Your message dated Wed, 06 May 2015 07:52:31 +0200
with message-id <[email protected]>
and subject line Fixed in later versions
has caused the Debian Bug report #776384,
regarding haproxy: Loading order of SSL certificates is unpredictable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
776384: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776384
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: haproxy
Version: 1.5.8-1~bpo70+1
Severity: normal
Tags: patch upstream

Dear Maintainer,

HAProxy currently uses readdir() function to list the directory where
the SSL certificates are stored. As readdir() does not guarantee any
order in the listing (neither alphabetical nor time ordered one), this
can lead to a situation where two members of an active/passive HAProxy
"cluster" behave differently without any information about it resulting
in misbehaviour for non SNI aware devices.

Based on the report you can find here[1] a patch has been provided by
Cyril Bonté and accepted upstream. You can find this patch here[2].

It would be great if you could include it before the next jessie is
released. If not possible at all because of the freeze, any future
inclusion of this patch before the next HAProxy stable release would be
welcome :)

Please note, that until patched, the workaround exists and consists in
forcing the correct default certificate to be loaded in the bind
directive:

    frontend bla
        ...
        bind A.B.C.D:444 ssl crt /etc/haproxy/ssl/my-default-certificate.pem crt /etc/haproxy/ssl/
        ...
    ...

Thanks and best regards,

Raphaël

P.S. I'm reporting the bug on the backport package but it definitely
concerns all HAProxy versions currently in Debian as it is an upstream
related "bug".

[1] http://marc.info/?l=haproxy&m=142107911132411&w=2
[2] http://marc.info/?l=haproxy&m=142214143425201&w=2

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/24 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages haproxy depends on:
ii  adduser              3.113+nmu3
ii  init-system-helpers  1.18~bpo70+1
ii  libc6                2.13-38+deb7u6
ii  libpcre3             1:8.30-5
ii  libssl1.0.0          1.0.1e-2+deb7u13
ii  zlib1g               1:1.2.7.dfsg-13

haproxy recommends no packages.

Versions of packages haproxy suggests:
pn  haproxy-doc  <none>
pn  vim-haproxy  <none>

-- Configuration Files:
/etc/haproxy/haproxy.cfg changed [not included]

-- debconf-show failed
--- End Message ---
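
The report above turns on readdir() returning entries in no guaranteed order. As an added illustration (not HAProxy code, not the patch referenced in the report, and not part of the original message), here is one way to list a certificate directory deterministically with scandir() and alphasort(), so that every node picks the same first certificate. The function names and the sample file names are hypothetical and constructed for the example.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Skip dotfiles, which also drops "." and "..". */
static int skip_hidden(const struct dirent *de) { return de->d_name[0] != '.'; }

/* Hypothetical helper: copy into `out` the entry that a loader walking `dir`
 * in sorted order would read first (the certificate that would end up as the
 * default for clients sending no SNI). Returns the entry count, -1 on error. */
int first_cert_sorted(const char *dir, char *out, size_t outlen)
{
    struct dirent **list;
    int n = scandir(dir, &list, skip_hidden, alphasort); /* sorted, unlike readdir() */
    if (n < 0) return -1;
    if (outlen) out[0] = '\0';
    if (n > 0) snprintf(out, outlen, "%s", list[0]->d_name);
    for (int i = 0; i < n; i++) free(list[i]);
    free(list);
    return n;
}

/* Constructed sample: temp dir with three empty .pem files, created in
 * non-alphabetical order so creation order cannot explain the result. */
int make_sample_dir(char *tmpl)
{
    const char *names[] = { "zz-wildcard.pem", "00-default.pem", "mm-api.pem" };
    if (!mkdtemp(tmpl)) return -1;
    for (size_t i = 0; i < 3; i++) {
        char path[512];
        snprintf(path, sizeof path, "%s/%s", tmpl, names[i]);
        FILE *f = fopen(path, "w");
        if (!f) return -1;
        fclose(f);
    }
    return 0;
}

int main(void)
{
    char dir[] = "/tmp/crtdirXXXXXX", first[256];
    if (make_sample_dir(dir) != 0) return 1;
    int n = first_cert_sorted(dir, first, sizeof first);
    printf("%d entries, first in sorted order: %s\n", n, first);
    return n == 3 ? 0 : 1;
}
```

alphasort() compares with strcoll(), so the order follows the process locale; a program that never calls setlocale() stays in the "C" locale and gets plain byte order.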
--- Begin Message ---
All those bugs are now fixed in later versions.

-- 
Make input easy to prepare and output self-explanatory.
            - The Elements of Programming Style (Kernighan & Plauger)
--- End Message ---

