Hi. I just wanted to report that we encountered an issue with certificate generation (generate-certificates option) for hostnames longer than 64 characters. When generating a certificate for such a hostname with the AWS-LC library, haproxy crashes with a segmentation fault as shown below in the backtrace. This may be connected to the Common Name length limit, which is 64 characters.
Fortunately hostnames in the SAN section do not have this limitation. Maybe for longer hostnames it's a good idea to put some generic hostname in CN and the desired one in the SAN section. Please let me know if you need any additional information from our side.

Regards
Przemek

GDB backtrace (details about the HAProxy installation are below the backtrace):

root@hap-rnd-1a:/var/lib/haproxy# gdb /usr/sbin/haproxy core.haproxy.3069061.1767965391
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04.2) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/haproxy...
Reading symbols from /usr/lib/debug/.build-id/6f/2876252e93c1a4c4505814515d851660ec0b90.debug...
warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 3069405]
[New LWP 3069061]
[New LWP 3069404]
[New LWP 3069406]
[New LWP 3069408]
[New LWP 3069403]
[New LWP 3069407]
[New LWP 3069409]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 30'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f7479af97a3 in SSL_set_SSL_CTX () from /usr/lib/haproxy/awslc_v1.58.1/lib/libssl.so
[Current thread is 1 (Thread 0x7f73deea5640 (LWP 3069405))]
(gdb) bt
#0  0x00007f7479af97a3 in SSL_set_SSL_CTX () from /usr/lib/haproxy/awslc_v1.58.1/lib/libssl.so
#1  0x000055809203a615 in ssl_sock_generate_certificate (servername=0x7f73d40f5840 "dsfadsfdssdfgsfdgsdfgsdfrargsdfgsdffdsgdsfgsdf.przemek.test.local", bind_conf=0x5580f60402c0, ssl=ssl@entry=0x7f73d4108848) at src/ssl_gencert.c:357
#2  0x000055809203dcb2 in ssl_sock_switchctx_cbk (ctx=<optimized out>) at src/ssl_clienthello.c:438
#3  0x00007f7479ae14c6 in bssl::ssl_server_handshake(bssl::SSL_HANDSHAKE*) () from /usr/lib/haproxy/awslc_v1.58.1/lib/libssl.so
#4  0x00007f7479adb828 in bssl::ssl_run_handshake(bssl::SSL_HANDSHAKE*, bool*) () from /usr/lib/haproxy/awslc_v1.58.1/lib/libssl.so
#5  0x00007f7479afa67a in SSL_do_handshake () from /usr/lib/haproxy/awslc_v1.58.1/lib/libssl.so
#6  0x0000558092012669 in ssl_sock_handshake (flag=134217728, conn=<optimized out>) at src/ssl_sock.c:5425
#7  ssl_sock_io_cb (t=0x7f73d41025d0, context=0x7f73d4102a70, state=<optimized out>) at src/ssl_sock.c:5795
#8  0x00005580922c8aa8 in run_tasks_from_lists (budgets=budgets@entry=0x7f73dee99ee0) at src/task.c:648
#9  0x00005580922c92af in process_runnable_tasks () at src/task.c:889
#10 0x0000558092238472 in run_poll_loop () at src/haproxy.c:2851
#11 0x0000558092238b29 in run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:3067
#12 0x00007f747937eac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#13 0x00007f74794108c0 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
(gdb)

More details about our HAProxy installation:

root@hap-rnd:/var/lib/haproxy# haproxy -vv
HAProxy version 3.2.4-98813a1 2025/08/13 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2030.
Known bugs: http://www.haproxy.org/bugs/bugs-3.2.4.html
Running on: Linux 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64
Build options :
  TARGET  = linux-glibc
  CC      = cc
  CFLAGS  = -O2 -g -fwrapv -DMAX_SESS_STKCTR=12
  OPTIONS = USE_OPENSSL_AWSLC=1 USE_LUA=1 USE_QUIC=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1
  DEBUG   =

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL +OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC -QUIC_OPENSSL_COMPAT +RT +SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL -ZLIB +ACME

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=32, MAX_THREADS=1024, default=3).
Built with SSL library version : OpenSSL 1.1.1 (compatible; AWS-LC 1.58.1)
Running on SSL library version : AWS-LC 1.58.1
SSL library supports TLS extensions : yes
SSL library supports SNI : yes
SSL library FIPS mode : no
SSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
QUIC: connection socket-owner mode support : yes
QUIC: GSO emission support : yes
Built with Lua version : Lua 5.4.6
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.42 2022-12-11
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 11.2.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
       spop : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : prometheus-exporter

Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace
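
The placement rule the report suggests (generic CN, requested hostname in SAN) as an added, stand-alone example; this is not code from the report, from HAProxy or from AWS-LC. It relies on the RFC 5280 constraint that commonName is bounded by ub-common-name = 64, while a dNSName in subjectAltName is an IA5String bounded only by the 253-character DNS limit. The DER encoder/decoder and the generic CN value `generated-cert.invalid` are assumptions made for this example, and `LONG_HOST` is a constructed hostname standing in for the 65-character one in the backtrace. It goes slightly beyond the report in also decoding a subject Name and rejecting an overlong CN, which is the check a generator would need before handing the name to the TLS library.

```python
"""Added example: where a hostname may go in a generated certificate.

RFC 5280 Appendix A bounds the commonName attribute at ub-common-name = 64
characters. A dNSName in subjectAltName is an IA5String with no such bound
(only the DNS limit of 253 characters per full name applies). The DER helpers
below are written for this example so it runs with the standard library only.
"""

UB_COMMON_NAME = 64                     # RFC 5280, ub-common-name
MAX_DNS_NAME = 253                      # RFC 1034 limit for a full domain name
GENERIC_CN = "generated-cert.invalid"   # assumed placeholder CN, not a real host
OID_COMMON_NAME = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3), DER body

# --- minimal DER helpers ---------------------------------------------------

def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    """Wrap `body` in a TLV with the given tag byte."""
    return bytes([tag]) + der_length(len(body)) + body

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# --- policy: where does the requested hostname go? -------------------------

def plan_names(hostname: str):
    """Return (commonName, [dNSName, ...]) for a certificate for `hostname`.

    The hostname always goes into subjectAltName. It is also used as the CN
    only when it fits ub-common-name; otherwise the generic CN is used so the
    subject still encodes as a valid Name.
    """
    if not hostname or len(hostname) > MAX_DNS_NAME:
        raise ValueError(f"hostname length {len(hostname)} outside 1..{MAX_DNS_NAME}")
    cn = hostname if len(hostname) <= UB_COMMON_NAME else GENERIC_CN
    return cn, [hostname]

# --- encoding --------------------------------------------------------------

def encode_subject(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (CN only)."""
    atv = der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode("utf-8")))
    return der(0x30, der(0x31, atv))

def encode_san(dns_names) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String."""
    return der(0x30, b"".join(der(0x82, n.encode("ascii")) for n in dns_names))

# --- decoding / validation -------------------------------------------------

def common_name(subject_der: bytes):
    """Extract the CN from a DER Name, enforcing the RFC 5280 length bound."""
    tag, rdns, _ = read_tlv(subject_der)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)          # SET OF AttributeTypeAndValue
        _, atv, _ = read_tlv(rdn)                  # first AttributeTypeAndValue
        _, oid, after_oid = read_tlv(atv)
        _, value, _ = read_tlv(atv, after_oid)
        if oid == OID_COMMON_NAME:
            cn = value.decode("utf-8")
            if not 1 <= len(cn) <= UB_COMMON_NAME:
                raise ValueError(f"commonName length {len(cn)} exceeds {UB_COMMON_NAME}")
            return cn
    return None

def san_dns_names(san_der: bytes):
    """Return the dNSName entries of a DER GeneralNames value."""
    _, names, _ = read_tlv(san_der)
    out, pos = [], 0
    while pos < len(names):
        tag, value, pos = read_tlv(names, pos)
        if tag == 0x82:                            # [2] dNSName
            out.append(value.decode("ascii"))
    return out

# Constructed hostname longer than 64 characters (63-character label plus a
# short suffix), standing in for the 65-character name in the report.
LONG_HOST = "a" * 63 + ".example.test"

if __name__ == "__main__":
    cn, sans = plan_names(LONG_HOST)
    print("CN :", common_name(encode_subject(cn)))   # generic CN, 22 characters
    print("SAN:", san_dns_names(encode_san(sans)))   # full 76-character hostname
```

A certificate generator that takes this route should still verify the name on the way out: `common_name()` rejects a subject whose CN exceeds 64 characters, which is the condition a client would otherwise hit as a parse or validation failure, and `san_dns_names()` confirms the requested hostname survived into the extension that modern clients actually match against.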

