HAProxy 3.0.1 was released on 2024/06/10. It added 23 new commits
after version 3.0.0.

This release fixed the usual bugs that we missed before emitting the 3.0.0.

The first one, in the H1 multiplexer, is pretty annoying. It was possible to
truncate the first 10 bytes of the first chunk of a chunk-encoded message
when the zero-copy data forwarding was in-use, resulting to a malformed
message. It was because of a double bug, a flag not properly set and a
reserved area not respected when data was copied.

The second one is a subtle bug about the zero-copy data forwarding when the
stats applet is requested in QUIC/H3. The response forwarding could be
blocked because, in QUIC, the Tx buffer may be almost full with already sent
data, waiting to be acknowledged. In that case, a blocked transfer is not
restarted because there is no sending event. To fix the issue, a consumer
can now choose to unblock the zero-copy data forwarding while the producer
request more room to proceed.

Some flags set on interim responses (100-Continue for instance) were still
considered when the final response was processed. It was an issue for the H2
multiplexer on frontend side that reported a protocol error for responses
with a payload. To fix the issue, we stop to explicitly state interim
responses are bodyless. It is the case by definition, no reason to set a

On SSL, an old hidden bug was fixed in the ClientHello callback function
responsible to select a certificate based on the signature algorithms and
the ciphers sent by the client. When a client was announcing both ECDSA and
RSA capabilities with ECDSA ciphers that were not available on HAProxy side
and RSA ciphers that were compatibles, the ECDSA certificate was erroneously
used, resulting in a "no shared cipher" error. To fix the issue, we now take
care at least one ECDSA cipher is available on both sides. Otherwise, we
properly fallback on the RSA certificate.

Still on SSL, but specifically with WolfSSL library, The ClientHello
callback function was not behaving correctly with TLSv1.2. In TLSv1.2, the
cipher is used to select the authentication algorithm (ECDSA or RSA). But
the client can send a signature algorithm. While in TLSv1.3, the
authentication is not part of the ciphersuites. It is selected using the
signature algorithm. The bug was that the signature algorithm in TLSv1.2 was
overwritting the auth that was selected using the ciphers.

William Manley fixed a 3.0 regression on the H1 multiplexer. The condition
to perform clean or dirty shutdowns was inverted. Thus connection was not
closed with a TCP reset when it was expected. In his case, this caused

Few minor bugs were fixed on QUIC. A incorrect computation was performed
when encoding a STREAM frame in a single packet leading to datagrams smaller
than expected, which is suboptimal for bandwidth. And extra latency could be
experienced when sending temporary errors (or even a complete freeze in the
worst scenario) because the sending function was not called if there was
nothing new to emit, preventing the Tx buffer to be purged until new frames
were finally available. Finally a theoretical crash was fixed because of a
null-deref on the idle timer task. It was only experienced using GDB to
interrupt HAProxy longer than the idle timeout. It is highly unlikely to
experience it on production.

Few minor bugs were also fixed on LUA. Some lua functions to report errors
were used at some places where a longjump was not expected. Our own
functions are now used.

When the "httpcheck send-state" option was disabled during the configuration
validity check, the corresponding flag was removed on the wrong
bitfield. Because of this bug, "srvtcpka" option was disabled instead. It is
a pretty old bug but both options being so minor, nobody ever faced it. It
is now fixed.

Finally, a possible null-deref was fixed in env_expand() function on
out-of-memory and an example about the use of crt-store load parameters in a
crt-list was added in the configuration manual.

Thanks to all very first tester of 3.0. The 3.0.0 was not so bad. However,
everyone who deployed the 3.0.0 are invited to upgrade to 3.0.1 to benefit
from the H1 multiplexer fixes.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.0/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.0.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.0.git
   Changelog        : https://www.haproxy.org/download/3.0/src/CHANGELOG
   Dataplane API    : 
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Complete changelog :
Amaury Denoyelle (3):
      BUG/MINOR: quic: prevent crash on qc_kill_conn()
      BUG/MINOR: quic: fix computed length of emitted STREAM frames
      BUG/MINOR: quic: ensure Tx buf is always purged

Aurelien DARRAGON (7):
      BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
      CLEANUP: hlua: use hlua_pusherror() where relevant
      BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
      BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage
      BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
      BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
      CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()

Christopher Faulet (6):
      BUG/MEDIUM: h1-htx: Don't state interim responses are bodyless
      MEDIUM: stconn: Be able to unblock zero-copy data forwarding from 
      BUG/MEDIUM: mux-quic: Unblock zero-copy forwarding if the txbuf can be 
      BUG/MEDIUM: mux-quic: Don't unblock zero-copy fwding if blocked during 
      BUG/MAJOR: mux-h1:  Properly copy chunked input data during zero-copy nego
      BUG/MINOR: mux-h1: Use the right variable to set NEGO_FF_FL_EXACT_SIZE 

William Lallemand (3):
      DOC: configuration: add an example for keywords from crt-store
      BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA 
      BUG/MEDIUM: ssl: bad auth selection with TLS1.2 and WolfSSL

William Manley (1):
      BUG/MEDIUM: stconn/mux-h1: Fix suspect change causing timeouts

Willy Tarreau (3):
      BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state 
      BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
      BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory

Christopher Faulet

Reply via email to