Hi,

HAProxy 2.3.16 was released on 2021/11/24. It added 18 new commits
after version 2.3.15.

As announced for the 2.4.9, this release contains fixes about hidden bugs
recently exposed about the shutdowns management at the conn-stream
level. The client connections close could be delayed by the client
timeout. In addition, because of a failed backport, affecting the 2.2 too,
H1 responses could be truncated. All these bugs was fixed.

The H2 multiplexer fix to drains data and be sure to send GOAWAY frame was
finally backported. It was erroneously announced for the 2.3.15. As side
effect, the caching of TLS sessions is now fixed for H2 connections. Still
on the H2 multiplexer, an incomplete old fix for H2 partial frames was
fixed. It caused some high CPU usages in h2_io_cb() on some rare occasions.

Issues reported about occasional crashed in the cache (#1284 and #1451) was
fixed. A missing break statement was the explanation.

A bug with the "program" post-parser was fixed. It could be called with an
empty programs list in case of a config parsing error on reload after
another error, and could crash.

http-response rulesets evaluation was not aligned with what is said in the
documentation. It was possible to inhibit the frontend rules evaluation with
an "allow" rule in the backend section while it should instead only stop
backend rules evaluation. This bug exists since the beginning and only
concerns the "allow" rule. It was fixed and http-after-response rulesets
evaluation was also fixed in the same way.

William's fixes about the SSL was backported. First, outgoing TLS
connections involving SNI can now be resumed in TLS 1.3. Then, the right
error is not reported during SSL handshake when a non-matching SNI is found
with the strict-sni option enabled. A "unrecognized name" error is returned
instead of "handshake failure". As a side effect, this fixes the TLS resume
for non-matching SNI, rejecting the connections.

Thanks everyone for your help and your contributions!

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.3/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.3.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.3.git
   Changelog        : http://www.haproxy.org/download/2.3/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/


---
Complete changelog :
Christopher Faulet (8):
      BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value
      DOC: config: Fix typo in ssl_fc_unique_id description
      BUG/MINOR: http-ana: Apply stop to the current section for http-response 
rules
      Revert "BUG/MINOR: http-ana: Don't eval front after-response rules if stopped 
on back"
      DOC: lua: Be explicit with the Reply object limits
      BUG/MEDIUM: conn-stream: Don't reset CS flags on close
      BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value
      BUG/MINOR: stick-table/cli: Check for invalid ipv6 key

William Lallemand (3):
      BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3
      BUG/MINOR: mworker: doesn't launch the program postparser
      BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found

Willy Tarreau (7):
      BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent
      MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close
      MINOR: mux-h2: perform a full cycle shutdown+drain on close
      BUG/MEDIUM: mux-h2: always process a pending shut read
      BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found
      BUG/MINOR: shctx: do not look for available blocks when the first one is 
enough
      MINOR: shctx: add a few BUG_ON() for consistency checks

--
Christopher Faulet

Reply via email to