry *crtlist_entry; /* pointer to the crtlist_entry used, or NULL */ + SSL_CTX *ctx; /* pointer to the SSL context used by this instance */ unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */ /* space for more flag there */ struct list sni_ctx; /* list of sni_ctx using this ckch_inst */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/include/haproxy/stick_table-t.h new/haproxy-2.3.10+git0.4764f0e4e/include/haproxy/stick_table-t.h --- old/haproxy-2.3.9+git1.afb63bc04/include/haproxy/stick_table-t.h 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/include/haproxy/stick_table-t.h 2021-04-23 18:51:30.000000000 +0200 
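Review bot: The new `ctx` member of the ckch instance says what it points to but not who owns the reference, which is exactly what a reader of the free path needs. The changelog entry in this same update, `BUG/MINOR: ssl: Add missing free on SSL_CTX in ckch_inst_free`, suggests the instance holds its own reference that `ckch_inst_free` releases; if so the comment should state it, e.g. `SSL_CTX *ctx; /* SSL context used by this instance; the inst owns one reference, released in ckch_inst_free() */`. If the reference is instead borrowed from a sni_ctx, say that instead, because a double SSL_CTX_free is the usual result of leaving ownership unstated. The struct definition continues outside the hunk.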
@@ -181,7 +181,8 @@ unsigned int localupdate; unsigned int commitupdate;/* used to identify the latest local updates pending for sync */ - unsigned int syncing; /* number of sync tasks watching this table now */ + unsigned int refcnt; /* number of local peer over all peers sections + attached to this table */ union { struct peers *p; /* sync peers */ char *name; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/include/haproxy/thread.h new/haproxy-2.3.10+git0.4764f0e4e/include/haproxy/thread.h --- old/haproxy-2.3.9+git1.afb63bc04/include/haproxy/thread.h 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/include/haproxy/thread.h 2021-04-23 18:51:30.000000000 +0200 @@ -265,7 +265,7 @@ { while (1) { HA_ATOMIC_AND(&threads_harmless_mask, ~tid_bit); - if (likely((threads_want_rdv_mask & all_threads_mask) == 0)) + if (likely((threads_want_rdv_mask & ~tid_bit) == 0)) break; thread_harmless_till_end(); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/cert1-example.com.pem.ecdsa new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/cert1-example.com.pem.ecdsa --- old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/cert1-example.com.pem.ecdsa 1970-01-01 01:00:00.000000000 +0100 +++ new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/cert1-example.com.pem.ecdsa 2021-04-23 18:51:30.000000000 +0200 
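Review bot: The comment on the renamed `refcnt` field does not say how the count is synchronised, which is the one thing a reader of a reference count on a shared table needs; the old `syncing` comment had the same gap. Suggest `unsigned int refcnt; /* number of local peers, across all peers sections, attached to this table; updated under <lock or atomic op> */`, filling in the actual lock or atomic helper once confirmed, since the code that updates it is not visible here. The struct continues outside the hunk.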
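Review bot: The new condition still reads `threads_want_rdv_mask` with a plain load right after the `HA_ATOMIC_AND` on `threads_harmless_mask`, so unless that mask is declared volatile the read is on a different footing from the atomic update beside it; if the file's atomic helpers provide it, `if (likely((HA_ATOMIC_LOAD(&threads_want_rdv_mask) & ~tid_bit) == 0))` keeps the two accesses consistent. Dropping `& all_threads_mask` also means any bit outside the configured thread set would now keep this loop spinning; presumably the mask never holds such bits, but a one-line comment stating that invariant above the `while` would make the change self-explaining. The loop is shown whole but the function's closing brace lies outside the hunk.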
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIIBhzCCAQ2gAwIBAgIUWnUgbYQBOPUC1tc9NFqD2gjVBawwCgYIKoZIzj0EAwIw +FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wIBcNMjEwNDAyMTI0NzAyWhgPMjA1MTAz +MjYxMjQ3MDJaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMHYwEAYHKoZIzj0CAQYF +K4EEACIDYgAEWuf05jTK9E7VNfDVknHTdp7FHB+LNOMVPB/XBRiLmU/+/EzF0D+5 +t4APkwa4vSw3UckWUMoAxOrJ1dUk8T8Y5AxWGBomcuAQGtfmUlDBXvhUjsJ1s9Zz +iy6WyRkU/fcsoxowGDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD +AgNoADBlAjEAwDVLrc9jL2zx9byM1qGyHKnuk8xsEvZEkUPMor1hrTyqkLGIEu3h +1vyRvboYvGh6AjB45GdtABrNeRHI7QeA1ZX0j34dj7lYP0NvYjSVSyvRhpe/nzl7 +CzU2IkkQ4fmxosI= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCSlVR2c8kUsBYDAqrH +M60zwqNVVB0FGafWXBJBn4kgTKRQPCqmwkAJp+yd62Z05iKhZANiAARa5/TmNMr0 +TtU18NWScdN2nsUcH4s04xU8H9cFGIuZT/78TMXQP7m3gA+TBri9LDdRyRZQygDE +6snV1STxPxjkDFYYGiZy4BAa1+ZSUMFe+FSOwnWz1nOLLpbJGRT99yw= +-----END PRIVATE KEY----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/cert1-example.com.pem.rsa new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/cert1-example.com.pem.rsa --- old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/cert1-example.com.pem.rsa 1970-01-01 01:00:00.000000000 +0100 +++ new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/cert1-example.com.pem.rsa 2021-04-23 18:51:30.000000000 +0200 
@@ -0,0 +1,80 @@ +-----BEGIN CERTIFICATE----- +MIIE1jCCAr6gAwIBAgIUJUqgFv3XQuBU7FxDOYZDO/DZFPowDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wIBcNMjEwNDAyMTI0NzAzWhgPMjA1 +MTAzMjYxMjQ3MDNaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEA1Qyp+JCxptby6yTjlF6GKoSiYXMuTC15GqkQ +9cA5wExRvRj444ZDeltt4qFh50MQGaPL1Uq5pk2LxVhIMApn3aFv0vVXXLOpkcWL +tknYhcL7y1wZCGrYff0jJsi/en2YKbzdJ+avFlkrae7uhTmEwLcDRVhJpJYj0nj7 +7NIRZEzzvYxdNVVDkdNacZtJrtanTagse15OV7w6dniIjzyr7P5backq8EyQTWvg +hf56gx8r/JVoMZdxSd3EXcIXBnyDOU6KTiHu970DJmcz4oEaAlKFCehquNfGyVw5 ++jzUPyMP/IzvJZY68s3TjKYnJhoyu2GRf+SH2DBjYVL/I9ULK5G68Oqrjl3lZMM9 +NCjvLykBVAeQ2wYscCUChmLU9Vor1N5Z0EqZx9Wx/SBSPmlpTR4p1eoEmcrrZjUW +TjDBVk4F3cBrFrMEq0rr+aUSluPzpfYEv/tn1h0WTW/8PbSoQluf85i/BXnzmW1L +JplcembL1cbm0idJjzRvQx8/WGoSSIYHzWFgRhagvQ7xGf88pGGh0+n/K/xPXZ+Z +I1b89rLqs5pdBJtAgj7wd2oTxiKDILkpvwRBq9q2p7+yEnaIhWVQr3UudiSRcB8O +lEk8YHpa8wiKMksezCqs4zfdk3Wh1JEwgy1zYk+penzfvQGaySv5Q20P8V2ZK8i1 +HHnTRLUCAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZIhvcN +AQELBQADggIBAD6LkOmRDupXUyDmvA1PsZoNAnN6/ikZOzgcLoPbmPto2MAG16VD +VJF+2i4FddUJmuPSYkGoo+eEcIJ6pyifWm0f673dvHSn/Epgkyp+uOQcLnVGE5QK +cYk7ETlw9BQ/uRYi70hXLk8yi/XbBXIZdtICuxzEJrB+uE3tBK33Zy+KoDweifAV +vGNLDdhK2Slq0/ExaifeO2Agkz0Cb5nihsMnNlSiJPh+Qqhcyn0+o5hW80AozD3A +MZYVhiPtCfOoHYO02GpsPkYq1mfez79O+t5d3akLLPXEMO8iK4HUtlkYj84wP220 +fRct1E1apRCCfHORqnlPEYcinoEvlsl+c0olH6L2L3t4sDzWGHQoAzNQMSMAwdPr +NShvuWmKdYoPrTfdp73neP4jkzNMi2FR1SL7M/Mr272njrBrYLayVbb5Aogp9Myp +PrWohhrYaMCeCVLdtX0C8Ijjo+WhQjMJ5I7J2CCsRifhCnloD3nP3Cfd+obmGxTV +spGxTfQxn8BH/rqEkTKZgqz8McpMXJChzSe7JduGnv5E8nZH1UQBqbtgDP+JndI3 +5Ncs7GsU0JLfju4w3IaAjslOmu4TLS0MDSDJo5heo1U/OB/kqocbKcoP39mCiWPy +juW/VTheRaszG8tuPhXYovg9LXZX5HW7eWjgwm9kn9c4fu/3NY7PJbmO +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDVDKn4kLGm1vLr +JOOUXoYqhKJhcy5MLXkaqRD1wDnATFG9GPjjhkN6W23ioWHnQxAZo8vVSrmmTYvF 
+WEgwCmfdoW/S9Vdcs6mRxYu2SdiFwvvLXBkIath9/SMmyL96fZgpvN0n5q8WWStp +7u6FOYTAtwNFWEmkliPSePvs0hFkTPO9jF01VUOR01pxm0mu1qdNqCx7Xk5XvDp2 +eIiPPKvs/ltpySrwTJBNa+CF/nqDHyv8lWgxl3FJ3cRdwhcGfIM5TopOIe73vQMm +ZzPigRoCUoUJ6Gq418bJXDn6PNQ/Iw/8jO8lljryzdOMpicmGjK7YZF/5IfYMGNh +Uv8j1Qsrkbrw6quOXeVkwz00KO8vKQFUB5DbBixwJQKGYtT1WivU3lnQSpnH1bH9 +IFI+aWlNHinV6gSZyutmNRZOMMFWTgXdwGsWswSrSuv5pRKW4/Ol9gS/+2fWHRZN +b/w9tKhCW5/zmL8FefOZbUsmmVx6ZsvVxubSJ0mPNG9DHz9YahJIhgfNYWBGFqC9 +DvEZ/zykYaHT6f8r/E9dn5kjVvz2suqzml0Em0CCPvB3ahPGIoMguSm/BEGr2ran +v7ISdoiFZVCvdS52JJFwHw6USTxgelrzCIoySx7MKqzjN92TdaHUkTCDLXNiT6l6 +fN+9AZrJK/lDbQ/xXZkryLUcedNEtQIDAQABAoICAAfQoxt/E0UvdVGy1LZIkVtV +6i7w7q3UrTCRKxIYrwWixwzMsbSG5ErEt88sZE77YsfN/lggmZbEGXBvwJYii5TR +qyxt23qHDJ1QRcO2Cb8+W8Yl5rUsViyo8HUnv/5aRQ6i4unnyFxlgPYt0YoJhhkb +nX8ZsfnbmAzMa1FQk1q+h+JYF8MxEX1z50lrjNRhA1oR5S/RUcZeHTbjTP8UFqpm +2iuTOYP/CvwMDPxdTVkp948YW+4VxA4VmHJoADg4sQeVHfWnwQBNaqQp/Pk+Cxoy +tLacU+3b3GreezH2sUJvotJ8yPjz/c2SR0RNg/od0+aTuaabV3BSthKH3NwPoI0z +bfLkwrR5KyJobB399UN3aqg2s4toKNy+6l9x2dh+QimwDOivptvynEd9BIXd0ZCn +ohdE9b9j9eq0l36WX+u30JMyevjjumnZjKCh80Pf7MnTcqzggcWvoPYtjPqBj0ig +WvKwPCmV0TG8wN441mjObUXLa1mFlb8b+NM8k8gy5odkyRGm8ZOOxYlOWmtu/sNM +VBdjG3U6yONDf+TO+v7OVsOVs/IHFOX3RtpCt8wnFZfTxkxjqrk3E8O7RTXcrIny +Tgzmi0h0bSTahsKm/0roQNPK6XNw6S6CW9B2kPz2gBEIpjrEl+C8hmsiYEzNJ9kM +oLWlKEuwcMaXS1oazTqBAoIBAQD3S7icGxwTVypEKq7ZT4859UOtsdrqTKEFIVtf +z4IIwmlo65mfNA7/w2TSV8p/o3NH4yznkEnVzvYYNXKt316oZM2CqCoA3XjeFlO8 +hUoScVn1VV/66E6wTIbRUCMdBfyPVNQ12bTZ/rPpmSlatXfUGarVRlJ15DDS0TpV +s+ohxpT1IUnCx7N0z8cPbTFy2qguSbID6UydajXtM/h8up4866wg8nzT4PBssiqf +NzWgAA+XP7oigfncgqSuQ2zk8Bedbm+tE6bKgK3O6VfTDRIV2Kw89Kvt0OWQYpOD +F/CTarNdlp0kYmos/rC57AVSpdTNQm3944WFi1ts+aL74+b9AoIBAQDcjF0TnKr0 ++uSAFNHDIxf7LHnX+uOZ7cTs284hIHZJ4z/GgwHKimWeG4XZsOGPh9Lk5GGMyDBB +N9daaGYskoQ9qh0e3IyRbbzdcwUMV9xzulYzUg5OKoezpBlp8Ydd8Gp3/9SBQtTi +9jjLZ45Qea7/F/Kk1TebUvqGQa+c7HdeJ60/6121QPw7eFqJIOVqf47Tkaq3Wmpr +csfQulNwN4Gi+v2gp3iMR5q/agKCOtI56daheYyNgPxX+chjiqOqC5WElTxPihde 
+lKtYtKh3rnboKGUQ4fJOVFoV/wrfo5wfcYkPDB32Ct1B2hsI3oHbnPkBPgvCB0Xa +/HPrEqWP5W4ZAoIBACQgVbnIZBOXOj93FM/+RWgsIlTvlJGB3EwJkXWvtMlezVNc +h7awPjiy7LmlxZlb4W1xDJBPjdnEQENNG5G2/fcPss4RjwFNWWjoThdOSYHkOUYT +0M+wvD4ZD+DoGhkVVM4DkHTFdxwZj2Li0x3DQNwlW8WIXmeGjHNfyWvXuq5wejZN +RJ9F2TuJVwUz6HNk6gjJD05u+JhOec5LN1PRV2iC7URq6D1zsOvQI1XbFORo3d40 +mxaLclr6YuBqTTAsuuZuybW5FzaiEcIWaJQWZrv2SUMmYy98wuyS2gXeq3B9t/JG +HHLCRcyI8HxYtHZcb3gE6liasljOAO8skNjHdGkCggEBANF9dm/Jkc2vf1p17CWJ +8R6BSZ8wzf6JjlNaGjr3JcTbWdnK2Om1ef6rsAFudWKrplQK5uodwVBBpYpXvi26 +YmhcbNrCrbb54LsMpQ/raRh4N6b522K+HTYyun0akfVWBxvC4uyBOcv4C0ySKekh +HGtsKOwPJ4mfUR4zyIarSlsiHvunKtSfTLeEg6Lbn28AiP9HzzvoY0t6tHf8dIMU +Bkx0UnPGf8fnwALvxEBFdSjTiC7LUQmcKpW6SnDa4MkFxdkxFB+NUNNjLjrNJ3S/ +QG0W6aEWrd1fXE6meoKhWwu3AXRMky0Bdtc1QBa1m+2p9hALCoob9Guk/sqcZK0B +RgkCggEAHjEa/4q05VPbMm7TOgF2m5QTdap47LyTBti9TRurGtB/9nWvIHpM9sAy +0xVvGcoZOqVHYvRZGpZ8IX4B+9FGMNUDBMc8shj3oA514tCZVPCEolnHcuwERiZD +c5zh2PccktAmT5EXGch0+eRuxJ1ROKgR0coeo8KMOxtrm0hRFTznsJ0nzNjAoCA4 +zW6DVY7qIb9ksI44rWlgGSwXG1OuUpqH8+tBAvR3uNa/j59psBb7Pu5zmg/qhx1m +Ljd/0JTxE8A00l0bC8S1F15wGn8GQD63pjq8nr/biI0Y39g3TEAffkI33FfCjBxQ +gO96WUZwPEimQAnu4Jw+RlpLtWjOBg== +-----END PRIVATE KEY----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/cert2-example.com.pem.ecdsa new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/cert2-example.com.pem.ecdsa --- old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/cert2-example.com.pem.ecdsa 1970-01-01 01:00:00.000000000 +0100 +++ new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/cert2-example.com.pem.ecdsa 2021-04-23 18:51:30.000000000 +0200 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIIBhzCCAQ2gAwIBAgIUJ2zhyUgHjXsPzANqN5ZSHX0RVHYwCgYIKoZIzj0EAwIw +FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wIBcNMjEwNDAyMTI0ODMxWhgPMjA1MTAz +MjYxMjQ4MzFaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMHYwEAYHKoZIzj0CAQYF +K4EEACIDYgAEx1lz/PGGGGI9EG5L7qx8JGwt15HNuJI9SsdwzkRV/N8sBFzAEVbS +UWVthQ8tIAdW1y7d9fwkHrzkPulDVwZGGr3qrnZSAgb7NCxBICxgdDI7ku3oPdNd +bsSASmhJrQO4oxowGDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD +AgNoADBlAjEAnHx8jSzldb5z4FR3oZ3twWCzRR98n1IBuBi5fe6hhBlQF5u0iAyb +oDcZ2Tx9UfWhAjB/DKDFrlXAkow4rQxHU602c9SI6hJTCKxIfWWoBYP7zqZXEUjj +2QK7BQb3sHNpsqY= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDsiqzn+NewEL5bc3CA +sY4ADwk42yQJCPZalIct5i4e5u660YCUMHqbVAUQe2R6YFyhZANiAATHWXP88YYY +Yj0QbkvurHwkbC3Xkc24kj1Kx3DORFX83ywEXMARVtJRZW2FDy0gB1bXLt31/CQe +vOQ+6UNXBkYavequdlICBvs0LEEgLGB0MjuS7eg9011uxIBKaEmtA7g= +-----END PRIVATE KEY----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/cert2-example.com.pem.rsa new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/cert2-example.com.pem.rsa --- old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/cert2-example.com.pem.rsa 1970-01-01 01:00:00.000000000 +0100 +++ new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/cert2-example.com.pem.rsa 2021-04-23 18:51:30.000000000 +0200 
@@ -0,0 +1,80 @@ +-----BEGIN CERTIFICATE----- +MIIE1jCCAr6gAwIBAgIUCMeB9uw+PcBIqW8cDI21s7SxWVYwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wIBcNMjEwNDAyMTI0ODMyWhgPMjA1 +MTAzMjYxMjQ4MzJaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAzt3oEBc1jWk2PaN/tJA/PTTdwfi6ZXqXCrCA +ZScmo1jvM3CcoOM1BUhiMcoeK4uHRryYUO/eL/ZM5OA11GAIaMevhK65rtBYIh2Q +klRH+IojmRL91U9tXno+oMBS8WwF7K6eCCj4XUTAKuolQ4yiFHTvdwOsqSrVY3m/ +m2Pp4VTqjDSsljmv8GJ0lQpxan5bZt6WWQiCIbdS7ExgJIALDemg+JOIz/bDmCr/ +3tihmHOK94lCcV/CFOs2XctVnkS6W8x/S4U41Y/eciUbLWr5CxAvfZLOQBuriWiU +SMHPJI63VPijGKStnBn/zRMvDJhaadkRqAqXlJUZ7nkcZ5WlPuIMgAOc2uCZioW8 +DvyJmplBjBBQdGqRFaeX2lDvJwDECDxSHglfQgVVz3II3ZMSlDsystu4MCgeFa0e +S0UCvl+5mK1/QVzkzxYj1o9iXhtq5VSLmbaAssDcn20ashJMxmruagsOR4MhaKA0 +RsMosrAiCbcBiY/Q8W6NoOwxNUC8agsqDRNSoJfQgYhTJXqxbnteyy3TXtF4zW+S +7D0ZsRXM+u2z6V7lP8rvS8ZwzI7nDA/hH34IIw4H875IESLA/8ZiMA3luzMNxwWr +xCn58JCJM0lJmgkO+NvKctGAGxgtdKzgHemzczx6GuA3V5mOOD01KUbMpZITN4lP +vAt++qkCAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZIhvcN +AQELBQADggIBAMc0Z6hDp5VuihQ1LpmfisQtrs0F5SpfxlbCshg9MOrgRGwViRBM +bCw1UhDZPT7sQ47JucUkw4RguJTsNQO6Iacq04EKSfHmbxznlZ9eBpAMdK8vWLQH +jrpmNVE6At3kuyFJrXEc4BOrvzwDqcbG8cFFwT+l9C5BGSZCG/muLPuW3S36IY7i +uVGc4MqrOQLRghyZbjkXrReGzBZVbuCiz9O+zsjorEzt58gdwIhrl8WyHTJ/Nqy7 +ibfFDh+tJxdNkipa0PZEqovMUcMG1N1E+n4nl6QooUsIx8JmeL5OD4J15ZuvrK3A +emggxAMs+rkooocc8SL8i0C7l1m74qRKCP/dhIw8R8XiSKaSU5PQxlmY62qHJNkh +RIkwvv+VcGdUzC74eEPUagKABzYARXBC2410E8vekxVYAZ3U31ypB+/3nWBJOqH0 +P//I1ZKwYLQCuC02O2Uy44kwZsZ1Syh2BYJxjdIeg5oMVnrDhi9kYnMtDmtzLsnC +kP/cMKX7NZ7d/qbF6Aa9vVE/Ta/OrLxETF8CrjSa/nDLdLpm9sDC26/aqZv5L554 +xeSKVxvZyRFtObSKW1qzK40RMkWUarh72urtd9aM1t5PHOnwY77jO/yemjxfhgvp +jUKM0pxIe7EmNqoEay+zdN58x8VPDtLFNehorGUnUGkaS57BFBjpEUvY +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDO3egQFzWNaTY9 +o3+0kD89NN3B+LplepcKsIBlJyajWO8zcJyg4zUFSGIxyh4ri4dGvJhQ794v9kzk 
+4DXUYAhox6+Errmu0FgiHZCSVEf4iiOZEv3VT21eej6gwFLxbAXsrp4IKPhdRMAq +6iVDjKIUdO93A6ypKtVjeb+bY+nhVOqMNKyWOa/wYnSVCnFqfltm3pZZCIIht1Ls +TGAkgAsN6aD4k4jP9sOYKv/e2KGYc4r3iUJxX8IU6zZdy1WeRLpbzH9LhTjVj95y +JRstavkLEC99ks5AG6uJaJRIwc8kjrdU+KMYpK2cGf/NEy8MmFpp2RGoCpeUlRnu +eRxnlaU+4gyAA5za4JmKhbwO/ImamUGMEFB0apEVp5faUO8nAMQIPFIeCV9CBVXP +cgjdkxKUOzKy27gwKB4VrR5LRQK+X7mYrX9BXOTPFiPWj2JeG2rlVIuZtoCywNyf +bRqyEkzGau5qCw5HgyFooDRGwyiysCIJtwGJj9Dxbo2g7DE1QLxqCyoNE1Kgl9CB +iFMlerFue17LLdNe0XjNb5LsPRmxFcz67bPpXuU/yu9LxnDMjucMD+EffggjDgfz +vkgRIsD/xmIwDeW7Mw3HBavEKfnwkIkzSUmaCQ7428py0YAbGC10rOAd6bNzPHoa +4DdXmY44PTUpRsylkhM3iU+8C376qQIDAQABAoICAEQ6PiKodPop3EDiHul/tcvL +FuS100xK7WwSIJa8Hes8FtCBcLdDmKYgZHqFbgPwpfI3m4j+Q+rPsja+mCJudfeQ +/JunQQieIKNH2vnYIFChxvHiqKNk6e6CJQvBwtlrRlz0jpykXp3sYfEFfrrTtFVI +5/350UWOIgkIC6EFiArQhfcuHEoDxrpizo6lfhigiibYfP/qZXkXTJsw6XjAXmT9 +TCEQD8x/V61laTSngEyWtxvDQo3ABnP9y9WNjbSAeHJ0dPuEeeU96SD+igMlx/PV +J8Sj2bCdL6tHObjxaw9knqTAyJIFJllY3dxWWmsuCIvmkwM4UxwnPQFBIpQrb+9A +rguNl+t31zljmToDIEF97G/QcbFqMQEKeNCkwIdtD/8tND7RrchcqQPc96rdHbB7 +Hfb/ZXqCSsYNahurEmeAUZJkLO9U6/0GbWHcxkHBTkrmUs2qV4LrhWP71tKpbNY7 +mGXK6Ok6ZfkAD4uau1oQkndqdlKg/rBOjcT+HGPtxWL9gPtG7om+O9mu++BngrGr +oyNgujkVRN0fpJhKLhsT6OiZF+7CVQo4ZIw9dBQ2hzLNw5tKgW36GAVTfFxNRTje +SerlyEog/P3s1tnDn7BngdVOdnDfiOi1O4TEb4btwqP3BSs2p0wJKaJGoClFFuwN +n5dtHMABtSOKPbmWurbtAoIBAQDqPmZjSLfEwSXph33m7Ms2/AbQJltzU0ftRJU9 +TQGVHBajouupVcyrZ+WiWcltLov+JNlseXG/PsIWEmqSiLodIZJyjWSDUiC5iFEM +fn2d9X4NLz0A508pFR5FQnULFEDMDryLn+4ta8Bf5NeL2p/ZavKh9rxX/8LAanse +6Lst59RiiRMkazkjC4DHDmqUAZBt+uQVaHVFpTBJLa1k1nIc82GjsJwWsbADL3+o +PKiggSir/Uf3nOOPhXsegVTZBiq9DNFciCa+kqT4eluUopjWxIuOKnp5mVh2DnTr +NXyZ6jDb2JwjcJpy6HLk9EsqY1YuMpT+OCNnLM3l2Gxp/KovAoIBAQDiFJEh/LHl +++7Z4TE0whMdjkFdSCuPyEnU4WFRKLMTPQRCdS+5GxHDy4lzpArde+51C6UkAjxe +jaAGzQvabKBl4Al6eFpYvv0d8CQMWIrOffzVMRXuHWgm/SBg7um6ok0rM4/BOdUr +CN2nWvBF02ZTSsGzzBmzTo4vMkcAQOiGes0Haefxm0DiVvoElL20Fv/iuEzbf60p +W/0TzeiOBar8WxpTTcnHc6QWQ2t/Zon3/5E1LIOEU2/GQiS6zqNBRGr+kfWtz2wB 
+d1IFLXITiqAQb+F3EjKqGS8ln0JYLSLRk3ALbb0EtN59lYwrabUYq9WzA1MlprLp +GFqzAHNPc+qnAoIBAFg4DAOUXXGCdK7Q0n/n6ljY7g/ygjqawNoBHFur5s6rd3NF +Zo+tuplLVdahDhVKlHqwkhoiWs516k65vN1XFRDnleoCijpS8fQt/KhB8zlMPZ7l +jYoLk2qbg3z+HGqBxC2V1ziWkPMWQ6tZ2jvXqKAPgTWyYRibQFOLRrdLW0NcrkY1 +7bmnkCs8p9FQAp+fPy/Mb54IazJBlj/ZLhZuFSgGGV22o/KAFRP+DYvk3HUmb5Tm +nPYKZkGlOcsxVi0t/2aXrzm0JTNcszjJjDgcTIeGGjD+moW1VPWRWENFL5of8yq5 +F4TZYbGpDaxgvPZH1ysq7aYYqmyvGRRZP+titw0CggEAaPoB1hU/Cbps0xDEx2mi +dKPcaBMd3xqyZb3tcUEDvdgkRTOi4EHYguDcxyyRuvxT4ldw7AJ5w7Hhb6cAbQDp +jcR0wkBmOzUb1S3vnyfx9CX+I4QyWamf9hKtWTU2pGm+iWPcyW0wNVZdjdslHFcn ++V8KCJGqEV9VmEaxP0XkcqVM1LdxcveTLkYSu9PRLnFLihvn3Dgx0LWdEvgWlvO8 +zIcE9090dT+WHpxZqwOS5uvtohI0U1pm2VlXMsLGfYTmZaSivn1E+n1MQYkzoi1J +W7iHqcFycxdUlBSaOtViiIv8h+IB1dCiSxAI0RO5emY3yXKuxhnck22yl9GKuYbq +mwKCAQA25h2vjVD9x1Yci/qWnKnchjVlTkKWb0D404fhibJpSXHtFOYiE8YXsBBS +zLYDeDXFagl+AorvG45SoodJGl1/uqGbZMPBs0Yh211nBVtR5W+8vHLPEbw/Qvl/ +AXSmwnVT+K3oeJRxUBIlOLQcDtXcFGBhF3CbbjKU7+9gRdj0oq+O4DZXZVnJPeI4 +Rf42bfQYXub1bB+kH4WwkuLYItrzv4vLgS7kO6Z1GXz7mIBZi7zlUI7Wl5pWg1fq +H5X6u6V6N2LKS7Sqwa7ihL1ScUMhfmcPE362FyxqwkSMWOx3F/L812MKCgwVoil6 +yupxw0d9CircRDDG93pWn3WxCHpV +-----END PRIVATE KEY----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/del_ssl_crt-list.vtc new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/del_ssl_crt-list.vtc --- old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/del_ssl_crt-list.vtc 1970-01-01 01:00:00.000000000 +0100 +++ new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/del_ssl_crt-list.vtc 2021-04-23 18:51:30.000000000 +0200 
@@ -0,0 +1,104 @@ +#REGTEST_TYPE=devel + +# This reg-test uses the "del ssl crt-list" command to remove a line from a crt-list. + +# It performs three requests towards a frontend that uses simple.crt-list. +# Between the second and third requests, a line is deleted from the crt-list, +# which makes the third request fail since it would have used the deleted line +# and the strict-sni option is enabled on the frontend. +# Another test is performed as well. A line corresponding to the default instance +# of a frontend that does not have the strict-sni option enabled cannot be deleted. + +varnishtest "Test the 'del ssl crt-list' feature of the CLI" +#REQUIRE_VERSION=2.2 +#REQUIRE_OPTIONS=OPENSSL +feature ignore_unknown_macro + +server s1 -repeat 2 { + rxreq + txresp +} -start + +haproxy h1 -conf { + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-cipherlist-size 1 + crt-base ${testdir} + stats socket "${tmpdir}/h1/stats" level admin + + defaults + mode http + option httplog + ${no-htx} option http-use-htx + log stderr local0 debug err + option logasap + timeout connect 100ms + timeout client 1s + timeout server 1s + + + listen clear-lst + bind "fd@${clearlst}" + balance roundrobin + http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex] + server s1 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record2.bug940.domain.tld) + server s2 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record3.bug940.domain.tld) + server s3 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record2.bug940.domain.tld) + + listen first-ssl-fe + mode http + ${no-htx} option http-use-htx + bind "${tmpdir}/first-ssl.sock" ssl strict-sni crt-list ${testdir}/simple.crt-list + server s1 ${s1_addr}:${s1_port} + + listen second-ssl-fe + mode http + ${no-htx} option http-use-htx + bind "${tmpdir}/second-ssl.sock" ssl crt-list ${testdir}/localhost.crt-list + server s1 ${s1_addr}:${s1_port} +} -start + +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect 
resp.http.X-SSL-Server-SHA1 == "2195C9F0FD58470313013FC27C1B9CF9864BD1C6" + expect resp.status == 200 +} -run + +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.http.X-SSL-Server-SHA1 == "A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" + expect resp.status == 200 +} -run + +haproxy h1 -cli { + send "del ssl crt-list ${testdir}/simple.crt-list ${testdir}/common.pem:2" + expect ~ "Entry '${testdir}/common.pem' deleted in crtlist '${testdir}/simple.crt-list'!" +} + +haproxy h1 -cli { + send "show ssl crt-list -n ${testdir}/simple.crt-list" + expect !~ "common.pem:2" +} + +# This connection should fail since the corresponding line was deleted from the crt-list +# and the strict-sni option is enabled. +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.status == 503 +} -run + +# We should not be able to delete the crt-list's first line since it is the +# default certificate of this bind line and the strict-sni option is not enabled. +haproxy h1 -cli { + send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1" + expect ~ "Can't delete the entry: certificate '${testdir}/common.pem' cannot be deleted, it is used as default certificate by the following frontends:" +} + +# We should be able to delete any line of the crt-list since the strict-sni option is enabled. +haproxy h1 -cli { + send "del ssl crt-list ${testdir}/simple.crt-list ${testdir}/common.pem:1" + expect ~ "Entry '${testdir}/common.pem' deleted in crtlist '${testdir}/simple.crt-list'!" +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/set_default_cert.crt-list new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/set_default_cert.crt-list --- old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/set_default_cert.crt-list 1970-01-01 01:00:00.000000000 +0100 +++ new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/set_default_cert.crt-list 2021-04-23 18:51:30.000000000 +0200 
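Review bot: The last step, `del ssl crt-list ${testdir}/simple.crt-list ${testdir}/common.pem:1`, is only checked through the CLI success message; nothing afterwards verifies that the entry really left the crt-list or that `first-ssl-fe` stops serving it, so a regression where the line is reported deleted but remains in the SNI lookup would still pass. The earlier deletion already shows the pattern to reuse: add `send "show ssl crt-list -n ${testdir}/simple.crt-list"` followed by `expect !~ "common.pem:1"`, or a fourth client request expecting 503, since the fixtures are all in place. A short comment stating that both remaining lines have now been removed and the frontend has no usable certificate left would also make the end state of the test explicit.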
@@ -0,0 +1,2 @@ +set_default_cert.pem !* +set_default_cert.pem www.test1.com diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/set_default_cert.pem new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/set_default_cert.pem --- old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/set_default_cert.pem 1970-01-01 01:00:00.000000000 +0100 +++ new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/set_default_cert.pem 2021-04-23 18:51:30.000000000 +0200 
@@ -0,0 +1,52 @@ +-----BEGIN CERTIFICATE----- +MIIENjCCAh4CAQEwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCRlIxDjAMBgNV +BAgMBVBhcmlzMQ4wDAYDVQQHDAVQYXJpczEVMBMGA1UECgwMSEFQcm94eSBUZWNo +MRUwEwYDVQQDDAxIQVByb3h5IFRlY2gwHhcNMjEwMzAyMTcxODUwWhcNMjIwMzAy +MTcxODUwWjBnMQswCQYDVQQGEwJGUjETMBEGA1UECAwKU29tZS1TdGF0ZTEOMAwG +A1UEBwwFUGFyaXMxHTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVzMRQwEgYD +VQQDDAsqLnRlc3QxLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +APjmyWLJ1olKg/EOarln7oQB7pdUrF6kS1YG+Nz0sgFzxnU0PHn/IeARCprHyEZ4 +eBOrQ0CHhM5hdEFDX8iq32rektcQqwfH83iwD9zXxFBJ7ItoWG6YAN6WLXjEDYEI +hxLJMlW3kfYODKhNMvoqXyZi2wTyAJI+aLJI7pbeD+YNb0AwOnSH5ag5ohZIr3QU +99UD/VUhndv4OP8JZwBiV6Qy79jVDVbPFGaOc70VkMQSCHytyudQicUZrYQdIw1E +981JF/UpbnECLWyB3V+4t1KtWOW90vkUoBEj8Nxe6kYnMaNSjQhfKSF6zGmUOXYp +oHPCgms8v4JaovQygo02Qi8CAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAAz8IntYc +zrbIqweHfD9CZTNIQiobhQmgykT0KQ23Gm2y/e3o63XOqxDv0bEctg4zE83w3g7d +mJlEyCB0N0qC8UGGsbRm5Cny7H//g3u06NqSMBYbdU+BgZBBj16I5Kcw/kSBb9dA +wslLlrUjBj6dK83EB1cpyqpyZHIXkR/E424ggfc45rmD60AtU0SvzVNZfIK0PmB0 +3YKiUlO7cl5CzTeTg2BooRvqwblya62SRkhfFL7NCRX1/S9tO/XiaYzgP7J6J09x +yYs2XhQqJFgtS+1vDp8rHKhcANFVXBJ6rDSbp1qBv7qZkQhlFf8hQtd5iBXvCb0a +KtN9L4o6t1wvyo0BbERroGU7rkPPUNiMc3gWEf/mgwGLsNNOYqY5eYoeAF7arX5f +c4LCHiAYMWa/bEY29zmm51GH5ddxFSu1j95Hfd+HlNcX8Oyfed2oCoSamochmbzA +Kktk0QfCYIv4LlaG5pUliLa6DCLK7yMfT5RC5GGb350p3uDobVj/taY2cVwXOBQb +MjXK32K9CFrnqKQptPV1ohlWgNiqhvxiGp3Yx17Cn54WL9ksO+8TlwWAttazKVlT +40tHqGOu6ld90xGZitxL2oA9kBg9Nkxas/f9+9p6sJe5wj09dj/cqRjyiKv7nek1 +TIPtsNbJghDRDQ3uPEYHdX0h490qGMyGARw= +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEA+ObJYsnWiUqD8Q5quWfuhAHul1SsXqRLVgb43PSyAXPGdTQ8 +ef8h4BEKmsfIRnh4E6tDQIeEzmF0QUNfyKrfat6S1xCrB8fzeLAP3NfEUEnsi2hY +bpgA3pYteMQNgQiHEskyVbeR9g4MqE0y+ipfJmLbBPIAkj5oskjult4P5g1vQDA6 +dIflqDmiFkivdBT31QP9VSGd2/g4/wlnAGJXpDLv2NUNVs8UZo5zvRWQxBIIfK3K +51CJxRmthB0jDUT3zUkX9SlucQItbIHdX7i3Uq1Y5b3S+RSgESPw3F7qRicxo1KN +CF8pIXrMaZQ5dimgc8KCazy/glqi9DKCjTZCLwIDAQABAoIBAQC/arWb7L+56/2W 
+iFDZb62GBfpYlXzOeCmb6la/jsvKxB/vCRItfGGv8Usnh9dlIsat0bsxyEcBdP80 +Jb1nFMonZS6miSIPJN4Ahd5dJ+7JFGD/QWso+mtIw1QLGTONdWJztxmnxDpTcbCY +Sm6W57kvSz1HC1oXHjnkSqR6kCLH9y6/i7ox6IPYyDA1t/TKJMnKFOPkxKJ8A96v +1avPrCWfXWYdn6Og5ERd8FJF2L5BYImmmkPpoUeWPyMBfAYqdK5FRijO6JMn/h5k +XkJm+2bru+cRwcNYUNPuDIa+ZBWhjFfZfSOhOoECeKLe+lhfcFPC7cCSeDJAjGtR +dakm15ohAoGBAP4+rVBeSCBhPH27T3HWp74qMWkYJzkdqTV0wUUJ1wtuWZFDg/RP +OYKC+6cM0nW3K+j/9pTWMS1eM61x/VNyFQGUq/rMJGEWFH08NXnV8AxCtwKUV/rP +Uq3MB4QWfSYGMo9QL+9lu23fMWYpBLo+KIcqPjLb+8FEJGmaC9JCIYQfAoGBAPqe +qp7NzMmX2b1VR2XXm1CZzwTEFXb4NeDIxSfNbsqXCmws3jgBX3Lx7dQ9k8ymvaA5 +ucYLU3ppozeB//8Ir9lSA1A4w3VN9a+l1ZdQpKQ4SuHtqDwkmKAT85vmGHCPhwlq +Er9ests3wQ4T/8HPG92QWs+Gg34F+x9U6h2FMv/xAoGBAOM6h1HWAeaWoSbKWvWm +YKNQOHryMFQW011IbVfTtJOt23U9/1hB2mdvw5SInCzDOgZzhiF90dP3Zn5063FB ++84+3vo2q6jtwAAx6KVsdK+wjLpMdNlfpEhamrkOFGoAjf2SMFVo+fv3x8HDlUsT +NMuhEJgKDlasHVMYb8pKeoQHAoGBAMAF7ij6+lvD03tz6d6oUkJxduLp8qBTEcUH +T7hteOQU0lGMFz/GHYIOx/EEtUfqwgQP9r09VFrIsdwH6UNZPpM+eXdv5qLsdsB8 +SalEisGguA9fbrWWPLL6Vn8uz67+6bJW6cJjJps8ntjQjffLXkhnII09PWbD4mNh +RngT5L2hAoGBANqa+yYSvEGNAxvdfxE0u3U/4OtjCl168nNwHXmyaCKZ1e4XYflz +wGI4J1ngcCKN37RkCgfu/XRKrc82XhAhV+YYjAUqQYrTyh26b4v9Dp9tBUWiv7bk +6L+ZlCms+HpsuYmsCAu/od41OWSSpdg+R3VOE0t3rp0r1QdAGYd1nwQC +-----END RSA PRIVATE KEY----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/set_ssl_cert.vtc new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/set_ssl_cert.vtc --- old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/set_ssl_cert.vtc 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/set_ssl_cert.vtc 2021-04-23 18:51:30.000000000 +0200 
@@ -3,11 +3,19 @@ # This reg-test uses the "set ssl cert" command to update a certificate over the CLI. # It requires socat to upload the certificate # -# this check does 3 requests, the first one will use "www.test1.com" as SNI, +# This check has two separate parts. +# In the first part, there are 3 requests, the first one will use "www.test1.com" as SNI, # the second one with the same but that must fail and the third one will use # "localhost". Since vtest can't do SSL, we use haproxy as an SSL client with 2 # chained listen section. # +# In the second part, we check the update of a default certificate in a crt-list. +# This corresponds to a bug raised in https://github.com/haproxy/haproxy/issues/1143. +# A certificate is used as default certificate as well as regular one, and during the update +# the default certificate would not be properly updated if the default instance did not have +# any SNI. The test consists in checking that the used certificate is the right one after +# updating it via a "set ssl cert" call. +# # If this test does not work anymore: # - Check that you have socat @@ -17,7 +25,7 @@ #REQUIRE_BINARIES=socat feature ignore_unknown_macro -server s1 -repeat 3 { +server s1 -repeat 9 { rxreq txresp } -start @@ -27,6 +35,7 @@ tune.ssl.default-dh-param 2048 tune.ssl.capture-cipherlist-size 1 stats socket "${tmpdir}/h1/stats" level admin + crt-base ${testdir} defaults mode http 
@@ -41,15 +50,30 @@ listen clear-lst bind "fd@${clearlst}" balance roundrobin + + http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex] + retries 0 # 2nd SSL connection must fail so skip the retry server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com) server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com) server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost) + server s4 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com) + server s5 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate + server s6 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com) + server s7 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate + + server s8 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com) + server s9 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate + listen ssl-lst bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni + server s1 ${s1_addr}:${s1_port} + listen other-ssl-lst + bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/set_default_cert.crt-list server s1 ${s1_addr}:${s1_port} + } -start 
@@ -97,3 +121,84 @@ expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" } + + +# The following requests are aimed at a backend that uses the set_default_cert.crt-list file + +# Uses the www.test1.com sni +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3" + expect resp.status == 200 +} -run + +# Uses the other.test1.com sni and the default line of the crt-list +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3" + expect resp.status == 200 +} -run + +shell { + printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - +} + +# Certificate should not have changed yet +haproxy h1 -cli { + send "show ssl cert ${testdir}/set_default_cert.pem" + expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3" +} + +shell { + echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" - +} + +haproxy h1 -cli { + send "show ssl cert ${testdir}/set_default_cert.pem" + expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6" +} + +# Uses the www.test1.com sni +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.http.X-SSL-Server-SHA1 == "2195C9F0FD58470313013FC27C1B9CF9864BD1C6" + expect resp.status == 200 +} -run + +# Uses the other.test1.com sni and the default line of the crt-list +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.http.X-SSL-Server-SHA1 == "2195C9F0FD58470313013FC27C1B9CF9864BD1C6" + expect resp.status == 200 +} -run + +# Restore original certificate +shell { + printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/set_default_cert.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" - +} + +haproxy h1 -cli { + send 
"show ssl cert ${testdir}/set_default_cert.pem" + expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB" +} + +# Uses the www.test1.com sni +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3" + expect resp.status == 200 +} -run + +# Uses the other.test1.com sni and the default line of the crt-list +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3" + expect resp.status == 200 +} -run diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/set_ssl_cert_bundle.vtc new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/set_ssl_cert_bundle.vtc --- old/haproxy-2.3.9+git1.afb63bc04/reg-tests/ssl/set_ssl_cert_bundle.vtc 1970-01-01 01:00:00.000000000 +0100 +++ new/haproxy-2.3.10+git0.4764f0e4e/reg-tests/ssl/set_ssl_cert_bundle.vtc 2021-04-23 18:51:30.000000000 +0200 
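Review bot: The fingerprint in the "Restore original certificate" check is truncated to 39 hex digits, `expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB"`, while every other expectation in this hunk carries the full 40-digit `9DC18799428875976DDE706E9956035EE88A4CB3`. Because `~` is a regex match the check still passes, but it would also accept any certificate whose fingerprint shares that prefix; restore the trailing `3` so it is as strict as its siblings. Separately, the restore `shell` block pipes both `set ssl cert` and `commit ssl cert` through socat without looking at their output, whereas the first update in this hunk verifies the "not changed yet" state between the two commands; mirroring that here would catch a failed restore before the final two clients run.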
@@ -0,0 +1,111 @@ +#REGTEST_TYPE=broken + +# This reg-test uses the "set ssl cert" command to update a multi-certificate +# bundle over the CLI. +# It requires socat to upload the certificate +# +# This regtests loads a multi-certificates bundle "cert1-example.com.pem" +# composed of a .rsa and a .ecdsa +# +# After verifying that the RSA and ECDSA algorithms were avalailble with the +# right certificate, the test changes the certificates and try new requests. +# +# If this test does not work anymore: +# - Check that you have socat +# - Check that you have at least OpenSSL 1.1.0 + +varnishtest "Test the 'set ssl cert' feature of the CLI with bundles" +#REQUIRE_VERSION=2.3 +#REQUIRE_OPTIONS=OPENSSL +#REQUIRE_BINARIES=socat +feature ignore_unknown_macro + +server s1 -repeat 9 { + rxreq + txresp +} -start + +haproxy h1 -conf { + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-cipherlist-size 1 + stats socket "${tmpdir}/h1/stats" level admin + crt-base ${testdir} + + defaults + mode http + option httplog + ${no-htx} option http-use-htx + log stderr local0 debug err + option logasap + timeout connect 100ms + timeout client 1s + timeout server 1s + + listen clear-lst + bind "fd@${clearlst}" + balance roundrobin + + http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex] + + retries 0 # 2nd SSL connection must fail so skip the retry + server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-RSA-AES128-GCM-SHA256 + server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384 + + server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-RSA-AES128-GCM-SHA256 + server s4 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384 + + listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/cert1-example.com.pem + server s1 ${s1_addr}:${s1_port} + +} -start + + +haproxy h1 -cli 
{ + send "show ssl cert ${testdir}/cert1-example.com.pem.rsa" + expect ~ ".*SHA1 FingerPrint: 94F720DACA71B8B1A0AC9BD48C65BA688FF047DE" + send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa" + expect ~ ".*SHA1 FingerPrint: C1BA055D452F92EB02D449F0498C289F50698300" +} + +client c1 -connect ${h1_clearlst_sock} { +# RSA + txreq + rxresp + expect resp.http.X-SSL-Server-SHA1 == "94F720DACA71B8B1A0AC9BD48C65BA688FF047DE" + expect resp.status == 200 +# ECDSA + txreq + rxresp + expect resp.http.X-SSL-Server-SHA1 == "C1BA055D452F92EB02D449F0498C289F50698300" + expect resp.status == 200 +} -run + +shell { + printf "set ssl cert ${testdir}/cert1-example.com.pem.rsa <<\n$(cat ${testdir}/cert2-example.com.pem.rsa)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/cert1-example.com.pem.rsa" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/cert1-example.com.pem.ecdsa <<\n$(cat ${testdir}/cert2-example.com.pem.ecdsa)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/cert1-example.com.pem.ecdsa" | socat "${tmpdir}/h1/stats" - +} + +haproxy h1 -cli { + send "show ssl cert ${testdir}/cert1-example.com.pem.rsa" + expect ~ ".*SHA1 FingerPrint: ADC863817FC40C2A9CA913CE45C9A92232558F90" + send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa" + expect ~ ".*SHA1 FingerPrint: F49FFA446D072262445C197B85D2F400B3F58808" +} + +client c1 -connect ${h1_clearlst_sock} { +# RSA + txreq + rxresp + expect resp.http.X-SSL-Server-SHA1 == "ADC863817FC40C2A9CA913CE45C9A92232558F90" + expect resp.status == 200 +# ECDSA + txreq + rxresp + expect resp.http.X-SSL-Server-SHA1 == "F49FFA446D072262445C197B85D2F400B3F58808" + expect resp.status == 200 +} -run + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/acl.c new/haproxy-2.3.10+git0.4764f0e4e/src/acl.c --- old/haproxy-2.3.9+git1.afb63bc04/src/acl.c 2021-03-30 18:51:07.000000000 +0200 +++ 
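Review bot: `#REGTEST_TYPE=broken` on the first line disables this whole test without saying why, so a later reader cannot tell whether bundle hot-update itself regressed or the harness simply cannot exercise it; a one-line comment next to it naming the reason (and, if known, the issue or commit that tracks it) is needed, e.g. `# marked broken: <reason> — re-enable once fixed`. Two smaller nits while here: "avalailble" in the header comment is a typo for "available", and `server s1 -repeat 9` announces nine backend requests while the two client blocks only issue four, which appears harmless but misleads anyone counting expected connections.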
new/haproxy-2.3.10+git0.4764f0e4e/src/acl.c 2021-04-23 18:51:30.000000000 +0200 @@ -759,9 +759,9 @@ { .name = "TRUE", .expr = {"always_true",""}}, { .name = "FALSE", .expr = {"always_false",""}}, { .name = "LOCALHOST", .expr = {"src","127.0.0.1/8",""}}, - { .name = "HTTP", .expr = {"req_proto_http",""}}, - { .name = "HTTP_1.0", .expr = {"req_ver","1.0",""}}, - { .name = "HTTP_1.1", .expr = {"req_ver","1.1",""}}, + { .name = "HTTP", .expr = {"req.proto_http",""}}, + { .name = "HTTP_1.0", .expr = {"req.ver","1.0",""}}, + { .name = "HTTP_1.1", .expr = {"req.ver","1.1",""}}, { .name = "METH_CONNECT", .expr = {"method","CONNECT",""}}, { .name = "METH_DELETE", .expr = {"method","DELETE",""}}, { .name = "METH_GET", .expr = {"method","GET","HEAD",""}}, @@ -773,9 +773,9 @@ { .name = "HTTP_URL_ABS", .expr = {"url_reg","^[^/:]*://",""}}, { .name = "HTTP_URL_SLASH", .expr = {"url_beg","/",""}}, { .name = "HTTP_URL_STAR", .expr = {"url","*",""}}, - { .name = "HTTP_CONTENT", .expr = {"hdr_val(content-length)","gt","0",""}}, - { .name = "RDP_COOKIE", .expr = {"req_rdp_cookie_cnt","gt","0",""}}, - { .name = "REQ_CONTENT", .expr = {"req_len","gt","0",""}}, + { .name = "HTTP_CONTENT", .expr = {"req.hdr_val(content-length)","gt","0",""}}, + { .name = "RDP_COOKIE", .expr = {"req.rdp_cookie_cnt","gt","0",""}}, + { .name = "REQ_CONTENT", .expr = {"req.len","gt","0",""}}, { .name = "WAIT_END", .expr = {"wait_end",""}}, { .name = NULL, .expr = {""}} }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/cfgparse-global.c new/haproxy-2.3.10+git0.4764f0e4e/src/cfgparse-global.c --- old/haproxy-2.3.9+git1.afb63bc04/src/cfgparse-global.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/cfgparse-global.c 2021-04-23 18:51:30.000000000 +0200 
@@ -1078,22 +1078,34 @@ } } } else { - /* Mapping at the thread level. All threads are retained - * for process 1, and only thread 1 is retained for other - * processes. + /* Mapping at the thread level. + * Either proc and/or thread must be 1 and only 1. All + * other combinations are silently ignored. */ if (thread == 0x1) { + int val; + /* first thread, iterate on processes. E.g. cpu-map 1-4/1 0-3 */ for (i = n = 0; i < MAX_PROCS; i++) { /* No mapping for this process */ if (!(proc & (1UL << i))) continue; - if (!autoinc) - global.cpu_map.proc_t1[i] = cpus; + + if (!autoinc) { + val = cpus; + } else { n += my_ffsl(cpus >> n); - global.cpu_map.proc_t1[i] = (1UL << (n-1)); + val = 1UL << (n - 1); } + + /* For first process, thread[0] is used. + * Use proc_t1[N] for all others + */ + if (!i) + global.cpu_map.thread[0] = val; + else + global.cpu_map.proc_t1[i] = val; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/check.c new/haproxy-2.3.10+git0.4764f0e4e/src/check.c --- old/haproxy-2.3.9+git1.afb63bc04/src/check.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/check.c 2021-04-23 18:51:30.000000000 +0200 @@ -1160,6 +1160,7 @@ /* 0- init the dummy frontend used to create all checks sessions */ init_new_proxy(&checks_fe); + checks_fe.id = strdup("CHECKS-FE"); checks_fe.cap = PR_CAP_FE | PR_CAP_BE; checks_fe.mode = PR_MODE_TCP; checks_fe.maxconn = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/connection.c new/haproxy-2.3.10+git0.4764f0e4e/src/connection.c --- old/haproxy-2.3.9+git1.afb63bc04/src/connection.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/connection.c 2021-04-23 18:51:30.000000000 +0200 
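Review bot: The rewritten comment in the thread-level branch states that any `cpu-map` where neither proc nor thread is exactly 1 is "silently ignored", which means an operator who believes CPUs are pinned gets no pinning and no diagnostic; the ignored shape should be reported with an `ha_warning()` (or rejected) in the parsing path, and since the function's beginning and end lie outside this hunk the right spot is presumably where `proc`/`thread` are parsed. In the autoinc branch, `val = 1UL << (n - 1)` keeps working only while `my_ffsl(cpus >> n)` still finds a set bit; when more processes are mapped than CPUs listed, `my_ffsl(0)` presumably returns 0, `n` stops advancing and the last CPU is reused for every remaining process — same as before the change, but now worth a comment such as `/* more processes than CPUs listed: remaining processes share the last CPU */` so the behaviour is deliberate rather than accidental.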
@@ -1570,15 +1570,32 @@ /* return the major HTTP version as 1 or 2 depending on how the request arrived * before being processed. + * + * WARNING: Should be updated if a new major HTTP version is added. */ static int smp_fetch_fc_http_major(const struct arg *args, struct sample *smp, const char *kw, void *private) { - struct connection *conn = (kw[0] != 'b') ? objt_conn(smp->sess->origin) : - smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; + struct connection *conn = NULL; + + if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) + conn = (kw[0] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + else + conn = (kw[0] != 'b') ? objt_conn(smp->sess->origin) : + smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; + + /* No connection or a connection with a RAW muxx */ + if (!conn || (conn->mux && !(conn->mux->flags & MX_FL_HTX))) + return 0; + + /* No mux install, this may change */ + if (!conn->mux) { + smp->flags |= SMP_F_MAY_CHANGE; + return 0; + } smp->data.type = SMP_T_SINT; - smp->data.u.sint = (conn && strcmp(conn_get_mux_name(conn), "H2") == 0) ? 2 : 1; + smp->data.u.sint = (strcmp(conn_get_mux_name(conn), "H2") == 0) ? 2 : 1; return 1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/haproxy.c new/haproxy-2.3.10+git0.4764f0e4e/src/haproxy.c --- old/haproxy-2.3.9+git1.afb63bc04/src/haproxy.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/haproxy.c 2021-04-23 18:51:30.000000000 +0200 @@ -802,7 +802,7 @@ old_argc++; /* 1 for haproxy -sf, 2 for -x /socket */ - next_argv = calloc(old_argc + 1 + 2 + mworker_child_nb() + nb_oldpids + 1, + next_argv = calloc(old_argc + 1 + 2 + mworker_child_nb() + 1, sizeof(*next_argv)); if (next_argv == NULL) goto alloc_error; 
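Review bot: In the new health-check branch, `cs_conn(__objt_check(smp->sess->origin)->cs)` is evaluated for `bc_http_major` whenever the session originates from a check; if the check's `cs` can still be NULL at the time a log-format or tcp-check expression is evaluated, this relies on `cs_conn()` tolerating a NULL argument — worth confirming, or guarding explicitly with `conn = ck->cs ? cs_conn(ck->cs) : NULL;`. The two new comments should also be fixed while here: `/* No connection or a connection with a RAW muxx */` → `/* No connection, or a connection with a raw (non-HTX) mux */` and `/* No mux install, this may change */` → `/* No mux installed yet: the result may still change */`, the latter explaining why SMP_F_MAY_CHANGE is set.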
@@ -2670,6 +2670,7 @@ free(s->available_conns); free(s->curr_idle_thr); free(s->resolvers_id); + free(s->lb_nodes); if (s->use_ssl == 1 || s->check.use_ssl == 1 || (s->proxy->options & PR_O_TCPCHK_SSL)) { if (xprt_get(XPRT_SSL) && xprt_get(XPRT_SSL)->destroy_srv) @@ -3316,13 +3317,6 @@ if ((global.mode & MODE_MWORKER) && !(global.mode & MODE_MWORKER_WAIT)) mworker_kill_max_reloads(SIGTERM); - if ((getenv("HAPROXY_MWORKER_REEXEC") == NULL)) { - nb_oldpids = 0; - free(oldpids); - oldpids = NULL; - } - - /* Note that any error at this stage will be fatal because we will not * be able to restart the old pids. */ @@ -3679,8 +3673,11 @@ #ifdef USE_CPU_AFFINITY /* Now the CPU affinity for all threads */ - if (global.cpu_map.proc_t1[relative_pid-1]) - global.cpu_map.thread[0] &= global.cpu_map.proc_t1[relative_pid-1]; + + /* If on multiprocess, use proc_t1 except for the first process. + */ + if ((relative_pid - 1) > 0) + global.cpu_map.thread[0] = global.cpu_map.proc_t1[relative_pid-1]; for (i = 0; i < global.nbthread; i++) { if (global.cpu_map.proc[relative_pid-1]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/http_fetch.c new/haproxy-2.3.10+git0.4764f0e4e/src/http_fetch.c --- old/haproxy-2.3.9+git1.afb63bc04/src/http_fetch.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/http_fetch.c 2021-04-23 18:51:30.000000000 +0200 @@ -347,7 +347,7 @@ return 0; } - htx = smp_prefetch_htx(smp, chn, NULL, 0); + htx = smp_prefetch_htx(smp, chn, NULL, 1); if (!htx) return 0; 
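Review bot: In the USE_CPU_AFFINITY hunk the guarded `&=` is replaced by an unconditional `global.cpu_map.thread[0] = global.cpu_map.proc_t1[relative_pid-1];` for every process but the first, so as far as the visible code shows, a process with no thread-1 mapping (`proc_t1[]` entry 0) has `thread[0]` reset to "no binding" while `thread[1..]`, which a process-1 thread-level `cpu-map` may have filled, are left intact and presumably still applied by the loop that follows. If process-1 thread mappings are not meant to apply to other processes, the remaining entries need the same treatment; if only thread 1 is intended, the comment should say why. Either way the comment could be more explicit, e.g. `/* thread[] was filled for process 1; for other processes only proc_t1[] is meaningful */`. The enclosing function continues outside this hunk, so only part of the loop applying `thread[i]` is visible.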
@@ -1015,7 +1015,7 @@ smp->data.u.str.data); temp->area[smp->data.u.str.data] = '\0'; len = url2ipv4((char *) temp->area, &smp->data.u.ipv4); - if (len == smp->data.u.str.data) { + if (len > 0 && len == smp->data.u.str.data) { /* plain IPv4 address */ smp->data.type = SMP_T_IPV4; break; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/http_htx.c new/haproxy-2.3.10+git0.4764f0e4e/src/http_htx.c --- old/haproxy-2.3.9+git1.afb63bc04/src/http_htx.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/http_htx.c 2021-04-23 18:51:30.000000000 +0200 @@ -64,11 +64,9 @@ { struct htx_blk *blk; - BUG_ON(htx->first == -1); blk = htx_get_first_blk(htx); - if (!blk) + if (!blk || (htx_get_blk_type(blk) != HTX_BLK_REQ_SL && htx_get_blk_type(blk) != HTX_BLK_RES_SL)) return NULL; - BUG_ON(htx_get_blk_type(blk) != HTX_BLK_REQ_SL && htx_get_blk_type(blk) != HTX_BLK_RES_SL); return htx_get_blk_ptr(htx, blk); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/log.c new/haproxy-2.3.10+git0.4764f0e4e/src/log.c --- old/haproxy-2.3.9+git1.afb63bc04/src/log.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/log.c 2021-04-23 18:51:30.000000000 +0200 @@ -2120,9 +2120,9 @@ * A request error is reported as it's the only element we have * here and which justifies emitting such a log. */ - be = fe; + be = ((obj_type(sess->origin) == OBJ_TYPE_CHECK) ? __objt_check(sess->origin)->proxy : fe); txn = NULL; - be_conn = NULL; + be_conn = ((obj_type(sess->origin) == OBJ_TYPE_CHECK) ? cs_conn(__objt_check(sess->origin)->cs) : NULL); s_flags = SF_ERR_PRXCOND | SF_FINST_R; uniq_id = _HA_ATOMIC_XADD(&global.req_count, 1); 
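Review bot: `http_get_stline()` now returns NULL not only for an empty HTX message but also when the first block is not a start line, where it previously tripped a `BUG_ON()`; any caller that dereferences the result unconditionally has therefore traded an explicit assertion for a NULL dereference, and the function's header comment (above this hunk, outside it) should spell out the new contract, e.g. `/* Returns the start line of the HTX message, or NULL if the message is empty or does not begin with a request/response start line; callers must check the result. */`. The removed `BUG_ON(htx->first == -1)` is now covered implicitly by `htx_get_first_blk()` returning NULL, which deserves a word in that comment as well so nobody reintroduces the assertion.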
@@ -2418,7 +2418,7 @@ if (iret == 0) goto out; tmplog += iret; - if (sess->listener->bind_conf->xprt == xprt_get(XPRT_SSL)) + if (sess->listener && sess->listener->bind_conf->xprt == xprt_get(XPRT_SSL)) LOGCHAR('~'); if (tmp->options & LOG_OPT_QUOTE) LOGCHAR('"'); @@ -2461,13 +2461,18 @@ break; case LOG_FMT_SERVER: // %s - switch (obj_type(s ? s->target : NULL)) { + switch (obj_type(s ? s->target : sess->origin)) { case OBJ_TYPE_SERVER: src = __objt_server(s->target)->id; break; case OBJ_TYPE_APPLET: src = __objt_applet(s->target)->name; break; + case OBJ_TYPE_CHECK: + src = (__objt_check(sess->origin)->server + ? __objt_check(sess->origin)->server->id + : "<NOSRV>"); + break; default: src = "<NOSRV>"; break; @@ -2668,9 +2673,21 @@ break; case LOG_FMT_SRVCONN: // %sc - ret = ultoa_o(objt_server(s ? s->target : NULL) ? - objt_server(s->target)->cur_sess : - 0, tmplog, dst + maxsize - tmplog); + switch (obj_type(s ? s->target : sess->origin)) { + case OBJ_TYPE_SERVER: + ret = ultoa_o(__objt_server(s->target)->cur_sess, + tmplog, dst + maxsize - tmplog); + break; + case OBJ_TYPE_CHECK: + ret = ultoa_o(__objt_check(sess->origin)->server + ? __objt_check(sess->origin)->server->cur_sess + : 0, tmplog, dst + maxsize - tmplog); + break; + default: + ret = ultoa_o(0, tmplog, dst + maxsize - tmplog); + break; + } + if (ret == NULL) goto out; tmplog = ret; 
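Review bot: In the `LOG_FMT_SERVER` case the switch now dispatches on `obj_type(s ? s->target : sess->origin)`, but the `OBJ_TYPE_SERVER` and `OBJ_TYPE_APPLET` arms still dereference `s->target`; when `s` is NULL (the session-level log path this commit also reworks) and `sess->origin` is an applet — which looks possible for applet-originated sessions such as peers or the CLI, if I read the surrounding code right — `__objt_applet(s->target)` dereferences a NULL `s`. The applet arm should resolve from the object it matched: `src = __objt_applet(s ? s->target : sess->origin)->name;`, and writing the server arm the same way keeps the three arms consistent even though a server target is only reachable with a stream. The `LOG_FMT_SRVCONN` switch below has the same shape and the same `s->target` assumption in its `OBJ_TYPE_SERVER` arm.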
@@ -2680,9 +2697,10 @@ case LOG_FMT_RETRIES: // %rq if (s_flags & SF_REDISP) LOGCHAR('+'); - ret = ltoa_o((s && s->si[1].conn_retries > 0) ? - (be->conn_retries - s->si[1].conn_retries) : - be->conn_retries, tmplog, dst + maxsize - tmplog); + ret = ltoa_o(((s && s->si[1].conn_retries > 0) + ? (be->conn_retries - s->si[1].conn_retries) + : ((s && s->si[1].state != SI_ST_INI) ? be->conn_retries : 0)), + tmplog, dst + maxsize - tmplog); if (ret == NULL) goto out; tmplog = ret; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/mux_h1.c new/haproxy-2.3.10+git0.4764f0e4e/src/mux_h1.c --- old/haproxy-2.3.9+git1.afb63bc04/src/mux_h1.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/mux_h1.c 2021-04-23 18:51:30.000000000 +0200 @@ -2246,6 +2246,8 @@ if (!h1s_create(h1c, NULL, NULL)) goto release; } + else if (conn_is_back(conn) && (h1c->flags & H1C_F_CS_IDLE) && b_data(&h1c->ibuf)) + goto release; else goto end; h1s = h1c->h1s; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/mux_h2.c new/haproxy-2.3.10+git0.4764f0e4e/src/mux_h2.c --- old/haproxy-2.3.9+git1.afb63bc04/src/mux_h2.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/mux_h2.c 2021-04-23 18:51:30.000000000 +0200 
@@ -3566,17 +3566,17 @@ ret = max ? conn->xprt->rcv_buf(conn, conn->xprt_ctx, buf, max, 0) : 0; - if (max && !ret) { - if (conn_xprt_read0_pending(h2c->conn)) { - TRACE_DATA("received read0", H2_EV_H2C_RECV, h2c->conn); - h2c->flags |= H2_CF_RCVD_SHUT; - } else if (h2_recv_allowed(h2c)) { - TRACE_DATA("failed to receive data, subscribing", H2_EV_H2C_RECV, h2c->conn); - conn->xprt->subscribe(conn, conn->xprt_ctx, SUB_RETRY_RECV, &h2c->wait_event); - } + if (max && !ret && h2_recv_allowed(h2c)) { + TRACE_DATA("failed to receive data, subscribing", H2_EV_H2C_RECV, h2c->conn); + conn->xprt->subscribe(conn, conn->xprt_ctx, SUB_RETRY_RECV, &h2c->wait_event); } else if (ret) TRACE_DATA("received data", H2_EV_H2C_RECV, h2c->conn, 0, 0, (void*)(long)ret); + if (conn_xprt_read0_pending(h2c->conn)) { + TRACE_DATA("received read0", H2_EV_H2C_RECV, h2c->conn); + h2c->flags |= H2_CF_RCVD_SHUT; + } + if (!b_data(buf)) { h2_release_buf(h2c, &h2c->dbuf); TRACE_LEAVE(H2_EV_H2C_RECV, h2c->conn); @@ -4559,7 +4559,7 @@ * above). The hole moves after the new aggragated frame. */ b_move(&h2c->dbuf, b_peek_ofs(&h2c->dbuf, h2c->dfl + hole + 9), clen, -(h2c->dpl + hole + 9)); - h2c->dfl += clen - h2c->dpl; + h2c->dfl += hdr.len - h2c->dpl; hole += h2c->dpl + 9; h2c->dpl = 0; TRACE_STATE("waiting for next continuation frame", H2_EV_RX_FRAME|H2_EV_RX_FHDR|H2_EV_RX_CONT|H2_EV_RX_HDR, h2c->conn); @@ -4694,7 +4694,7 @@ b_sub(&h2c->dbuf, hole); } - if (b_full(&h2c->dbuf) && h2c->dfl >= b_data(&h2c->dbuf)) { + if (b_full(&h2c->dbuf) && h2c->dfl) { /* too large frames */ h2c_error(h2c, H2_ERR_INTERNAL_ERROR); ret = -1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/peers.c new/haproxy-2.3.10+git0.4764f0e4e/src/peers.c --- old/haproxy-2.3.9+git1.afb63bc04/src/peers.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/peers.c 2021-04-23 18:51:30.000000000 +0200 
@@ -2217,7 +2217,7 @@ } HA_SPIN_UNLOCK(STK_TABLE_LOCK, &st->table->lock); } - else { + else if (!(peer->flags & PEER_F_TEACH_FINISHED)) { if (!(st->flags & SHTABLE_F_TEACH_STAGE1)) { repl = peer_send_teach_stage1_msgs(appctx, peer, st); if (repl <= 0) @@ -3031,20 +3031,20 @@ /* add DO NOT STOP flag if not present */ _HA_ATOMIC_ADD(&jobs, 1); peers->flags |= PEERS_F_DONOTSTOP; - ps = peers->local; - for (st = ps->tables; st ; st = st->next) - st->table->syncing++; - } - /* disconnect all connected peers */ - for (ps = peers->remote; ps; ps = ps->next) { - /* we're killing a connection, we must apply a random delay before - * retrying otherwise the other end will do the same and we can loop - * for a while. + /* disconnect all connected peers to process a local sync + * this must be done only the first time we are switching + * in stopping state */ - ps->reconnect = tick_add(now_ms, MS_TO_TICKS(50 + ha_random() % 2000)); - if (ps->appctx) { - peer_session_forceshutdown(ps); + for (ps = peers->remote; ps; ps = ps->next) { + /* we're killing a connection, we must apply a random delay before + * retrying otherwise the other end will do the same and we can loop + * for a while. + */ + ps->reconnect = tick_add(now_ms, MS_TO_TICKS(50 + ha_random() % 2000)); + if (ps->appctx) { + peer_session_forceshutdown(ps); + } } } } @@ -3056,7 +3056,7 @@ _HA_ATOMIC_SUB(&jobs, 1); peers->flags &= ~PEERS_F_DONOTSTOP; for (st = ps->tables; st ; st = st->next) - st->table->syncing--; + _HA_ATOMIC_SUB(&st->table->refcnt, 1); } } else if (!ps->appctx) { @@ -3070,8 +3070,10 @@ * or previous tcp connect succeeded but init state incomplete * or during previous connect, peer replies a try again statuscode */ - /* connect to the peer */ - peer_session_create(peers, ps); + /* connect to the local peer if we must push a local sync */ + if (peers->flags & PEERS_F_DONOTSTOP) { + peer_session_create(peers, ps); + } } else { /* Other error cases */ 
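Review bot: The release of the local-sync hold now decrements `st->table->refcnt` in two places (the finished-sync path in this hunk and the error path in the next one), each paired with clearing `PEERS_F_DONOTSTOP`, while the matching increment is taken once per table at config-parse time; the pairing therefore depends entirely on the flag test being hit exactly once. `refcnt` is printed with `%u` in `show peers`, so an extra decrement would wrap rather than go negative and permanently defeat the `!p->table->refcnt` flush check in proxy.c. A small helper such as `peers_release_tables(peers)` that clears the flag and decrements in one place, with a `BUG_ON(!st->table->refcnt)` guard, would make that invariant explicit. The enclosing function starts before this hunk.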
@@ -3080,7 +3082,7 @@ _HA_ATOMIC_SUB(&jobs, 1); peers->flags &= ~PEERS_F_DONOTSTOP; for (st = ps->tables; st ; st = st->next) - st->table->syncing--; + _HA_ATOMIC_SUB(&st->table->refcnt, 1); } } } @@ -3292,6 +3294,13 @@ id = curpeer->tables->local_id; st->local_id = id + 1; + /* If peer is local we inc table + * refcnt to protect against flush + * until this process pushed all + * table content to the new one + */ + if (curpeer->local) + _HA_ATOMIC_ADD(&st->table->refcnt, 1); curpeer->tables = st; } @@ -3472,8 +3481,8 @@ st->last_acked, st->last_pushed, st->last_get, st->teaching_origin, st->update); chunk_appendf(&trash, "\n table:%p id=%s update=%u localupdate=%u" - " commitupdate=%u syncing=%u", - t, t->id, t->update, t->localupdate, t->commitupdate, t->syncing); + " commitupdate=%u refcnt=%u", + t, t->id, t->update, t->localupdate, t->commitupdate, t->refcnt); chunk_appendf(&trash, "\n TX dictionary cache:"); count = 0; for (i = 0; i < dcache->max_entries; i++) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/proxy.c new/haproxy-2.3.10+git0.4764f0e4e/src/proxy.c --- old/haproxy-2.3.9+git1.afb63bc04/src/proxy.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/proxy.c 2021-04-23 18:51:30.000000000 +0200 
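Review bot: The reference taken with `_HA_ATOMIC_ADD(&st->table->refcnt, 1)` in the @@ -3292 hunk is released only on the stopping path in the @@ -3056 and @@ -3082 hunks, so if a peers section with a local peer can be disabled after parsing, or the sync task never reaches that path, the table keeps a non-zero refcnt for the life of the process and, per the proxy.c change, is never trimmed while stopping. If such a disable path exists it should drop the reference as well, and the new comment here should name where the release happens so the pairing is visible. The enclosing function starts and ends outside the hunk.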
@@ -1122,7 +1122,13 @@ * However we protect tables that are being synced to peers. */ if (unlikely(stopping && p->disabled && p->table && p->table->current)) { - if (!p->table->syncing) { + + if (!p->table->refcnt) { + /* !table->refcnt means there + * is no more pending full resync + * to push to a new process and + * we are free to flush the table. + */ stktable_trash_oldest(p->table, p->table->current); pool_gc(NULL); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/sample.c new/haproxy-2.3.10+git0.4764f0e4e/src/sample.c --- old/haproxy-2.3.9+git1.afb63bc04/src/sample.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/sample.c 2021-04-23 18:51:30.000000000 +0200 @@ -2526,13 +2526,13 @@ if (!smp->data.u.str.data) return 1; - smp->data.u.str.area = start; - /* Compute remaining size if needed Note: smp->data.u.str.size cannot be set to 0 */ if (smp->data.u.str.size) smp->data.u.str.size -= start - smp->data.u.str.area; + smp->data.u.str.area = start; + return 1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/ssl_ckch.c new/haproxy-2.3.10+git0.4764f0e4e/src/ssl_ckch.c --- old/haproxy-2.3.9+git1.afb63bc04/src/ssl_ckch.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/ssl_ckch.c 2021-04-23 18:51:30.000000000 +0200 
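Review bot: `p->table->refcnt` is read with a plain load in the @@ -1122 hunk while the peers code updates it with `_HA_ATOMIC_ADD`/`_HA_ATOMIC_SUB`; a torn read is unlikely for a word-sized counter, but going through the same atomic helpers (`HA_ATOMIC_LOAD`, if this tree provides it) would document the sharing and keep a thread sanitizer quiet. The blank line inserted right after `if (unlikely(stopping && p->disabled && p->table && p->table->current)) {` is also out of step with the surrounding style and could be dropped. The enclosing loop starts before the hunk.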
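Review bot: The reordering in the sample.c @@ -2526 hunk is correct only because `smp->data.u.str.size -= start - smp->data.u.str.area` must see the original `area`, which the code does not state; a comment above the size adjustment such as `/* area must still point at the original start here: size is shrunk by the offset of the new start */` would stop someone from "tidying" the assignment back to where it was. The enclosing converter starts before the hunk.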
@@ -913,6 +913,8 @@ ebmb_delete(&sni->name); free(sni); } + SSL_CTX_free(inst->ctx); + inst->ctx = NULL; LIST_DEL(&inst->by_ckchs); LIST_DEL(&inst->by_crtlist_entry); free(inst); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/ssl_crtlist.c new/haproxy-2.3.10+git0.4764f0e4e/src/ssl_crtlist.c --- old/haproxy-2.3.9+git1.afb63bc04/src/ssl_crtlist.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/ssl_crtlist.c 2021-04-23 18:51:30.000000000 +0200 @@ -1314,6 +1314,7 @@ int linenum = 0; char *colons; char *end; + int error_message_dumped = 0; if (!cli_has_level(appctx, ACCESS_LVL_ADMIN)) return 1; @@ -1394,6 +1395,20 @@ goto error; } + /* Iterate over all the instances in order to see if any of them is a + * default instance. If this is the case, the entry won't be suppressed. */ + list_for_each_entry_safe(inst, inst_s, &entry->ckch_inst, by_crtlist_entry) { + if (inst->is_default && !inst->bind_conf->strict_sni) { + if (!error_message_dumped) { + memprintf(&err, "certificate '%s' cannot be deleted, it is used as default certificate by the following frontends:\n", cert_path); + error_message_dumped = 1; + } + memprintf(&err, "%s\t- %s:%d\n", err, inst->bind_conf->file, inst->bind_conf->line); + } + } + if (error_message_dumped) + goto error; + /* upon error free the ckch_inst and everything inside */ ebpt_delete(&entry->node); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/ssl_sample.c new/haproxy-2.3.10+git0.4764f0e4e/src/ssl_sample.c --- old/haproxy-2.3.9+git1.afb63bc04/src/ssl_sample.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/ssl_sample.c 2021-04-23 18:51:30.000000000 +0200 
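Review bot: `inst->ctx = NULL;` in the @@ -913 hunk is immediately followed by `free(inst)`, so the reset has no effect and only adds noise; keeping `SSL_CTX_free(inst->ctx);` alone is enough here. If some instances reach this point without a ctx, `SSL_CTX_free(NULL)` is a no-op, so no extra guard is needed either. The enclosing function starts before the hunk.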
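Review bot: The new default-certificate scan in the ssl_crtlist.c @@ -1395 hunk uses `list_for_each_entry_safe` although it removes nothing from the list, which suggests a deletion that is not there; `list_for_each_entry(inst, &entry->ckch_inst, by_crtlist_entry)` states the intent better. The loop also dereferences `inst->bind_conf` unconditionally, so it is worth confirming that every instance attached to a crt-list entry has its bind_conf set by the time this CLI handler runs; and the pre-existing `/* upon error free the ckch_inst and everything inside */` comment now follows a success-path goto and no longer describes what comes next. The `error_message_dumped` flag itself is declared in the @@ -1314 hunk. The enclosing handler starts before the hunk.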
@@ -743,7 +743,7 @@ struct connection *conn; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; @@ -780,7 +780,7 @@ SSL *ssl; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; @@ -803,7 +803,7 @@ SSL *ssl; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; @@ -837,7 +837,7 @@ int sint; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; @@ -868,7 +868,7 @@ SSL *ssl; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; 
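Review bot: The corrected `conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;` line is repeated verbatim in twelve fetch functions (this hunk and the @@ -780, -803, -837, -868, -900, -935, -968, -1006, -1038, -1075 and -1293 hunks), each of which previously carried the same inverted test, and nothing says that index 4 is the 'b' of `ssl_bc_*`; a single static helper returning the right connection for both the check and the stream origin would remove the duplication and make the next fix a one-line change. At minimum, a comment at the first site such as `/* kw[4] is 'b' for ssl_bc_* (server side); a health-check only has a server-side connection */` would explain the test. Each enclosing function starts before its hunk.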
@@ -900,7 +900,7 @@ smp->data.type = SMP_T_STR; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; @@ -935,7 +935,7 @@ smp->data.type = SMP_T_STR; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; @@ -968,7 +968,7 @@ SSL *ssl; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; @@ -1006,7 +1006,7 @@ smp->data.type = SMP_T_BIN; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; @@ -1038,7 +1038,7 @@ SSL *ssl; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; 
@@ -1075,7 +1075,7 @@ SSL *ssl; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; @@ -1293,7 +1293,7 @@ SSL *ssl; if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK) - conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; + conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL; else conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/ssl_sock.c new/haproxy-2.3.10+git0.4764f0e4e/src/ssl_sock.c --- old/haproxy-2.3.9+git1.afb63bc04/src/ssl_sock.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/ssl_sock.c 2021-04-23 18:51:30.000000000 +0200 @@ -2886,7 +2886,6 @@ struct sni_ctx *sc0, *sc0b, *sc1; struct ebmb_node *node; - int def = 0; list_for_each_entry_safe(sc0, sc0b, &ckch_inst->sni_ctx, by_ckch_inst) { @@ -2921,14 +2920,13 @@ ebst_insert(&bind_conf->sni_w_ctx, &sc0->name); else ebst_insert(&bind_conf->sni_ctx, &sc0->name); + } - /* replace the default_ctx if required with the first ctx */ - if (ckch_inst->is_default && !def) { - SSL_CTX_free(bind_conf->default_ctx); - SSL_CTX_up_ref(sc0->ctx); - bind_conf->default_ctx = sc0->ctx; - def = 1; - } + /* replace the default_ctx if required with the instance's ctx. */ + if (ckch_inst->is_default) { + SSL_CTX_free(bind_conf->default_ctx); + SSL_CTX_up_ref(ckch_inst->ctx); + bind_conf->default_ctx = ckch_inst->ctx; } } 
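Review bot: In the ssl_sock.c @@ -2921 hunk the old default context is released with `SSL_CTX_free(bind_conf->default_ctx)` before the new reference is taken with `SSL_CTX_up_ref(ckch_inst->ctx)`; if both point at the same SSL_CTX the free runs first, which is only safe because the instance now holds its own reference (added in the @@ -3299 hunk). Taking the reference first — `SSL_CTX_up_ref(ckch_inst->ctx); SSL_CTX_free(bind_conf->default_ctx); bind_conf->default_ctx = ckch_inst->ctx;` — does not depend on that invariant and is the usual order for swapping refcounted pointers. The enclosing function starts before the hunk.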
@@ -3299,6 +3297,12 @@ SSL_CTX_up_ref(ctx); } + /* Always keep a reference to the newly constructed SSL_CTX in the + * instance. This way if the instance has no SNIs, the SSL_CTX will + * still be linked. */ + SSL_CTX_up_ref(ctx); + ckch_inst->ctx = ctx; + /* everything succeed, the ckch instance can be used */ ckch_inst->bind_conf = bind_conf; ckch_inst->ssl_conf = ssl_conf; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/tcp_act.c new/haproxy-2.3.10+git0.4764f0e4e/src/tcp_act.c --- old/haproxy-2.3.9+git1.afb63bc04/src/tcp_act.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/tcp_act.c 2021-04-23 18:51:30.000000000 +0200 @@ -207,7 +207,17 @@ * network and has no effect on local net. */ #ifdef IP_TTL - setsockopt(conn->handle.fd, SOL_IP, IP_TTL, &one, sizeof(one)); + if (conn->src && conn->src->ss_family == AF_INET) + setsockopt(conn->handle.fd, SOL_IP, IP_TTL, &one, sizeof(one)); +#endif +#ifdef IPV6_UNICAST_HOPS +#if defined(SOL_IPV6) + if (conn->src && conn->src->ss_family == AF_INET6) + setsockopt(conn->handle.fd, SOL_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one)); +#elif defined(IPPROTO_IPV6) + if (conn->src && conn->src->ss_family == AF_INET6) + setsockopt(conn->handle.fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one)); +#endif #endif out: /* kill the stream if any */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-2.3.9+git1.afb63bc04/src/tools.c new/haproxy-2.3.10+git0.4764f0e4e/src/tools.c --- old/haproxy-2.3.9+git1.afb63bc04/src/tools.c 2021-03-30 18:51:07.000000000 +0200 +++ new/haproxy-2.3.10+git0.4764f0e4e/src/tools.c 2021-04-23 18:51:30.000000000 +0200 @@ -2260,6 +2260,7 @@ if (text[1] == 's') { idiv = 1000000; text++; + break; } return text; case 'm': /* millisecond : "ms" or minute: "m" */
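Review bot: `ckch_inst->ctx = ctx;` in the @@ -3299 hunk overwrites whatever the field held without releasing it, so the new comment should also state the assumption that the instance is freshly built here, or the line should free a previous value first. The matching release is the `SSL_CTX_free(inst->ctx)` added in ssl_ckch.c; naming it in the comment would make the ownership pairing visible. The enclosing function continues beyond the hunk.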
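Review bot: The new IPv6 branch in the tcp_act.c @@ -207 hunk falls back from SOL_IPV6 to IPPROTO_IPV6, but the IPv4 line next to it still uses SOL_IP with no such fallback, so on a platform without SOL_IP the IPv4 hop limit is silently not applied, and the `setsockopt` results are ignored in both branches; using IPPROTO_IP/IPPROTO_IPV6 uniformly, or guarding both the same way, would be consistent. The branch is keyed on `conn->src->ss_family` rather than the socket's own family, which is fine only if the stored source address is never converted to a family different from the socket's (for example v4-mapped addresses on an AF_INET6 listener); that is worth confirming. The enclosing action starts before the hunk.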
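Review bot: The `break;` added in the tools.c @@ -2260 hunk makes "us" fall out of the switch like the other units instead of returning at once, but nothing in the case says why the `return text;` that follows now applies only to a bare "u"; a comment next to the break such as `/* "us": leave the switch so idiv is applied like the other units */` would make the control flow explicit. The `case 'u':` label and the post-switch code are outside the hunk, so I cannot confirm what `text` must point at on exit; if the post-switch code advances it once more, note that here too.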
