Hello Willy,

Thanks for ssl_c_der! Can you implement ssl_c_pem like in nginx
(ssl_client_raw_cert)?

---
Best regards,
Eugene Istomin


> Hi all!
> 
> At last, a release before the end of the week so that those of us with
> a bad weather have something to do on Friday and something to fear for
> the week-end :-)
> 
> Just as for 1.5.6 two weeks ago, we have a small bunch of fixes for 1.5.7.
>   - A nasty bug reported by Dmitry Sivachenko can cause haproxy to die in
>     some rare cases when a monitoring system issues a lot of "show sess"
>     commands on the CLI and aborts them in the middle of a transfer. The
>     probability to hit it is so low that it has existed since v1.4 and was
>     only noticed now.
> 
>   - Cyril Bonté fixed a bug causing wrong flags to be sometimes reported
>     in the logs for keep-alive requests.
> 
>   - A bug where the PROXY protocol is used with a banner protocol causes
>     an extra 200ms delay for the request to leave, slowing down connection
>     establishment to SMTP or FTP servers. I think this won't change anything
>     for such users given that those connections are generally quite long.
> 
>   - Christian Ruppert found and fixed a bug in the way regex are compiled
>     when HAProxy is built with support for PCRE_JIT but the libpcre is built
>     without.
> 
>   - The way original connection addresses are detected on a system where
>     connections are NAT'd by Netfilter was fixed so that we wouldn't report
>     IPv4 destination addresses for v6-mapped v4 addresses. This used to
>     cause the PROXY protocol to emit "UNKNOWN" as the address families
>     differed for the source and destination!
> 
>   - John Leach reported an interesting bug in the way SSL certificates were
>     loaded: if a certificate with an invalid subject (no parsable CN) is
>     loaded as the first in the list, its context will not be updated with
>     the bind line arguments, resulting in such a certificate accepting SSLv3
>     despite the "no-sslv3" keyword. That was diagnosed and fixed by Emeric.
> 
>   - Emeric also implemented the global "ssl-default-bind-options" and
>     "ssl-default-server-options" keywords, and implemented "ssl_c_der" and
>     "ssl_f_der" to pass the full raw certificate to the server if needed.
>     I've backported them from 1.6-dev to 1.5 because I feel a general demand
>     for making SSL safe and easy to configure.
> 
> And that's all for this version! Nothing critical again, but we're just
> trying to keep a fast pace to eliminate each and every bug and try to react
> quickly to bug reports.
> 
> BTW I have a few patches pending for 1.4 and Cyril reminded me that we
> still have this awful http-send-name-header which is partially broken
> there and that we aren't absolutely sure how to definitely fix correctly
> without risking to break something else :-( There are features I wish
> I had never merged in certain versions :-/
> 
> Concerning 1.6, I'm still working on enumerating the changes needed to
> support HTTP/2. At the moment I'm working with two lists in parallel: the
> shortest path and the durable one. What's sad is that it seems they're very
> close to each other. But the good thing is that I think it should be doable
> for the 1.6 timeframe. Since that's only paper work and code review for
> now, it explains why there is very little activity on the code base for
> now. Let's hope it'll take off soon :-)
> 
> Here's the full changelog for 1.5.7:
> 
>     - BUG/MEDIUM: regex: fix pcre_study error handling
>     - BUG/MINOR: log: fix request flags when keep-alive is enabled
>     - MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER
>       formatted certs
>     - MINOR: ssl: add statement to force some ssl options in global.
>     - BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
>     - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
>     - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
>     - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
>     - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets
> 
> Usual URLs below:
>       Site index       : http://www.haproxy.org/
>       Sources          : http://www.haproxy.org/download/1.5/src/
>       Git repository   : http://git.haproxy.org/git/haproxy-1.5.git/
>       Git Web browsing : http://git.haproxy.org/?p=haproxy-1.5.git
>       Changelog        : http://www.haproxy.org/download/1.5/src/CHANGELOG
>       Cyril's HTML doc : http://cbonte.github.com/haproxy-dconv/configuration-1.5.html
> 
> Willy
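Since ssl_c_der hands the backend a DER blob while the request above is for PEM, here is an added Python example (not from this thread, not HAProxy code) that does the conversion on the backend side. It assumes the certificate is forwarded with a line such as `http-request set-header X-SSL-Client-Cert %[ssl_c_der,base64]` (the header name is an assumption), checks the outer DER envelope before trusting the value, and only then wraps it as PEM; the sample input is a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64
import textwrap

# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }, not a real
# certificate, encoded the way HAProxy delivers it after %[ssl_c_der,base64].
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode("ascii")
# Constructed malformed sample: SEQUENCE claiming 5 content bytes, only 1 present.
BAD_HEADER = "MAUB"


def der_outer_length(der: bytes) -> int:
    """Parse the outer SEQUENCE tag/length of a DER blob and return the total
    number of bytes it claims to occupy. Raises ValueError on a malformed
    header so callers fail closed instead of wrapping garbage as PEM."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE tag")
    first = der[1]
    if first < 0x80:                       # short form: length is the byte itself
        return 2 + first
    nbytes = first & 0x7F                  # long form: number of length bytes
    if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
        raise ValueError("invalid DER length encoding")
    length = int.from_bytes(der[2:2 + nbytes], "big")
    # DER requires minimal encoding: no leading zero byte, no long form < 0x80
    if length < 0x80 or der[2] == 0:
        raise ValueError("non-minimal DER length encoding")
    return 2 + nbytes + length


def header_der_to_pem(header_value: str) -> str:
    """Decode the base64 header value HAProxy emits for ssl_c_der, verify that
    the outer DER envelope matches the payload size, and re-encode as PEM."""
    der = base64.b64decode(header_value, validate=True)
    if der_outer_length(der) != len(der):
        raise ValueError("DER length does not match payload size")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print(header_der_to_pem(SAMPLE_HEADER))
```

A real certificate is several hundred bytes, so the PEM body will span many 64-character lines; the envelope check is deliberately shallow and leaves full X.509 parsing to the TLS library that consumes the PEM.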