Hi,

HAProxy 2.3.16 was released on 2021/11/24. It added 18 new commits after version 2.3.15.

As announced for the 2.4.9, this release contains fixes for hidden bugs recently exposed in the shutdown management at the conn-stream level. The closing of client connections could be delayed by the client timeout. In addition, because of a failed backport, also affecting the 2.2, H1 responses could be truncated. All these bugs were fixed.

The H2 multiplexer fix to drain data and be sure to send the GOAWAY frame was finally backported. It was erroneously announced for the 2.3.15. As a side effect, the caching of TLS sessions is now fixed for H2 connections. Still on the H2 multiplexer, an incomplete old fix for H2 partial frames was fixed. It caused some high CPU usage in h2_io_cb() on some rare occasions.

Issues reported about occasional crashes in the cache (#1284 and #1451) were fixed. A missing break statement was the explanation.

A bug with the "program" post-parser was fixed. It could be called with an empty programs list in case of a config parsing error on reload after another error, and could crash.

http-response rulesets evaluation was not aligned with what is said in the documentation. It was possible to inhibit the frontend rules evaluation with an "allow" rule in the backend section while it should instead only stop backend rules evaluation. This bug has existed since the beginning and only concerns the "allow" rule. It was fixed and http-after-response rulesets evaluation was also fixed in the same way.

William's fixes about SSL were backported. First, outgoing TLS connections involving SNI can now be resumed in TLS 1.3. Then, the right error is now reported during SSL handshake when a non-matching SNI is found with the strict-sni option enabled. An "unrecognized name" error is returned instead of "handshake failure". As a side effect, this fixes the TLS resume for non-matching SNI, rejecting the connections.

Thanks everyone for your help and your contributions!

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.3/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.3.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.3.git
   Changelog        : http://www.haproxy.org/download/2.3/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

---
Complete changelog :
Christopher Faulet (8):
      BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value
      DOC: config: Fix typo in ssl_fc_unique_id description
      BUG/MINOR: http-ana: Apply stop to the current section for http-response rules
      Revert "BUG/MINOR: http-ana: Don't eval front after-response rules if stopped on back"
      DOC: lua: Be explicit with the Reply object limits
      BUG/MEDIUM: conn-stream: Don't reset CS flags on close
      BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value
      BUG/MINOR: stick-table/cli: Check for invalid ipv6 key

William Lallemand (3):
      BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3
      BUG/MINOR: mworker: doesn't launch the program postparser
      BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found

Willy Tarreau (7):
      BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent
      MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close
      MINOR: mux-h2: perform a full cycle shutdown+drain on close
      BUG/MEDIUM: mux-h2: always process a pending shut read
      BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found
      BUG/MINOR: shctx: do not look for available blocks when the first one is enough
      MINOR: shctx: add a few BUG_ON() for consistency checks

--
Christopher Faulet
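
Added example, not part of the original announcement or of the HAProxy sources: a configuration of the shape affected by the http-response "allow" bug described above, useful for auditing setups where hardening headers are set in the frontend. The section names, addresses and header choices are constructed for illustration.

```haproxy
# Constructed example: hardening headers are added in the frontend,
# while the backend uses an "allow" rule to short-circuit its own ruleset.

frontend fe_web
    mode http
    bind :8080
    # Frontend response rules. For responses, HAProxy evaluates the backend
    # ruleset first and the frontend ruleset afterwards.
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    default_backend be_app

backend be_app
    mode http
    # "allow" stops rule evaluation for responses matching the condition.
    #
    # Before the fix: evaluation stopped for the frontend section as well,
    # so 200 responses left HAProxy without the two headers set in fe_web.
    #
    # After the fix (2.3.16): only the remaining rules of this backend
    # section are skipped (the del-header below); the fe_web rules still
    # run and the headers are present on every response.
    http-response allow if { status 200 }
    http-response del-header Server
    server app1 127.0.0.1:8000
```

On an unfixed version, a response that matches the backend "allow" condition comes back without the frontend headers, so comparing the headers of a matching and a non-matching response shows whether a deployment depends on the corrected behaviour.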