Thank you for clarification.


-------- Original Message --------
From: Adam Langley <>
Sent: 21 January 2019 00:12:59 CET
To: Aleksandar Lazic <>
CC:, Willy Tarreau <>,
Subject: Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

On Sun, Jan 20, 2019 at 3:04 PM Aleksandar Lazic <> wrote:
> which refers to 
> instead of the  suggested Patch?

The SSL_key_update function enqueues a KeyUpdate message to be sent.
The problem is that if a /client/ of HAProxy sends a KeyUpdate,
HAProxy thinks that it's a pre-TLS 1.3 renegotiation message and drops
the connection.

Thus the patch seeks to address that. HAProxy may also want to do
something like send a KeyUpdate for every x MBs of data sent, or y
minutes of time elapsed, but that would be a separate feature. (And
one needs to be a little cautious because OpenSSL 1.1.1 will only
accept 32 KeyUpdate messages per connection.)
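
One way to express the rekeying policy mentioned in the message above (a KeyUpdate every x MB or y minutes, capped at the 32 that OpenSSL 1.1.1 accepts), as an added example that is not part of the original email or of HAProxy's code. The names `ku_policy`, `ku_init` and `ku_on_send` are hypothetical, and the caller is assumed to pass a monotonic clock in seconds.

```c
#include <stdbool.h>
#include <stdint.h>

/* Per the message above: OpenSSL 1.1.1 accepts 32 KeyUpdates per connection. */
#define KU_PEER_LIMIT 32u

/* Hypothetical per-connection state for a TLS 1.3 sender. */
struct ku_policy {
    uint64_t max_bytes;    /* "x MBs": bytes allowed under one key */
    uint64_t max_age_s;    /* "y minutes": seconds one key may stay in use */
    unsigned budget;       /* KeyUpdates the peer is still expected to accept */
    uint64_t bytes_on_key; /* bytes sent since the last KeyUpdate */
    uint64_t key_start_s;  /* time the current sending key came into use */
};

void ku_init(struct ku_policy *p, uint64_t max_bytes, uint64_t max_age_s,
             uint64_t now_s)
{
    p->max_bytes = max_bytes;
    p->max_age_s = max_age_s;
    p->budget = KU_PEER_LIMIT;
    p->bytes_on_key = 0;
    p->key_start_s = now_s;
}

/*
 * Account for len bytes sent at time now_s. Returns true when the caller
 * should enqueue a KeyUpdate, e.g. with
 * SSL_key_update(ssl, SSL_KEY_UPDATE_NOT_REQUESTED) on OpenSSL 1.1.1.
 * Once the budget is spent it always returns false: a further KeyUpdate
 * would be rejected by an OpenSSL 1.1.1 peer, so the connection has to be
 * retired by other means instead of rekeyed.
 */
bool ku_on_send(struct ku_policy *p, uint64_t len, uint64_t now_s)
{
    /* Saturating add so the counter cannot wrap while the budget is empty. */
    if (len > UINT64_MAX - p->bytes_on_key)
        p->bytes_on_key = UINT64_MAX;
    else
        p->bytes_on_key += len;

    bool by_volume = p->bytes_on_key >= p->max_bytes;
    bool by_age = now_s >= p->key_start_s &&
                  now_s - p->key_start_s >= p->max_age_s;

    if ((!by_volume && !by_age) || p->budget == 0)
        return false;

    p->budget--;
    p->bytes_on_key = 0;
    p->key_start_s = now_s;
    return true;
}
```
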


