Hi William, thanks again for the PoC you referenced in the GitHub issue. This would solve the use case for us and would fix the ca-cert editing / updating feature introduced in HAProxy 2.5.
Can we support further with the development, be it with code or testing, to get from this PoC to a full fix in one of the next release streams?

Thanks and kind regards,
Alex

On 29. Jul 2022, at 14:16, William Lallemand <[email protected]> wrote:

> On Tue, Jul 26, 2022 at 03:04:41PM +0000, Lais, Alexander wrote:
>> Dear all,
>>
>> We are now using the new feature of adding CA files dynamically via the stats / admin socket.
>> Assuming that the CA file does not exist yet, our understanding is that we:
>>
>> 1. Create a CA file (new ssl ca-file customer-cas.pem)
>> 2. Set the content of the CA file with payload notation: "set ssl ca-file customer-cas.pem <<\n[a bunch of PEM blocks]\n"
>> 3. Commit the CA file (commit ssl ca-file customer-cas.pem)
>>
>> In step 2 we are reaching the limit of the global buffer size (defined via tune.bufsize, ours is tuned to ca. 71k, allowing for a comfortable 64k of headers). Some of the CA files that we want to add are larger than this buffer and are not properly processed by the CLI.
>>
>> It is understandable that the CLI socket needs some buffer and that this buffer is limited. That said, reading the CA file data from disk does not pose any (perceivable) size limit.
>>
>> We recently implemented a dynamic update to avoid having to reload the HAProxy process whenever there was a change, and ran into this issue.
>>
>> We've added a feature request on GitHub: https://github.com/haproxy/haproxy/issues/1805
>>
>> This e-mail is to ask whether maybe we have overlooked something in terms of configuration possibilities, either for the socket or on how to use the CLI for creating ca-files?
>
> You are indeed reaching a limitation of the current system, I'll reply directly on your feature request.
>
> Thanks,
>
> --
> William Lallemand
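The new / set / commit sequence from the quoted message, as an added shell example that is not part of this thread and not HAProxy's own tooling. It builds the `set ssl ca-file ... <<` payload the way the CLI expects it (command line, PEM text, empty-line terminator) and measures it against `tune.bufsize` before sending anything, so a bundle that cannot fit is rejected up front instead of being silently mangled by the CLI. The socket path, the use of `socat`, and the default bufsize value are assumptions; `new`, `set`, `commit` and `show ssl ca-file` are the commands named in the thread and in the HAProxy 2.5 management documentation.

```shell
#!/bin/sh
# Added example (not from the thread): load a CA bundle through the HAProxy
# stats/admin CLI with new -> set -> commit, refusing when the payload would
# exceed tune.bufsize. Socket path, socat, and the bufsize value are assumed.
set -eu

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy/admin.sock}"   # assumed path
TUNE_BUFSIZE="${TUNE_BUFSIZE:-71680}"                           # assumed; set to your global tune.bufsize

# Send one single-line CLI command and print the reply.
haproxy_cli() {
    printf '%s\n' "$1" | socat stdio "unix-connect:$HAPROXY_SOCK"
}

# Emit the payload-mode command: "set ssl ca-file <name> <<", every PEM line
# with a guaranteed trailing newline (awk normalises a missing final newline),
# then the empty line that terminates a "<<" payload on the CLI.
build_set_payload() {
    name="$1"; pem="$2"
    printf 'set ssl ca-file %s <<\n' "$name"
    awk '1' "$pem"
    printf '\n'
}

# Return 0 when the whole payload (command + PEM + terminator) is smaller than
# the given bufsize, else 1. The CLI parses the payload from one buffer of
# tune.bufsize bytes, so a larger payload is not processed correctly.
payload_fits() {
    name="$1"; pem="$2"; bufsize="$3"
    size=$(build_set_payload "$name" "$pem" | wc -c | tr -d ' ')
    [ "$size" -lt "$bufsize" ]
}

# Number of certificate blocks in a bundle, for the post-commit sanity check.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Full procedure: create the (not yet existing) ca-file, set its content,
# commit the transaction, then list what HAProxy actually loaded.
load_ca_file() {
    name="$1"; pem="$2"
    if ! payload_fits "$name" "$pem" "$TUNE_BUFSIZE"; then
        echo "refusing: $pem (+command) does not fit in tune.bufsize=$TUNE_BUFSIZE;" \
             "split the bundle or raise tune.bufsize" >&2
        return 1
    fi
    haproxy_cli "new ssl ca-file $name"
    build_set_payload "$name" "$pem" | socat stdio "unix-connect:$HAPROXY_SOCK"
    haproxy_cli "commit ssl ca-file $name"
    echo "expected $(pem_cert_count "$pem") certificate(s); HAProxy reports:"
    haproxy_cli "show ssl ca-file $name"
}

# Usage: ./load-ca.sh load customer-cas.pem /path/to/bundle.pem
if [ "${1:-}" = "load" ]; then
    load_ca_file "$2" "$3"
fi
```

The size check is the practical caveat: the limit applies to the whole CLI request, not just the PEM bytes, so the command line and terminator are counted too. Comparing the certificate count in the bundle with the `show ssl ca-file` output after the commit catches a payload that was truncated rather than rejected.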

