Hi,

HAProxy 2.4.10 was released on 2021/12/23. It added 19 new commits
after version 2.4.9.

We've been digging with Tim, William and Christopher on a rather strange
looking issue that affects most users of SSL+SNI on servers and which by
itself deserves a fix. This issue stems from an old harmless bug that was
fixed during 2.5 but woken up by a recent fix for SNI in TLSv1.3. When a
server-side idle connection is reused, the configured SNI was set again
on the connection and that had the undesired side effect of resetting the
session's context, resulting in garbage being sent to the server, and the
request not being decipherable and the connection being reset, with the
error being propagated to the client side. This is what was causing some
RST_STREAM errors that some have noticed in their browsers. While this is
particularly annoying, among the garbage observed on the wire, we've even
noticed some clear text requests (as if openssl was using a NULL cipher),
which is sufficiently serious to deserve a quick fix.

The analysis indicates that 2.3 has the same issue, so a fix is warranted
there, but upgrading to 2.4.10 will fix it as well and I do not expect to
see that many 2.3 users anymore since it dies in a few months. Alternately
a temporary rollback to 2.3.15 would suffice. For 2.2 we're not certain,
but a recent issue report might indicate similar symptoms. However the fix
is not trivial to backport there so another option might be to revert the
aforementioned fix for now (which is currently under investigation).

2.5 and above are not affected.

Among the other relevant issues fixed in this version, here's what comes
to my mind:
  - using multiple log-forward sections would crash after parsing the
    config, that's now fixed.

  - possible crash on master CLI when trying to enter an old pid when
    in prompt mode

  - yet another risk of crash on resolvers was fixed, this time when
    getting a response error, because some invalid elements could be
    left in the list.

  - a possible crash when adding a server on the CLI with a custom ID
    because the key was not properly initialized.

  - some server-side SSL settings could be lost when using more than
    one default-server directive. Note: according to issue #1488
    (https://github.com/haproxy/haproxy/issues/1488) it seems that this
    fix is still not sufficient, but I don't know more at this point;
    it's already difficult to circle between bugs, it's even harder in
    this period to collect all info about previously validated fixes,
    so those suffering from this are invited to stay tuned.

  - a workaround for a possibly slow malloc_trim() in modern libcs upon
    reload when using many threads, that could be slow enough to panic
    the old process.

  - a few build fixes and doc fixes.

Please note that these are only the previously pending fixes with the last
ones merged. The period isn't great to deliver fixes, there's no emergency
but at least those who will have a quieter time next week might prefer to
use that time to apply fixes. As usual I'm definitely not encouraging anyone
to deploy on a Friday afternoon, especially this one. If you're not using
"sni" on your server lines, better wait for some quieter time or for next
release.
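The triage described above ("are we running a version that needs this fix, and do our server lines actually use sni?") as an added example; this is not part of the announcement nor HAProxy's own code. The sample config is constructed, and the version classification is my reading of the mail (2.5+ unaffected, 2.4 fixed in 2.4.10, 2.3 newer than 2.3.15 affected, 2.2 uncertain).

```python
import re
from typing import List, Tuple

# Constructed sample config: one server line sets "sni", the others do not.
SAMPLE_CFG = """
defaults
    mode http

backend be_api
    default-server ssl verify none check-sni static.example.internal
    server api1 10.0.0.1:443 sni str(api.example.internal)
    server api2 10.0.0.2:443
"""

# Match "server"/"default-server" lines carrying a bare "sni <expr>" keyword.
# The lookbehind keeps "check-sni" (a different keyword) from matching.
SNI_RE = re.compile(r"^\s*(?:default-)?server\s+.*(?<![\w-])sni\s+\S+")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")  # tolerates "2.4.10-1~distro"


def servers_using_sni(cfg_text: str) -> List[str]:
    """Return the server/default-server lines that set an SNI for outgoing TLS."""
    return [ln.strip() for ln in cfg_text.splitlines() if SNI_RE.match(ln)]


def parse_version(version: str) -> Tuple[int, int, int]:
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable HAProxy version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def sni_reuse_status(version: str) -> str:
    """Classify a version against the SNI-on-reused-connection bug (assumption: ranges read from the mail)."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= (2, 5):
        return "not affected"
    if (major, minor) == (2, 4):
        return "fixed" if patch >= 10 else "upgrade to 2.4.10"
    if (major, minor) == (2, 3):
        return "affected: roll back to 2.3.15 or move to 2.4.10" if patch > 15 else "not affected"
    if (major, minor) == (2, 2):
        return "uncertain: under investigation"
    return "not covered by the announcement"


def assess(cfg_text: str, version: str) -> str:
    """Combine both checks: no sni on server lines means the bug cannot trigger."""
    hits = servers_using_sni(cfg_text)
    if not hits:
        return "no sni on server lines: not exposed"
    return f"{len(hits)} server line(s) use sni: {sni_reuse_status(version)}"
```

Run it against `haproxy -vv` output and the live config rather than the constructed sample; the regex only looks at the config text, so sni set through a default-server line is counted once for that line, not per server.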

There are still a number of annoying issues under investigation for 2.4:
  - https://github.com/haproxy/haproxy/issues/1488
    double-free issue with SSL and default-server

  - https://github.com/haproxy/haproxy/issues/1499
    newly reported possible memory leak (not validated yet)

  - https://github.com/haproxy/haproxy/issues/1494
    crash of 2.4.9 in the SSL stack, still not understood. Trace
    under analysis.

  - https://github.com/haproxy/haproxy/issues/1498
    an interoperability issue with nghttp client when forcing a headers
    table size to zero. This is currently being discussed within the HTTP
    working group as it looks like there are two possible interpretations
    of the spec, and that most servers implement it similar to haproxy
    (and fail with nghttp). No emergency since the failure only happens
    when forcing the parameter.

When everyone is back to work at full speed, I have good hopes that all
of these will be quickly addressed and that we'll be able to emit another
2.4 with these issues fixed.

I don't intend to produce new 2.5, 2.3 nor 2.2 right now, as I just think
that nothing indicates any of these are legitimately needed, but I may
adjust my mind depending on requests.

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.4/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : http://www.haproxy.org/download/2.4/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (3):
      BUILD/MINOR: server: fix compilation without SSL
      BUG/MINOR: backend: do not set sni on connection reuse
      BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose

Christopher Faulet (8):
      BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
      BUG/MINOR: server: Don't rely on last default-server to init server SSL context
      BUG/MEDIUM: resolvers: Detach query item on response error
      MINOR: mux-h1: Improve H1 traces by adding info about http parsers
      BUILD: bug: Fix error when compiling with -DDEBUG_STRICT_NOCRASH
      BUG/MINOR: cli/server: Don't crash when a server is added with a custom id
      DOC: spoe: Clarify use of the event directive in spoe-message section
      DOC: config: Specify %Ta is only available in HTTP mode

Emeric Brun (1):
      BUG/MAJOR: segfault using multiple log forward sections.

Lukas Tribus (1):
      DOC: config: retry-on list is space-delimited

William Lallemand (2):
      MINOR: cli: "show version" displays the current process version
      BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode

Willy Tarreau (4):
      CI: Github Actions: temporarily disable BoringSSL builds
      BUILD: tree-wide: avoid warnings caused by redundant checks of obj_types
      IMPORT: slz: use the correct CRC32 instruction when running in 32-bit mode
      MINOR: pools: work around possibly slow malloc_trim() during gc
