Hello,

The issue was fixed with these two patches in HAProxy:

https://github.com/haproxy/haproxy/commit/eb5279b15470d187061b1d7be3512ca6178eba0c
https://github.com/haproxy/haproxy/commit/fbc98ebcdaefd4c024b33194640350ba0c348567

There was also an issue in AWS-LC which was fixed in 
https://github.com/aws/aws-lc/pull/2946, but you don't need the
patch if you use the 2 previous HAProxy patches.

Thanks for the report!

Regards,

On Mon, Jan 12, 2026 at 12:07:37PM +0100, Przemyslaw Bromber wrote:
> Subject: [3.2.4][AWS-LC:1.58.1] Segmentation fault on certificate generation.
> Hi.
> 
> I just wanted to report that we encountered an issue with certificate
> generation (generate-certificates option) for hostnames longer than 64
> characters. When generating a certificate for such a hostname with the AWS-LC
> library, haproxy crashes with a segmentation fault as shown below in the
> backtrace. This may be connected to the Common Name length limit, which is
> 64 characters.
> 
> Fortunately, hostnames in the SAN section do not have this limitation. Maybe for
> longer hostnames it's a good idea to put some generic hostname in the CN and the
> desired one in the SAN section.
> 
> Please let me know if you need any additional information from our side.
> 
> Regards
> Przemek
> 
> GDB backtrace (details about the HAProxy installation are below the backtrace):
> 
> root@hap-rnd-1a:/var/lib/haproxy# gdb  /usr/sbin/haproxy
> core.haproxy.3069061.1767965391
> GNU gdb (Ubuntu 12.1-0ubuntu1~22.04.2) 12.1
> Copyright (C) 2022 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> Type "show copying" and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <https://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
>     <http://www.gnu.org/software/gdb/documentation/>.
> 
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from /usr/sbin/haproxy...
> Reading symbols from
> /usr/lib/debug/.build-id/6f/2876252e93c1a4c4505814515d851660ec0b90.debug...
> 
> warning: Can't open file /dev/zero (deleted) during file-backed mapping
> note processing
> [New LWP 3069405]
> [New LWP 3069061]
> [New LWP 3069404]
> [New LWP 3069406]
> [New LWP 3069408]
> [New LWP 3069403]
> [New LWP 3069407]
> [New LWP 3069409]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Core was generated by `/usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p
> /var/run/haproxy.pid -D -sf 30'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x00007f7479af97a3 in SSL_set_SSL_CTX () from
> /usr/lib/haproxy/awslc_v1.58.1/lib/libssl.so
> [Current thread is 1 (Thread 0x7f73deea5640 (LWP 3069405))]
> (gdb) bt
> #0  0x00007f7479af97a3 in SSL_set_SSL_CTX () from
> /usr/lib/haproxy/awslc_v1.58.1/lib/libssl.so
> #1  0x000055809203a615 in ssl_sock_generate_certificate (
>     servername=0x7f73d40f5840
> "dsfadsfdssdfgsfdgsdfgsdfrargsdfgsdffdsgdsfgsdf.przemek.test.local",
>     bind_conf=0x5580f60402c0, ssl=ssl@entry=0x7f73d4108848) at
> src/ssl_gencert.c:357
> #2  0x000055809203dcb2 in ssl_sock_switchctx_cbk (ctx=<optimized out>) at
> src/ssl_clienthello.c:438
> #3  0x00007f7479ae14c6 in bssl::ssl_server_handshake(bssl::SSL_HANDSHAKE*)
> ()
>    from /usr/lib/haproxy/awslc_v1.58.1/lib/libssl.so
> #4  0x00007f7479adb828 in bssl::ssl_run_handshake(bssl::SSL_HANDSHAKE*,
> bool*) ()
>    from /usr/lib/haproxy/awslc_v1.58.1/lib/libssl.so
> #5  0x00007f7479afa67a in SSL_do_handshake () from
> /usr/lib/haproxy/awslc_v1.58.1/lib/libssl.so
> #6  0x0000558092012669 in ssl_sock_handshake (flag=134217728,
> conn=<optimized out>) at src/ssl_sock.c:5425
> #7  ssl_sock_io_cb (t=0x7f73d41025d0, context=0x7f73d4102a70,
> state=<optimized out>) at src/ssl_sock.c:5795
> #8  0x00005580922c8aa8 in run_tasks_from_lists
> (budgets=budgets@entry=0x7f73dee99ee0)
> at src/task.c:648
> #9  0x00005580922c92af in process_runnable_tasks () at src/task.c:889
> #10 0x0000558092238472 in run_poll_loop () at src/haproxy.c:2851
> #11 0x0000558092238b29 in run_thread_poll_loop (data=<optimized out>) at
> src/haproxy.c:3067
> #12 0x00007f747937eac3 in start_thread (arg=<optimized out>) at
> ./nptl/pthread_create.c:442
> #13 0x00007f74794108c0 in clone3 () at
> ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
> (gdb)
> 
> 
> More details about our HAProxy installation:
> 
> 
> root@hap-rnd:/var/lib/haproxy# haproxy -vv
> HAProxy version 3.2.4-98813a1 2025/08/13 - https://haproxy.org/
> Status: long-term supported branch - will stop receiving fixes around Q2
> 2030.
> Known bugs: http://www.haproxy.org/bugs/bugs-3.2.4.html
> Running on: Linux 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16
> UTC 2025 x86_64
> Build options :
>   TARGET  = linux-glibc
>   CC      = cc
>   CFLAGS  = -O2 -g -fwrapv -DMAX_SESS_STKCTR=12
>   OPTIONS = USE_OPENSSL_AWSLC=1 USE_LUA=1 USE_QUIC=1 USE_PROMEX=1
> USE_PCRE2=1 USE_PCRE2_JIT=1
>   DEBUG   =
> 
> Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY
> +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE
> -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH
> -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL +OPENSSL_AWSLC
> -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL
> -PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC -QUIC_OPENSSL_COMPAT +RT +SLZ
> +SSL -STATIC_PCRE -STATIC_PCRE2 +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL
> -ZLIB +ACME
> 
> Default settings :
>   bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
> 
> Built with multi-threading support (MAX_TGROUPS=32, MAX_THREADS=1024,
> default=3).
> Built with SSL library version : OpenSSL 1.1.1 (compatible; AWS-LC 1.58.1)
> Running on SSL library version : AWS-LC 1.58.1
> SSL library supports TLS extensions : yes
> SSL library supports SNI : yes
> SSL library FIPS mode : no
> SSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
> QUIC: connection socket-owner mode support : yes
> QUIC: GSO emission support : yes
> Built with Lua version : Lua 5.4.6
> Built with the Prometheus exporter as a service
> Built with network namespace support.
> Built with libslz for stateless compression.
> Compression algorithms supported : identity("identity"),
> deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
> IP_FREEBIND
> Built with PCRE2 version : 10.42 2022-12-11
> PCRE2 library supports JIT : yes
> Encrypted password support via crypt(3): yes
> Built with gcc compiler version 11.2.0
> 
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
> Available multiplexer protocols :
> (protocols marked as <default> cannot be specified using 'proto' keyword)
>        quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
>          h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
>   <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
>          h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
>        fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
>   <default> : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
>        spop : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
>   <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
>        none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG
> 
> Available services : prometheus-exporter
> Available filters :
> [BWLIM] bwlim-in
> [BWLIM] bwlim-out
> [CACHE] cache
> [COMP] compression
> [FCGI] fcgi-app
> [SPOE] spoe
> [TRACE] trace

-- 
William Lallemand
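The report suspects the X.520 upper bound of 64 characters on commonName and suggests a generic CN with the real hostname in the SAN. The following is an added example, not code from HAProxy or AWS-LC, that encodes both fields in DER with the standard library only: it enforces the commonName bound up front (so an over-long name is a clean error rather than something passed on to the TLS library), shows that a dNSName in SubjectAltName carries no such bound, and applies the reporter's CN/SAN placement. `UB_COMMON_NAME`, `CN_PLACEHOLDER` and all function names are constructed for this example.

```python
"""DER helpers for CN-vs-SAN placement of long hostnames (constructed example)."""

UB_COMMON_NAME = 64                  # X.520 ub-common-name; OpenSSL-family libraries reject longer CNs
CN_PLACEHOLDER = "san-only.invalid"  # constructed generic CN used when the hostname does not fit


def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value primitive used by every encoder below."""
    return bytes([tag]) + der_len(len(value)) + value


def subject_name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName holding a single commonName.
    The length check is the one a certificate generator must perform before handing
    the value to the TLS library; a value over the bound is rejected here."""
    if len(cn) > UB_COMMON_NAME:
        raise ValueError(f"commonName longer than {UB_COMMON_NAME} characters: {cn!r}")
    oid_cn = tlv(0x06, bytes([0x55, 0x04, 0x03]))            # OBJECT IDENTIFIER 2.5.4.3 (id-at-commonName)
    atv = tlv(0x30, oid_cn + tlv(0x0C, cn.encode("utf-8")))  # AttributeTypeAndValue, value as UTF8String
    return tlv(0x30, tlv(0x31, atv))                          # SEQUENCE { SET { atv } }


def subject_alt_name(hostnames: list[str]) -> bytes:
    """SubjectAltName ::= GeneralNames; each dNSName is [2] IMPLICIT IA5String (tag 0x82).
    Unlike commonName, dNSName has no 64-character upper bound, so any length encodes."""
    names = b"".join(tlv(0x82, h.encode("ascii")) for h in hostnames)
    return tlv(0x30, names)


def plan_certificate(hostname: str) -> tuple[str, list[str]]:
    """The placement the report suggests: a hostname that fits goes in CN and SAN;
    a longer one gets the generic placeholder CN and appears only in the SAN."""
    if len(hostname) > UB_COMMON_NAME:
        return CN_PLACEHOLDER, [hostname]
    return hostname, [hostname]


def build_name_fields(hostname: str) -> tuple[bytes, bytes]:
    """Return the DER Subject and the DER SubjectAltName extension value for one hostname."""
    cn, sans = plan_certificate(hostname)
    return subject_name(cn), subject_alt_name(sans)
```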