Hi, HAProxy 3.3-dev3 was released on 2025/07/11. It added 80 new commits after version 3.3-dev2.
That's too many 3s in the release; the last time such a thing happened was with 2.2-dev2 five years ago, that's 50% inflation in 5 years. Anyway.

This version addresses a number of issues affecting the HTTP client in corner cases (handling of 1xx responses, responses received before the end of the body upload, etc.), and a small number of QUIC-related issues (backend, crashes and failures with OpenSSL 3.5, etc.). OpenSSL 3.5.1 is now required to properly use the native QUIC API in OpenSSL 3.5 (it changed between the two releases to address some API issues).

Regarding the non-bugfix stuff, I'm seeing it spread approximately like this:

- the jwt_verify() converter now supports taking a certificate instead of a public key, which makes it compatible with dynamic updates. For this, the CLI's "commit ssl cert" command now accepts certificates without a private key.

- dns-accept-family now defaults to "auto" as planned in 3.2, so that machines lacking IPv6 connectivity stop learning IPv6 addresses from the DNS by default. Of course the previous mode remains available ("ipv4,ipv6").

- stats: a new flag appears in "show stats typed", indicating whether the considered metric is volatile ("V"), thus specific to the process, or persistent ("P"), thus related to the service. This is in order to progress towards the ability to support persistent counters across reloads (stay calm, we're not there yet). For now only the types are indicated, that's all.

- the distro name is now collected during boot when available and placed into the postmortem struct for debugging. We'll also add it to panics with a few other pieces of information (haproxy version, kernel version) that should help figure out whether a reported crash happened as reported or differently (sometimes containers are playing with users' nerves, for example).

- as planned in the last announcement, a warning is now emitted if a mailers section is configured but not used, as it likely indicates an older, non-migrated setup.

- a counter of added/freed patterns (acl/map lines) is reported in the process' stats ("show info") in order to detect leaks that can be caused by scripts repeatedly uploading entries while improperly purging previous ones.

- TCP MD5 signatures are supported on listeners and servers. These can be needed for example if you plan to place haproxy between two BGP routers.

- more progress on the QUIC backend: automatic alpn is set, the TLS version is restricted to 1.3 only, improved :scheme handling in h3, and support for dynamic servers.

- the req_ssl* sample fetch parsers now all rely on the new generic function "smp_client_hello_parse()" that Mariam contributed a while ago and that was finally merged!

- DeviceAtlas: the build process was improved to support installation in custom locations, and some build hints were added in the doc.

- some build and CI updates (build-ssl detects and supports QuicTLS's cmake build system, CI now builds with QUIC on OpenSSL 3.5, ubuntu-24 was added to the CI, improved coverity scan via DEBUG_STRICT=2), and as usual some regtests.

Also, those running reg-tests will need to update to the latest vtest2 (the instructions in the README under reg-tests are up-to-date). Commit dc46782efa from July 4th works fine for me and addresses the QUIC failures I was facing with an earlier version.
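As an added illustration of the jwt_verify change above (this is not a configuration from the announcement or from the HAProxy sources), here is a frontend verifying bearer tokens against the issuer's X.509 certificate rather than a bare public key, followed by the CLI sequence that lets the certificate be rotated without a reload. The paths /etc/haproxy/jwt-issuer.crt, /etc/haproxy/site.pem and /var/run/haproxy.sock are assumed placeholders; the converter and CLI syntax follows the existing jwt_verify and "set ssl cert" / "commit ssl cert" documentation.

```haproxy
# Assumed: /etc/haproxy/jwt-issuer.crt holds the token issuer's certificate
# (no private key), /var/run/haproxy.sock is the admin-level stats socket.
global
    stats socket /var/run/haproxy.sock mode 600 level admin

frontend api
    bind :443 ssl crt /etc/haproxy/site.pem

    # Extract the bearer token and the algorithm its header claims
    http-request set-var(txn.bearer)  http_auth_bearer
    http-request set-var(txn.jwt_alg) var(txn.bearer),jwt_header_query('$.alg')

    # Pin the expected algorithm first: never let the token choose it
    http-request deny unless { var(txn.jwt_alg) -m str "RS256" }

    # Verify the signature against the issuer's certificate (a certificate,
    # not a public key, is what 3.3-dev3 newly accepts here).
    # jwt_verify yields 1 only for a valid signature; anything else is denied.
    http-request deny unless { var(txn.bearer),jwt_verify(txn.jwt_alg,"/etc/haproxy/jwt-issuer.crt") -m int 1 }

    # Reject expired tokens: "exp" claim minus current time must be positive
    http-request set-var(txn.now)     date
    http-request set-var(txn.jwt_exp) var(txn.bearer),jwt_payload_query('$.exp','int')
    http-request deny unless { var(txn.jwt_exp),sub(txn.now) -m int gt 0 }

    default_backend app

backend app
    server s1 127.0.0.1:8080

# Rotating the issuer certificate at runtime, over the stats socket.
# Because the file referenced by jwt_verify is a certificate, it can be
# replaced with the standard two-step update; the announcement notes that
# "commit ssl cert" now accepts a certificate with no private key:
#
#   set ssl cert /etc/haproxy/jwt-issuer.crt <<
#   -----BEGIN CERTIFICATE-----
#   ... new issuer certificate PEM ...
#   -----END CERTIFICATE-----
#
#   commit ssl cert /etc/haproxy/jwt-issuer.crt
#
# e.g. from a shell:
#   echo -e "set ssl cert /etc/haproxy/jwt-issuer.crt <<\n$(cat new-issuer.crt)\n" \
#       | socat stdio /var/run/haproxy.sock
#   echo "commit ssl cert /etc/haproxy/jwt-issuer.crt" | socat stdio /var/run/haproxy.sock
```

Tokens signed by the old issuer key stop verifying as soon as the commit takes effect, so rotate the certificate only once the issuer has actually switched keys.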
Please find the usual URLs below:
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.3/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.3/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :

Amaury Denoyelle (3):
      MINOR: cfgparse: enforce QUIC MUX compat on server line
      MINOR: server: support QUIC for dynamic servers
      BUG/MINOR: h3: fix https scheme request encoding for BE side

Aurelien DARRAGON (9):
      MEDIUM: sink: change the sink mode type to PR_MODE_SYSLOG
      MEDIUM: server: move _srv_check_proxy_mode() checks from server init to finalize
      MINOR: server: move send-proxy* incompatibility check in _srv_check_proxy_mode()
      MINOR: mailers: warn if mailers are configured but not actually used
      BUG/MEDIUM: counters/server: fix server and proxy last_change mixup
      MEDIUM: server: add and use a separate last_change variable for internal use
      MEDIUM: proxy: add and use a separate last_change variable for internal use
      MINOR: counters: rename last_change counter to last_state_change
      MEDIUM: stats: add persistent state to typed output format

Christopher Faulet (18):
      BUG/MEDIUM: hlua: Forbid any L6/L7 sample fetche functions from lua services
      BUG/MEDIUM: mux-h2: Properly handle connection error during preface sending
      MINOR: proto-tcp: Add support for TCP MD5 signature for listeners and servers
      BUILD: cfgparse-tcp: Add _GNU_SOURCE for TCP_MD5SIG_MAXKEYLEN
      BUG/MINOR: proto-tcp: Take care to initialized tcp_md5sig structure
      BUG/MINOR: http-act: Fix parsing of the expression argument for pause action
      MINOR: proto-tcp: Register a feature to report TCP MD5 signature support
      BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was xferred
      BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred
      BUG/MEDIUM: http-client: Ask for more room when request data cannot be xferred
      BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX buffer
      BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode
      BUG/MINOR: http-client: Reject any 101-switching-protocols response
      BUG/MEDIUM: http-client: Drain the request if an early response is received
      BUG/MEDIUM: http-client: Notify applet has more data to deliver until the EOM
      MINOR: h1-htx: Add function to format an HTX message in its H1 representation
      BUG/MINOR: mux-h1: Use configured error files if possible for early H1 errors
      BUG/MINOR: h1-htx: Don't forget to init flags in h1_format_htx_msg function

David Carlier (2):
      BUILD/MEDIUM: deviceatlas: fix when installed in custom locations.
      DOC: deviceatlas build clarifications

Frederic Lecaille (11):
      BUG/MINOR: quic-be: Wrong retry_source_connection_id check
      BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5
      BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits (OpenSSL 3.5 QUIC API)
      BUG/MINOR: quic-be: Malformed coalesced Initial packets
      MINOR: quic: Prevent QUIC backend use with the OpenSSL QUIC compatibility module (USE_OPENSS_COMPAT)
      MINOR: reg-tests: first QUIC+H3 reg tests (QUIC address validation)
      MINOR: quic-be: Set the backend alpn if not set by conf
      MINOR: quic-be: TLS version restriction to 1.3
      MINOR: quic: Prevent QUIC build with OpenSSL 3.5 new QUIC API version < 3.5.1
      BUG/MEDIUM: quic: Crash after QUIC server callbacks restoration (OpenSSL 3.5)
      REGTESTS: use two haproxy instances to distinguish the QUIC traces

Ilia Shipitsin (4):
      CI: set DEBUG_STRICT=2 for coverity scan
      CI: enable USE_QUIC=1 for OpenSSL versions >= 3.5.0
      CLEANUP: assorted typo fixes in the code, commits and doc
      BUILD: adjust scripts/build-ssl.sh to modern CMake system of QuicTLS

Mariam John (1):
      MINOR: ssl: Introduce new smp_client_hello_parse() function

Remi Tricot-Le Breton (11):
      BUG/MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter
      DOC: Fix 'jwt_verify' converter doc
      MINOR: jwt: Rename pkey to pubkey in jwt_cert_tree_entry struct
      MINOR: jwt: Remove unused parameter in convert_ecdsa_sig
      MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter
      MINOR: ssl: Allow 'commit ssl cert' with no privkey
      MINOR: ssl: Prevent delete on certificate used by jwt_verify
      REGTESTS: jwt: Add test with actual certificate passed to jwt_verify
      REGTESTS: jwt: Test update of certificate used in jwt_verify
      DOC: 'jwt_verify' converter now supports certificates
      CLEANUP: ssl: Rename ssl_trace-t.h to ssl_trace.h

Valentine Krasnobaeva (1):
      MINOR: debug: add distro name and version in postmortem

William Lallemand (13):
      MINOR: ssl: check TLS1.3 ciphersuites again in clienthello with recent AWS-LC
      BUG/MINOR: httpclient: wrongly named httpproxy flag
      MINOR: ssl/ocsp: stop using the flags from the httpclient CLI
      MEDIUM: httpclient: split the CLI from the actual httpclient API
      MEDIUM: httpclient: implement a way to use directly htx data
      MINOR: httpclient/cli: add --htx option
      BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections
      BUG/MINOR: ssl/ocsp: fix definition discrepancies with ocsp_update_init()
      MEDIUM: httpclient: add a Content-Length when the payload is known
      CI: github: add an OpenSSL 3.5.0 job
      CI: github: update the stable CI to ubuntu-24.04
      CI: github: update to OpenSSL 3.5.1
      CI: github: skip a ssl library version when latest is already in the list

Willy Tarreau (7):
      REGTESTS: restrict execution to a single thread group
      BUILD: dev/phash: remove the accidentally committed a.out file
      MINOR: pattern: add a counter of added/freed patterns
      MEDIUM: resolvers: switch dns-accept-family to "auto" by default
      BUG/MINOR: resolvers: don't lower the case of binary DNS format
      MINOR: resolvers: do not duplicate the hostname_dn field
      BUG/MINOR: listener: really assign distinct IDs to shards

---