Hi,
HAProxy 3.2.11 was released on 2026/01/29. It added 50 new commits
after version 3.2.10.
This release is pretty close to 3.3.2. Only some pending fixes from 3.3.1
were backported, mainly about TLS session resumption. Here is the list of
issues fixed by this release:
* We found an issue with the dump of the Lua state when watchdog warnings
were emitted, leading to crashes or CPU loops. The "show threads" CLI
command was also affected. Because the purpose of the Lua backtrace was
to help locate Lua call places upon a panic, it is now called on panic
only. In addition, the hlua_traceback() function was fixed to no longer
corrupt the stack (the root cause of the debugger issue).
* An issue was fixed in the Prometheus exporter. The server metrics dump
did not rely on the watcher mechanism introduced in 3.0, which must always
be used when performing interruptible iterations over the server list, so
the dump could end up relying on a stale server.
* Still about Lua, two issues in the Patref:add_bulk() function were fixed.
First, the yield mechanism was buggy and triggered a Lua error because the
check for the yield was misplaced. Then, the function's arguments were
not properly checked: calling it with anything other than a table led to
a crash.
* In the H1 multiplexer, it was possible to fall into an infinite loop on
the response path, although the chances of hitting the bug were quite
limited. It only happened when the server response was intercepted by
HAProxy while the server had emitted a 1xx interim message that was
received at the same time as the final response. The issue was fixed by
properly looping over the HTX message (skipping unused blocks) when
formatting the H1 response status line.
* Several issues were fixed in the SSL part. With the certificate
generation mechanism ("generate-certificates"), some errors were not
properly handled, leading to crashes with AWS-LC, and the "CN" was not
ignored when the SNI was longer than 64 bytes, leading to handshake
failures. An issue with TLS session reuse was also fixed: the SNI was not
considered when a TLS session was reused, so a connection without SNI
could inherit the SNI of an old session. Now the SNI of the cached TLS
session must match the one that will be used for the new connection
(and TLS sessions are no longer resumed for health check connections).
* An issue with the parsing of log-forward options, leading to crashes,
was fixed. The "option dont-parse-log" and "option assume-rfc6587-ntf"
directives were affected.
* The "show proc" master CLI command is no longer limited by the output
buffer size and can now list many processes. In addition, the command was
fixed to properly handle more than 202 processes. Still on the master
side, it was reported that the master couldn't reload after a failed
reload following a wrong configuration. It was still possible to perform
a reload manually via the master CLI, but all signals were blocked. This
was fixed by adding a task, started by the signal handler, responsible
for restoring the signals outside of it.
* For H2 on the backend side, in some cases it was possible to keep using
a connection up to the last stream ID permitted by the server. While this
is undetectable by the server, since it simply processes the streams in
flight, it is forbidden by the spec, and not all parts of the code handled
it the same way (some applied the client rule and others the server one).
The main impact is that after releasing the last allowed stream to a
server, the connection was neither put back into the idle pool nor
killed, and a late activity (e.g. a shutdown) could trigger a BUG_ON()
condition detecting this inconsistency and crash the process. Only 3.3
was affected by the BUG_ON(), and it is not sure at this point whether any
other effect could have happened on older versions, but the fix is being
backported slowly.
* On QUIC, the ACK ECN frame parsing was fixed to avoid a desynchronization
of the frame parsing code, which could lead to a connection abort due to
an invalid frame content being read. And the abort of a unidirectional
stream was fixed so that it no longer erroneously triggers a BUG_ON().
* Since 2.6, the TCP Fast Open option (TFO) was no longer enabled on server
connections because of a wrong test on the number of connection retries.
In addition, also since 2.6, the wrong buffer was checked (the response
one instead of the request one), which also broke TFO. Both issues were
fixed.
* Minor issues in the configuration parsing were fixed. Among others, the
parsing of an invalid expression for the "set-map" action was fixed to
not crash on deinit, allocation failures of some pools are now properly
handled, and defaults sections with the same name no longer lead to
crashes on deinit.
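As an added illustration of the TLS session reuse fix described in the SSL item above (this is example code written for this page, not HAProxy's own code), the model below keeps one cached TLS session per server together with a hash of the SNI it was negotiated with, and only hands the session back for reuse when the new connection's SNI hashes to the same value. The hash function (an 8-byte blake2b of the lowercased name), the cache layout, the treatment of "no SNI" as the empty name, and the server/SNI sample values are all assumptions made for this example; HAProxy's actual data structures differ.

```python
# Added example (not HAProxy code): model of a per-server TLS session cache
# that records a hash of the SNI a session was negotiated with and refuses
# to reuse the session for a connection whose SNI hashes differently.
# The hash function, the cache layout and the sample server/SNI values are
# assumptions made for this example.
import hashlib
from typing import Dict, Optional, Tuple


def sni_hash(sni: Optional[str]) -> int:
    """Hash an SNI to a 64-bit integer.

    Assumption: connections without SNI hash the empty name, so a cached
    session that carried an SNI never matches a connection sent without
    one (and vice versa).  Hostnames are case-insensitive, so normalise.
    """
    name = (sni or "").lower().encode("utf-8")
    return int.from_bytes(hashlib.blake2b(name, digest_size=8).digest(), "big")


class ServerSessionCache:
    """One cached TLS session per server, stored with its SNI hash."""

    def __init__(self, check_sni: bool = True) -> None:
        # check_sni=False reproduces the old behaviour (session reused
        # regardless of the SNI); True is the fixed behaviour.
        self.check_sni = check_sni
        self._by_server: Dict[str, Tuple[bytes, int]] = {}

    def store(self, server: str, session: bytes, sni: Optional[str]) -> None:
        """Remember the session negotiated with `sni` for `server`."""
        self._by_server[server] = (session, sni_hash(sni))

    def resume(self, server: str, sni: Optional[str]) -> Optional[bytes]:
        """Return a session to resume for this (server, sni), or None when
        a full handshake with the connection's own SNI is required."""
        entry = self._by_server.get(server)
        if entry is None:
            return None
        session, cached_hash = entry
        if self.check_sni and cached_hash != sni_hash(sni):
            return None
        return session


def demo() -> Dict[str, Dict[str, Optional[bytes]]]:
    """Compare old and fixed behaviour on constructed sample data."""
    results = {}
    for mode, check in (("old", False), ("fixed", True)):
        cache = ServerSessionCache(check_sni=check)
        # constructed: a session negotiated earlier with SNI api.example.com
        cache.store("srv1", b"session-1", "api.example.com")
        results[mode] = {
            "same_sni": cache.resume("srv1", "api.example.com"),
            "other_sni": cache.resume("srv1", "admin.example.com"),
            "no_sni": cache.resume("srv1", None),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

In the "old" mode every lookup returns the cached session, so a connection whose SNI is derived from client input (or that has none) silently resumes a session established for another name; in the "fixed" mode only the matching SNI does. Comparing hashes instead of the full strings keeps the per-session storage small, at the cost of accepting a 64-bit collision as a match; comparing the strings themselves is the conservative choice if that trade-off matters in your deployment.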
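To make the QUIC ACK ECN parsing item concrete, here is an added example (written for this page, not taken from HAProxy) of a minimal QUIC frame parser following the ACK frame layout of RFC 9000 section 19.3 and the variable-length integer encoding of section 16. The ACK_ECN frame type (0x03) carries three extra varints (ECT0, ECT1 and ECN-CE counts) after the ACK ranges; a parser that stops before them leaves the read position in the middle of the frame, so the next bytes are interpreted as a new frame type and the whole packet is rejected. The `consume_ecn=False` switch deliberately reproduces that class of bug for demonstration and is not a description of HAProxy's actual defect; the sample payload is constructed here.

```python
# Added example (not HAProxy code): RFC 9000 ACK / ACK_ECN frame parsing and
# the desynchronisation caused by not consuming the ECN counts.
from typing import Dict, List, Optional, Sequence, Tuple

FRAME_PING = 0x01
FRAME_ACK = 0x02
FRAME_ACK_ECN = 0x03


class FrameError(Exception):
    """Invalid frame: a real endpoint closes the connection with
    FRAME_ENCODING_ERROR, i.e. the 'connection abort' of the release note."""


def encode_varint(v: int) -> bytes:
    """RFC 9000 section 16 variable-length integer (2 length bits + value)."""
    if v < 1 << 6:
        return bytes([v])
    if v < 1 << 14:
        return (v | 0x4000).to_bytes(2, "big")
    if v < 1 << 30:
        return (v | 0x80000000).to_bytes(4, "big")
    if v < 1 << 62:
        return (v | 0xC000000000000000).to_bytes(8, "big")
    raise ValueError("varint too large")


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, new_pos); length is 1 << (top two bits)."""
    if pos >= len(buf):
        raise FrameError("truncated varint")
    length = 1 << (buf[pos] >> 6)
    if pos + length > len(buf):
        raise FrameError("truncated varint")
    value = int.from_bytes(buf[pos:pos + length], "big") & ((1 << (8 * length - 2)) - 1)
    return value, pos + length


def build_ack_frame(largest: int, delay: int, first_range: int,
                    extra_ranges: Sequence[Tuple[int, int]] = (),
                    ecn: Optional[Tuple[int, int, int]] = None) -> bytes:
    """Encode an ACK (0x02) or ACK_ECN (0x03) frame; extra_ranges are (gap, len)."""
    out = bytearray(encode_varint(FRAME_ACK_ECN if ecn else FRAME_ACK))
    out += encode_varint(largest) + encode_varint(delay)
    out += encode_varint(len(extra_ranges)) + encode_varint(first_range)
    for gap, length in extra_ranges:
        out += encode_varint(gap) + encode_varint(length)
    if ecn:
        for count in ecn:  # ECT0, ECT1, ECN-CE, in that order
            out += encode_varint(count)
    return bytes(out)


def parse_ack_frame(buf: bytes, pos: int, frame_type: int,
                    consume_ecn: bool = True) -> Tuple[Dict, int]:
    """Parse the body of an ACK frame (type already read) into packet ranges."""
    largest, pos = decode_varint(buf, pos)
    delay, pos = decode_varint(buf, pos)
    range_count, pos = decode_varint(buf, pos)
    first_range, pos = decode_varint(buf, pos)
    if first_range > largest:
        raise FrameError("ACK range extends below packet number 0")
    smallest = largest - first_range
    ranges = [(smallest, largest)]
    for _ in range(range_count):
        gap, pos = decode_varint(buf, pos)
        length, pos = decode_varint(buf, pos)
        range_largest = smallest - gap - 2  # RFC 9000 section 19.3.1
        smallest = range_largest - length
        if smallest < 0:
            raise FrameError("ACK range extends below packet number 0")
        ranges.append((smallest, range_largest))
    ecn = None
    if frame_type == FRAME_ACK_ECN and consume_ecn:
        ect0, pos = decode_varint(buf, pos)
        ect1, pos = decode_varint(buf, pos)
        ce, pos = decode_varint(buf, pos)
        ecn = (ect0, ect1, ce)
    return {"type": "ACK", "largest": largest, "delay": delay,
            "ranges": ranges, "ecn": ecn}, pos


def parse_frames(payload: bytes, consume_ecn: bool = True) -> List[Dict]:
    """Walk a packet payload frame by frame; only PING and ACK are modelled."""
    frames, pos = [], 0
    while pos < len(payload):
        frame_type, pos = decode_varint(payload, pos)
        if frame_type == FRAME_PING:
            frames.append({"type": "PING"})
        elif frame_type in (FRAME_ACK, FRAME_ACK_ECN):
            frame, pos = parse_ack_frame(payload, pos, frame_type, consume_ecn)
            frames.append(frame)
        else:
            raise FrameError("unknown or unexpected frame type 0x%02x" % frame_type)
    return frames


def buggy_parser_aborts(payload: bytes) -> bool:
    """True if a parser that skips the ECN counts rejects this payload."""
    try:
        parse_frames(payload, consume_ecn=False)
    except FrameError:
        return True
    return False


# Constructed sample packet payload: an ACK_ECN frame acknowledging 8..10
# and 4..5 with ECN counts (5, 0, 1), followed by a PING frame.
SAMPLE_PAYLOAD = build_ack_frame(10, 3, 2, [(1, 1)], ecn=(5, 0, 1)) + encode_varint(FRAME_PING)

if __name__ == "__main__":
    print(parse_frames(SAMPLE_PAYLOAD))
    print("buggy parser aborts:", buggy_parser_aborts(SAMPLE_PAYLOAD))
```

With the ECN counts consumed, the payload decodes as an ACK followed by a PING. Without them, the leftover count bytes are read as a frame type (0x05 here), which this parser does not know, so the packet is rejected just as the release note describes for the real bug.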
In addition to those fixes, support for Lua 5.5 was backported and it is
now possible to disable certificate compression by setting the new
"tune.ssl.certificate-compression" global directive to "off".
Thanks everyone for your help.
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Q&A from devs : https://github.com/orgs/haproxy/discussions
Sources : https://www.haproxy.org/download/3.2/src/
Git repository : https://git.haproxy.org/git/haproxy-3.2.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-3.2.git
Changelog : https://www.haproxy.org/download/3.2/src/CHANGELOG
Dataplane API :
https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
---
Complete changelog :
Alexander Stephan (1):
BUG/MINOR: mworker/cli: fix show proc pagination using reload counter
Amaury Denoyelle (5):
MINOR: cfgparse: remove duplicate "force-persist" in common kw list
BUG/MEDIUM: quic: fix ACK ECN frame parsing
BUG/MINOR: proxy: free persist_rules
BUG/MEDIUM: mux-quic: prevent BUG_ON() on aborted uni stream close
BUG/MINOR: proxy: fix deinit crash on defaults with duplicate name
Aurelien DARRAGON (7):
BUG/MINOR: hlua_fcn: fix broken yield for Patref:add_bulk()
BUG/MINOR: hlua_fcn: ensure Patref:add_bulk() is given a table object
before using it
BUG/MINOR: http_act: fix deinit performed on uninitialized lf_expr in
release_http_map()
BUG/MEDIUM: promex: server iteration may rely on stale server
BUG/MEDIUM: log: parsing log-forward options may result in segfault
BUG/MEDIUM: hlua: fix invalid lua_pcall() usage in hlua_traceback()
BUG/MINOR: hlua: consume error object if ignored after a failing
lua_pcall()
Christian Ruppert (1):
REGTESTS: ssl: Fix reg-tests curve check
Christopher Faulet (11):
BUG/MEDIUM: http-ana: Properly detect client abort when forwarding
response (v2)
BUG/MEDIUM: stconn: Don't report abort from SC if read0 was already
received
MINOR: ssl: Add a function to hash SNIs
MINOR: ssl: Store hash of the SNI for cached TLS sessions
MINOR: ssl: Compare hashes instead of SNIs when a session is cached
MINOR: connection/ssl: Store the SNI hash value in the connection itself
MEDIUM: tcpcheck/backend: Get the connection SNI before initializing SSL
ctx
BUG/MEDIUM: ssl: Don't reuse TLS session if the connection's SNI differs
MEDIUM: ssl/server: No longer store the SNI of cached TLS sessions
BUG/MINOR: promex: Detach promex from the server on error dump its
metrics dump
BUG/MEDIUM: mux-h1: Skip UNUSED htx block when formating the start line
Egor Shestakov (2):
BUG/MINOR: cfgparse: fix "default" prefix parsing
DOC: reg-tests: update VTest upstream link in the starting guide
Mike Lothian (1):
MINOR: hlua: Add support for lua 5.5
Olivier Houchard (2):
MINOR: connections: Add a new CO_FL_SSL_NO_CACHED_INFO flag
BUG/MEDIUM: ssl: Don't resume session for check connections
William Lallemand (12):
BUG/MEDIUM: mworker: can't use signals after a failed reload
BUILD: ssl: strchr definition changed in C23
BUILD: tools: memchr definition changed in C23
BUG/MINOR: cfgparse: wrong section name upon error
BUG/MINOR: cli/stick-tables: argument to "show table" is optional
BUG/MEDIUM: ssl: fix error path on generate-certificates
BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than
64bytes
REGTESTS: ssl: fix generate-certificates w/ LibreSSL
MINOR: ssl: allow to disable certificate compression
BUG/MINOR: ssl: fix error message of tune.ssl.certificate-compression
CLEANUP: mworker/cli: remove useless variable
BUG/MINOR: mworker/cli: 'show proc' is limited by buffer size
Willy Tarreau (8):
BUG/MINOR: sock-inet: ignore conntrack for transparent sockets on Linux
BUG/MINOR: backend: fix the conn_retries check for TFO
BUG/MINOR: backend: inspect request not response buffer to check for TFO
DOC: config: fix the length attribute name for stick tables of type
binary / string
BUILD: sockpair: fix build issue on macOS related to variable-length
arrays
BUG/MEDIUM: mux-h2: synchronize all conditions to create a new backend
stream
BUG/MINOR: config: check capture pool creations for failures
BUG/MEDIUM: debug: only dump Lua state when panicking
--
Christopher Faulet