Hi,
HAProxy 3.4-dev11 was released on 2026/05/08. It added 100 new commits
after version 3.4-dev10.
50 bugs were fixed again. It's still more than I would like to see at
this period, but on the other hand some of them were old ones reported
along with AI-assisted reviews, so instead I'm seeing them as good news about
stuff that won't have to be fixed later.
There are still some non-trivial pending ones. One of them is the attempt
to fix a risk of master socket starvation in case of an unresponsive worker,
that was discussed over the last two weeks at least with Alexander who
proposed a fix which we didn't feel super comfortable with, and for which
a much simpler one was merged (set the server-fin timeout on the
master-worker sockets). But it turns out that keywords sent there are always
immediately followed by a shutdown which enables this timeout, so that
broke a few commands like the reload, which reports an error for long restarts.
We had a better idea (disable server-fin for applets) but that wouldn't
fix the possible effects of the keyword on other commands, so for now we've
reverted it to buy more time to consider a more durable solution. I suspect
that we don't need the shutdown anymore after the keywords and that we could
end up with an elegant solution, but it still deserves analysis and I didn't
want to rush a last-minute fix.
Among the visible changes since -dev10, I can count:
- move of OpenTelemetry to its own repository: we figured that the code
is still young and will inevitably have to receive a number of patches
at the beginning at least to adapt to distros not currently covered,
and for non-x86 platforms. The opentel lib has an amazing number of
dependencies and it promises to demand some sustained efforts during the
initial period, and we didn't see how to reconcile the need of users
to get build fixes/updates with an LTS haproxy version that's not expected
to move fast. Also, distros will not be able to ship this at the beginning.
So the addon was moved to its own repo, alongside the library's C wrapper
which it already depends on, and this will ease updates of the addon
without having to wait too long for new haproxy releases:
https://github.com/haproxytech/haproxy-opentelemetry
The build procedure was updated, it's now basically:
make ... EXTRA_MAKE=/path/to/haproxy-opentelemetry
And the rest doesn't change.
- some QUIC code was reworked a bit. First, the shutdown code from the
stream layer was made a bit more flexible to better match what's done
in other muxes and leave more rope to deal with future bugs in that
area. Second, the listener-based RX code was reworked to use a lockless
ring instead of an mt_list to redispatch incoming datagrams to other
threads. This is mainly used as a fallback for when the socket owner
is the shared listener, but we know it's being used at various places
and was triggering the watchdog under high loads. Now it shouldn't
anymore.
- the JWE code now supports specifying the list of supported algorithms
and disables RSA1_5 by default since it's deprecated due to being
sensitive to timing attacks. JWS now supports HMAC for signing.
- the code of "new/set/commit ssl cert" was refactored for better
maintenance.
- The H1 mux will now return a "405 method not allowed" when facing an
H2 preface while the H2 upgrade is disabled, instead of a 400; this is
cleaner and more logical.
- acme now supports External Account Binding (EAB). I seem to understand
this allows using an account from another service to issue
certificates.
- quite a number of cleanups in code and error messages (thanks for that), and
the usual CI & regtest updates.
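To make the 405-vs-400 distinction above concrete, here is an added example (my own illustration, not HAProxy's mux-h1 code) that classifies the first bytes read on an HTTP/1 listener. The point is that the HTTP/2 connection preface starts with "PRI * HTTP/2.0", which is a well-formed HTTP/1 request line whose method is simply not acceptable where h2 is disabled, hence 405 rather than 400. The handling of incomplete input and the 400 cases for other malformed lines are assumptions of this example, not a description of HAProxy's parser; the sample inputs are constructed.

```python
import re

# The HTTP/2 connection preface (RFC 9113 section 3.4): a syntactically
# valid HTTP/1 request line "PRI * HTTP/2.0", a blank line, then "SM" and
# another blank line.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# RFC 9110 "tchar" characters, the only ones allowed in a method token.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")


def classify_h1_input(data: bytes, h2_allowed: bool = False) -> tuple:
    """Decide what to do with the first bytes read on an HTTP/1 listener.

    Returns (status, reason). Status 0 means keep going (parse as HTTP/1,
    wait for more bytes, or hand over to the h2 mux); a non-zero status is
    the error the client gets. Assumption of this example: anything that is
    not a valid HTTP/1.x request line is a 400, mirroring the page's "400"
    for generic parse errors.
    """
    line, sep, _rest = data.partition(b"\r\n")
    if not sep:
        if H2_PREFACE.startswith(data):
            return (0, "possible h2 preface, need more data")
        return (0, "incomplete request line, need more data")

    # An h2 preface is recognised from its request line alone: method "PRI"
    # with target "*" and version "HTTP/2.0" appears nowhere else in HTTP/1.
    if line == b"PRI * HTTP/2.0":
        if not h2_allowed:
            # Well-formed request, unacceptable method: 405, not 400.
            return (405, "h2 preface on a listener without h2: PRI not allowed")
        if data.startswith(H2_PREFACE):
            return (0, "h2 preface accepted, switching to the h2 mux")
        if H2_PREFACE.startswith(data):
            return (0, "h2 preface, waiting for the rest of it")
        return (400, "PRI request line not followed by the h2 preface")

    parts = line.split(b" ")
    if len(parts) != 3 or not TOKEN.match(parts[0]) or not parts[1]:
        return (400, "malformed request line")
    if parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        return (400, "unsupported HTTP/1 version")
    return (0, "valid HTTP/1 request line")


if __name__ == "__main__":
    # Constructed samples: a bare h2 preface, a normal request, a broken line.
    for sample in (H2_PREFACE, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", b"GET /\r\n"):
        print(sample[:16], classify_h1_input(sample))
        print(sample[:16], classify_h1_input(sample, h2_allowed=True))
```

From a detection standpoint, a burst of 405s on a plain HTTP/1 listener is the signature of clients attempting h2c prior-knowledge connections against a bind line that does not offer h2, which is a cleaner signal than the 400s these used to produce.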
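The JWE algorithm list and the ACME EAB items above are both JOSE plumbing, so here is one added example (mine, not HAProxy's jwe/jws/acme code) that writes out the wire-level details of each in Python: first, gating a JWE on its protected header "alg" against an allow-list that excludes RSA1_5 unless the caller opts in, before any key unwrapping is attempted; second, building and verifying the externalAccountBinding JWS of RFC 8555 section 7.3.4, an HMAC-signed JWS whose protected header carries alg, kid and url (and no nonce) and whose payload is the account's public JWK. RSA1_5 is RSAES-PKCS1-v1_5, whose decryption failures can be turned into a Bleichenbacher-style padding oracle, timing being one of the ways that oracle leaks, which is why it is off by default here. The allow-list contents other than the RSA1_5 exclusion, the kid, MAC key and JWK values are all assumptions and constructed sample data of this example, not HAProxy's defaults.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jose_header(segment: str) -> dict:
    """Decode a base64url JSON object; raises ValueError on anything else."""
    value = json.loads(b64url_decode(segment))
    if not isinstance(value, dict):
        raise ValueError("JOSE header is not a JSON object")
    return value


# 1. JWE key-management algorithms a consumer is willing to accept. RSA1_5
#    (RSAES-PKCS1-v1_5) is deliberately absent because of Bleichenbacher-style
#    padding-oracle attacks. The rest of this list is an assumption of the
#    example, not HAProxy's actual default.
DEFAULT_JWE_ALGS = frozenset({"RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "A256KW", "dir"})


def jwe_alg_allowed(token: str, allowed=DEFAULT_JWE_ALGS) -> tuple:
    """Refuse a compact JWE before any key unwrapping if its alg is not allowed."""
    parts = token.split(".")
    if len(parts) != 5:
        return (False, "not a JWE compact serialization")
    try:
        header = jose_header(parts[0])
    except ValueError:
        return (False, "unparseable protected header")
    alg = header.get("alg")
    if not isinstance(alg, str):
        return (False, "missing alg")
    if alg not in allowed:
        return (False, "alg " + alg + " is not allowed")
    return (True, alg)


# 2. ACME External Account Binding (RFC 8555 section 7.3.4). The CA hands the
#    client a key identifier and a base64url MAC key out of band; newAccount
#    then carries a JWS signed with that key whose payload is the account's
#    public JWK. Protected header: alg, kid, url only; no nonce, no jwk.
MAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def eab_jws(kid: str, mac_key_b64url: str, new_account_url: str,
            account_jwk: dict, alg: str = "HS256") -> dict:
    """Client side: build the externalAccountBinding object (flattened JWS)."""
    if alg not in MAC_DIGESTS:
        raise ValueError("unsupported EAB MAC alg " + alg)
    protected = b64url(json.dumps({"alg": alg, "kid": kid, "url": new_account_url},
                                  separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = (protected + "." + payload).encode("ascii")
    mac = hmac.new(b64url_decode(mac_key_b64url), signing_input, MAC_DIGESTS[alg]).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def eab_verify(eab: dict, mac_key_b64url: str, new_account_url: str, account_jwk: dict) -> bool:
    """CA side: header must name a MAC alg and the newAccount URL and carry no
    nonce, payload must be the account key, MAC must match (constant-time)."""
    try:
        header = jose_header(eab["protected"])
        payload = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, TypeError, ValueError):
        return False
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in MAC_DIGESTS:
        return False
    if header.get("url") != new_account_url or "nonce" in header or payload != account_jwk:
        return False
    signing_input = (eab["protected"] + "." + eab["payload"]).encode("ascii")
    expected = hmac.new(b64url_decode(mac_key_b64url), signing_input, MAC_DIGESTS[alg]).digest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed sample values; a real CA provides kid and MAC key out of band
    # and the JWK would be the client's real account key.
    url = "https://acme.example/acme/new-account"
    mac_key = b64url(bytes(range(32)))
    jwk = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}
    eab = eab_jws("example-kid-0001", mac_key, url, jwk)
    print(json.dumps(eab, indent=1))
    print("verifies:", eab_verify(eab, mac_key, url, jwk))
    print(jwe_alg_allowed(b64url(b'{"alg":"RSA1_5","enc":"A128CBC-HS256"}') + "...."))
```

The alg check runs on the header alone, so a rejected token never reaches the RSA private key; that is the property an allow-list is meant to give, and it is also why the list should be set explicitly rather than left to accept whatever the header names.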
There are still quite a bunch of low-importance cleanups pending, such
as revisiting places where an out-of-memory condition can exit in error
without releasing some pre-allocated variables, but quite frankly given
that such errors never trigger in production, I prefer that we keep these
for the long term and focus more on what improves the quality and ease of
maintenance of 3.4 at the date of release.
There are still some reviews pending, one being a series to clean up the
LB algos registration code (which is horrible and never changed over the
last two decades, often causing stupid bugs or difficulties when adding
new algos because special cases are made at various places). I also need
to recheck my branches with "almost done" stuff that was interrupted by
bug reports. I remember starting some work on the ability to disable
traces at build time for low-footprint environments (around 10% code
size reduction), and dynamic h2 stream adjustments based on existing
ones (currently only the run queue size is considered). If they're about
ready, they could be nice additions for users on the opposite side of
the spectrum. It could probably also make sense to have a new option to
disable H2 support, as it probably is the only large code base that cannot
be disabled (Lua, QUIC, SSL, even threading can be disabled). Those who
don't enable SSL are probably not interested in H2 either. We'll see
depending on how the rest goes.
Overall I'm currently pretty satisfied with the quality of what we have,
and am confident that we could have a great 3.4 release. We'll see how long
it lasts before 3.4.1, and the goal of the current work is to extend that
time.
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Q&A from devs : https://github.com/orgs/haproxy/discussions
Sources : https://www.haproxy.org/download/3.4/src/
Git repository : https://git.haproxy.org/git/haproxy.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy.git
Changelog : https://www.haproxy.org/download/3.4/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
OpenTelemetry : https://github.com/haproxytech/haproxy-opentelemetry
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Alexander Stephan (1):
BUG/MEDIUM: cli: fix master CLI connection slot leak on client disconnect
Amaury Denoyelle (12):
MEDIUM: mux-quic: extend shut to app proto layer
MINOR: h3/hq_interop: implement stream reset on shut abort/kill-conn
BUG/MINOR: quic: fix buffer overflow with sockaddr_in46
BUG/MINOR: quic: fix trace crash on datagram receive
MINOR: quic: fix trace spacing when datagram is displayed
MINOR: mux_quic: reset stream after app shutdown for HTTP/0.9
MINOR: mux_quic: do not perform unnecessary timeout handling on BE side
BUG/MEDIUM: mux_quic: adjust qcc_is_dead() to account detached streams
MINOR: mux_quic: simplify MUX_CTL_GET_NBSTRM
BUG/MINOR: mux_quic: fix max stream ID reuse estimation
MINOR: mux_quic: release BE conns if reuse definitely blocked
BUG/MINOR: mux_quic: refresh timeout only if I/O performed
Christopher Faulet (25):
BUG/MINOR: tcpcheck: Properly report error for http health-checks
CLEANUP: resolvers: Remove duplicated line when resolvers proxy is initialized
BUG/MINOR: resolvers: Free new requester on error when linking a resolution
BUG/MINOR: resolvers: Fix lookup for a hostname in the state-file tree
BUG/MINOR: resolvers: Free opts on parse error in resolv_parse_do_resolve()
CLEANUP: http-fetch: Remove duplicated return statement in smp_fetch_stver()
CLEANUP: http-fetch: Adjust smp_fetch_url32_src() comment
CLEANUP: http-fetch: Fix indentation of sample_fetch_keywords
BUG/MINOR: http-fetch: Fix http_auth_bearer() when custom header is used
BUG/MEDIUM: h1_htx: Remove reserved block on error during contig chunks parsing
CLEANUP: haterm: Remove duplicated block to know if haterm must drain
BUG/MINOR: haterm: Immediately report error when draining the request
CLEANUP: haterm: Remove useless IS_HTX_SC() test
BUG/MINOR: haterm: Fix a possible integer overflow on the request body length
BUG/MEDIUM: haterm: Subscribe for receives until request was fully drained
BUG/MINOR: haterm: Don't set HTX_FL_EOM flag on 100-Continue responses
BUG/MEDIUM: haterm: Properly handle end of request and end of response
BUG/MEDIUM: haterm: Properly handle client timeout
BUG/MINOR: haterm: Fix condition to use direct data forwarding
BUG/MINOR: haterm: Report a 400-bad-request error on receive error
DEBUG: haterm: Add hstream flags in the trace messages
MINOR: haterm: Remove now useless req_body field from hstream
MEDIUM: mux-h1: Return an error on h2 upgrade attempts if not allowed
BUG/MEDIUM: mux-h2: Properly consume padding for DATA frames
REGTESTS: Fix h1_to_h2_upgrade.vtc to force h2 on first bind line
Maxime Henrion (6):
MINOR: add an MPSC ring buffer implementation
OPTIM: quic: rework the QUIC RX code
MINOR: quic: store the DCID as an offset
OPTIM: quic: reduce the size of struct quic_dgram
BUG/MINOR: quic: handle cases where we don't have an address
MINOR: cli: allow specifying a tgid with show fd
Mia Kanashi (6):
BUG/MINOR: acme: contact mail should be optional, don't pass ToS bool
MEDIUM: tools: read_line_to_trash() handle empty files without \n
MINOR: jws: support HMAC in jws_b64_protected(), make nonce optional
MINOR: jws: introduce jws_b64_hmac_signature() function for HMAC signing
MINOR: acme: implement EAB - external account binding
MINOR: acme: allow specifying custom MAC alg for EAB
Miroslav Zagorac (1):
BUILD: otel: removed USE_OTEL, addon is now built via EXTRA_MAKE
Olivier Houchard (2):
BUG/MINOR: ssl: Use the sequence number with kTLS and TLS 1.2
BUG/MEDIUM: jwe: Fix jwt.decrypt_alg_list to work correctly
Remi Tricot-Le Breton (6):
MINOR: ssl: Export 'current_crtstore_name'
MINOR: ssl: Factorize code from "new/set ssl cert" CLI command
MINOR: ssl: Factorize ckch instance rebuild process
MEDIUM: ssl: Refactorize "commit ssl cert"
MINOR: jwe: Add option to enable/disable algorithms or encryption algorithms for jwt_decrypt
MINOR: jwe: Disable 'RSA1_5' algorithm by default in jwt_decrypt converters
William Lallemand (12):
BUG/MEDIUM: acme: fix segfault on newOrder with empty authorizations
BUG/MINOR: acme: skip auth/challenge steps when newOrder returns a certificate
CI: github: add DEBUG_STRICT=2 to ASAN jobs
BUG/MEDIUM: acme: fix stalled renewal when opportunistic DNS check fails
BUILD: add an EXTRA_MAKE option to build addons easily
CLEANUP: otel: move opentelemetry outside haproxy sources
DOC: acme: document missing acme-vars and provider-name keywords
BUG/MEDIUM: ssl/sample: check output buffer size in aes_cbc_enc converter
BUG/MEDIUM: mworker/cli: fix user and operator permission via @@<pid> in master CLI
BUG/MINOR: mworker/cli: check ci_insert() return value in pcli_parse_request()
BUILD: use Makefile.mk instead of Makefile.inc in EXTRA_MAKE
DOC: acme: EAB is now supported
Willy Tarreau (29):
BUG/MINOR: sink: do not free existing sinks on allocation error
CLEANUP: net_helper: fix incorrect const pointers in writev_n16()
BUG/MINOR: vars: make parse_store() return error on var_set() failure
BUG/MINOR: vars: don't store the variable twice with set-var-fmt
BUG/MINOR: vars: only print first invalid char in fill_desc()
BUG/MINOR: hpack: validate idx > 0 in hpack_valid_idx()
BUG/MINOR: acl: fix a possible arg corruption in smp_fetch_acl_parse()
BUG/MINOR: map: do not leak a map descriptor on load error
CLEANUP: map/cli: fix some map-related help messages
BUG/MINOR: pattern: release the reference on failure to load from file
CLEANUP: acl: remove duplicate test in parse_acl_expr() and unused variable
CLEANUP: mux-h2: remove the outdated condition to release h2c on timeout
BUG/MEDIUM: mux-h2: fix the body_len to check when parsing request trailers
BUG/MAJOR: mux-h2: preset MSGF_BODY_CL on H2_SF_DATA_CLEN in h2c_dec_hdrs()
DOC: otel: update the filter's status and URL in the docs
BUG/MINOR: dns: always validate the source address in responses
BUG/MAJOR: net_helper: also fix tcp_options_list for OOB write loop
BUG/MAJOR: http-ana: fix private session retrieval on NTLM
REGTESTS: add a regtest to validate various NTLM transitions
REGTESTS: http-messaging: always send RFC8441 client settings to use ext connect
BUG/MINOR: h2: add decoding for :protocol in traces
BUG/MINOR: mux-h2: condition the processing of 8441 extension to global setting
MINOR: mux-h2: add a new message flag to indicate ext connect support
BUG/MINOR: h2: only accept :protocol with extended CONNECT
BUG/MINOR: http_fetch: Check return values of unchecked buffer operations
Revert "BUG/MEDIUM: cli: fix master CLI connection slot leak on client disconnect"
Revert "BUG/MINOR: mux-h2: condition the processing of 8441 extension to global setting"
BUG/MEDIUM: mux-h2: fix the detection of the ext connect support
BUG/MEDIUM: stick-table: properly check permissions on CLI's set/clear cmd
---