Hi all!
At last, a release before the end of the week so that those of us with
a bad weather have something to do on Friday and something to fear for
the week-end :-)
Just as for 1.5.6 two weeks ago, we have a small bunch of fixes for 1.5.7.
- A nasty bug reported by Dmitry Sivachenko can cause haproxy to die in
some rare cases when a monitoring system issues a lot of "show sess"
commands on the CLI and aborts them in the middle of a transfer. The
probability to hit it is so low that it has existed since v1.4 and was
only noticed now.
- Cyril Bonté fixed a bug causing wrong flags to be sometimes reported
in the logs for keep-alive requests.
- A bug where the PROXY protocol is used with a banner protocol causes
an extra 200ms delay for the request to leave, slowing down connection
establishment to SMTP or FTP servers. I think this won't change anything
for such users given that those connections are generally quite long.
- Christian Ruppert found and fixed a bug in the way regex are compiled
when HAProxy is built with support for PCRE_JIT but the libpcre is built
without.
- The way original connection addresses are detected on a system where
connections are NAT'd by Netfilter was fixed so that we wouldn't report
IPv4 destination addresses for v6-mapped v4 addresses. This used to cause
the PROXY protocol to emit "UNKNOWN" as the address families differed
for the source and destination!
- John Leach reported an interesting bug in the way SSL certificates were
loaded : if a certificate with an invalid subject (no parsable CN) is
loaded as the first in the list, its context will not be updated with the
bind line arguments, resulting in such a certificate to accept SSLv3
despite the "no-sslv3" keyword. That was diagnosed and fixed by Emeric.
- Emeric also implemented the global "ssl-default-bind-options" and
"ssl-default-server-options" keywords, and implemented "ssl_c_der" and
"ssl_f_der" to pass the full raw certificate to the server if needed. I've
backported them from 1.6-dev to 1.5 because I feel a general demand for
making SSL safe and easy to configure.
And that's all for this version! Nothing critical again, but we're just
trying to keep a fast pace to eliminate each and every bug and try to react
quickly to bug reports.
BTW I have a few patches pending for 1.4 and Cyril reminded me that we
still have this awful http-send-name-header which is partially broken
there and that we aren' absolutely sure how to definitely fix correctly
without risking to break something else :-( There are features I wish
I had never merged in certain versions :-/
Concerning 1.6, I'm still working on enumerating the changes needed to support
HTTP/2. At the moment I'm working with two lists in parallel : the shortest
path and the durable one. What's sad is that it seems they're very close to
each other. But the good thing is that I think it should be doable for the
1.6 timeframe. Since that's only paper work and code review for now, it
explains why there is very little activity on the code base for now. Let's
hope it'll take off soon :-)
Here's the full changelog for 1.5.7 :
- BUG/MEDIUM: regex: fix pcre_study error handling
- BUG/MINOR: log: fix request flags when keep-alive is enabled
- MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER
formatted certs
- MINOR: ssl: add statement to force some ssl options in global.
- BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
- BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
- BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
- BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
- BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets
Usual URLs below :
Site index : http://www.haproxy.org/
Sources : http://www.haproxy.org/download/1.5/src/
Git repository : http://git.haproxy.org/git/haproxy-1.5.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-1.5.git
Changelog : http://www.haproxy.org/download/1.5/src/CHANGELOG
Cyril's HTML doc :
http://cbonte.github.com/haproxy-dconv/configuration-1.5.html
Willy
