Thank you for clarification. Regard Aleks
-------- Ursprüngliche Nachricht -------- Von: Adam Langley <[email protected]> Gesendet: 21. Jänner 2019 00:12:59 MEZ An: Aleksandar Lazic <[email protected]> CC: [email protected], Willy Tarreau <[email protected]>, [email protected] Betreff: Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used. On Sun, Jan 20, 2019 at 3:04 PM Aleksandar Lazic <[email protected]> wrote: > which refers to > https://www.openssl.org/docs/manmaster/man3/SSL_key_update.html > > instead of the suggested Patch? The SSL_key_update function enqueues a KeyUpdate message to be sent. The problem is that if a /client/ of HAProxy sends a KeyUpdate, HAProxy thinks that it's a pre-TLS 1.3 renegotiation message and drops the connection. Thus the patch seeks to address that. HAProxy may also want to do something like send a KeyUpdate for every x MBs of data sent, or y minutes of time elapsed, but that would be a separate feature. (And one needs to be a little cautious because OpenSSL 1.1.1 will only accept 32 KeyUpdate messages per connection.) Cheers AGL

