Hi,

HAProxy 3.4-dev1 was released on 2025/12/10. It added 71 new commits after version 3.4-dev0.

As usual after a release, a significant number of patches here concern minor to medium fixes, most of which will be backported. So far nothing critical but a few bugs were found to cause crashes in certain situations so we won't wait too long before issuing a 3.3. Among them an issue with the choice of SSL session that doesn't properly consider the SNI, another one regarding the choice of ALPN for check connections, some QUIC backend fixes, a possible crash in HTTP/3, an old bug from 2012 causing tunnelled streams closed by the server to be closed on both sides at once and logging an error, empty args again in the config file (this time they would trigger the error in disabled blocks via .if/.else), and a small issue in the jwt_verify converter.

The rest of the changes are pretty minor:

  - the "quic-cc-algo" server directive allows to choose the congestion control algorithm for outgoing QUIC connections ;

  - the "show proc" master-CLI command is no longer limited by the output buffer size and will now be able to list many processes.

  - rework and unification of some SSL reg tests between SSL and QUIC: these regtests are now written for a given combination of SSL version and features, and are included from top-level reg test definitions for either SSL/TCP or QUIC, allowing to significantly increase the QUIC test coverage.

  - simplified alignment declarations in structures all over the code where relevant.

  - doc fixes and updates

  - a few more debugging traces.

It should be pretty close to what 3.3.1 will be, so that's another reason for testing it now and reporting any remaining issue!

Please find the usual URLs below :

   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy

---
Complete changelog :

Amaury Denoyelle (6):
      Revert "MINOR: quic: use dynamic cc_algo on bind_conf"
      MINOR: quic: define quic_cc_algo as const
      MINOR: quic: extract cc-algo parsing in a dedicated function
      MINOR: quic: implement cc-algo server keyword
      BUG/MEDIUM: h3: do not access QCS <sd> if not allocated
      BUG/MEDIUM: h3: fix access to QCS <sd> definitely

Christopher Faulet (13):
      BUG/MINOR: ssl: Don't allow to set NULL sni
      MEDIUM: quic: Add connection as argument when qc_new_conn() is called
      MINOR: ssl: Add a function to hash SNIs
      MINOR: ssl: Store hash of the SNI for cached TLS sessions
      MINOR: ssl: Compare hashes instead of SNIs when a session is cached
      MINOR: connection/ssl: Store the SNI hash value in the connection itself
      MEDIUM: tcpcheck/backend: Get the connection SNI before initializing SSL ctx
      BUG/MEDIUM: ssl: Don't reuse TLS session if the connection's SNI differs
      MEDIUM: ssl/server: No longer store the SNI of cached TLS sessions
      BUG/MINOR: log: Dump good %B and %U values in logs
      BUG/MEDIUM: http-ana: Don't close server connection on read0 in TUNNEL mode
      DOC: config: Fix description of the spop mode
      DOC: config: Improve spop mode documentation

Frederic Lecaille (34):
      BUG/MINOR: quic-be: Missing keywords array NULL termination
      BUG/MINOR: quic/ssl: crash in ClientHello callback ssl traces
      BUG/MINOR: quic-be: handshake errors without connection stream closure
      MINOR: quic: Add useful debugging traces in qc_idle_timer_do_rearm()
      REGTESTS: ssl: Move all the SSL certificates, keys, crt-lists inside "certs" directory
      REGTESTS: quic/ssl: ssl/del_ssl_crt-list.vtc supported by QUIC
      REGTESTS: quic: dynamic_server_ssl.vtc supported by QUIC
      REGTESTS: quic: issuers_chain_path.vtc supported by QUIC
      REGTESTS: quic: new_del_ssl_cafile.vtc supported by QUIC
      REGTESTS: quic: ocsp_auto_update.vtc supported by QUIC
      REGTESTS: quic: set_ssl_bug_2265.vtc supported by QUIC
      MINOR: quic: avoid code duplication in TLS alert callback
      BUG/MINOR: quic-be: missing connection stream closure upon TLS alert to send
      REGTESTS: quic: set_ssl_cafile.vtc supported by QUIC
      REGTESTS: quic: set_ssl_cert_noext.vtc supported by QUIC
      REGTESTS: quic: set_ssl_cert.vtc supported by QUIC
      REGTESTS: quic: set_ssl_crlfile.vtc supported by QUIC
      REGTESTS: quic: set_ssl_server_cert.vtc supported by QUIC
      REGTESTS: quic: show_ssl_ocspresponse.vtc supported by QUIC
      REGTESTS: quic: ssl_client_auth.vtc supported by QUIC
      REGTESTS: quic: ssl_client_samples.vtc supported by QUIC
      REGTESTS: quic: ssl_default_server.vtc supported by QUIC
      REGTESTS: quic: new_del_ssl_crlfile.vtc supported by QUIC
      REGTESTS: quic: ssl_frontend_samples.vtc supported by QUIC
      REGTESTS: quic: ssl_server_samples.vtc supported by QUIC
      REGTESTS: quic: ssl_simple_crt-list.vtc supported by QUIC
      REGTESTS: quic: ssl_sni_auto.vtc code provision for QUIC
      REGTESTS: quic: ssl_curve_name.vtc supported by QUIC
      REGTESTS: quic: add_ssl_crt-list.vtc supported by QUIC
      REGTESTS: add ssl_ciphersuites.vtc (TCP & QUIC)
      BUG/MINOR: quic: do not set first the default QUIC curves
      REGTESTS: quic/ssl: Add ssl_curves_selection.vtc
      MINOR: ssl: Split ssl_crt-list_filters.vtc in two files by TLS version
      REGTESTS: quic: tls13_ssl_crt-list_filters.vtc supported by QUIC

Maxime Henrion (3):
      CLEANUP: improvements to the alignment macros
      CLEANUP: use the automatic alignment feature
      CLEANUP: more conversions and cleanups for alignment

Olivier Houchard (4):
      BUG/MEDIUM: ssl: Always check the ALPN after handshake
      MINOR: connections: Add a new CO_FL_SSL_NO_CACHED_INFO flag
      BUG/MEDIUM: ssl: Don't store the ALPN for check connections
      BUG/MEDIUM: ssl: Don't resume session for check connections

Remi Tricot-Le Breton (1):
      BUG/MINOR: jwt: Missing "case" in switch statement

William Lallemand (5):
      DOC: configuration: ECH support details
      REGTESTS: ssl enable tls12_reuse.vtc for AWS-LC
      REGTESTS: ssl: split tls*_reuse in stateless and stateful resume tests
      CLEANUP: mworker/cli: remove useless variable
      BUG/MINOR: mworker/cli: 'show proc' is limited by buffer size

Willy Tarreau (5):
      BUG/MEDIUM: connection: fix "bc_settings_streams_limit" typo
      BUG/MEDIUM: config: ignore empty args in skipped blocks
      DOC: config: mention clearer that the cache's total-max-size is mandatory
      DOC: config: reorder the cache section's keywords
      MINOR: h2/trace: emit a trace of the received RST_STREAM type

---

