On Wed, 23 Jan 2019 at 09:52, Willy Tarreau <[email protected]> wrote:
>
> On Wed, Jan 23, 2019 at 12:07:04AM -0800, Dirkjan Bussink wrote:
> > Of course, you're right. New version of the patch attached!
>
> Now merged, thank you!

It's obvious, but because the commit message doesn't explicitly mention it:
This must be backported to 1.8.

Also, we need a big fat warning that all TLSv1.3 users must upgrade in
the next 1.8 and 1.9 stable version announcement containing this fix.


I have filed a tracking bug for this, which can be closed when backported:
https://github.com/haproxy/haproxy/issues/24

Closed or not, the tracking bug makes this easier to find.


> I tested all my servers and I've noticed that nginx is broken too. I
> am running nginx 1.14.2 with OpenSSL 1.1.1a. The nginx source contains
> exactly the same function as haproxy:
> https://trac.nginx.org/nginx/browser/nginx/src/event/ngx_event_openssl.c?rev=ebf8c9686b8ce7428f975d8a567935ea3722da70#L850
>
> However, it seems that it might have been fixed in 1.15.2 by this commit:
> https://trac.nginx.org/nginx/changeset/e3ba4026c02d2c1810fd6f2cecf499fc39dde5ee/nginx/src/event/ngx_event_openssl.c

Thanks for this. It's actually nginx 1.15.4 (September 2018) where
this commit is present.

Are nginx folks aware of the problem? It would probably be wise for
them to backport the fix to their 1.14 tree ...


> And just for reference, I've found Chrome bug with this problem (as I
> am interested when this will get enabled to keep all my systems
> updated) https://bugs.chromium.org/p/chromium/issues/detail?id=923685

Thanks, will subscribe to this bug also.


Regards,
Lukas
