On Thu, May 30, 2024 at 08:48:29PM GMT, Theo Buehler wrote:
> Does this still happen if you apply this on top (which will be a noop
> once we bump the libressl version to 4.0)?
> 
> Index: include/haproxy/quic_tls.h
> --- include/haproxy/quic_tls.h.orig
> +++ include/haproxy/quic_tls.h
> @@ -140,7 +140,7 @@ static inline const EVP_CIPHER *tls_aead(const SSL_CIP
>               return EVP_aes_128_gcm();
>       case TLS1_3_CK_AES_256_GCM_SHA384:
>               return EVP_aes_256_gcm();
> -#if !defined(OPENSSL_IS_AWSLC) && (!defined(LIBRESSL_VERSION_NUMBER) || 
> LIBRESSL_VERSION_NUMBER >= 0x4000000fL)
> +#if !defined(OPENSSL_IS_AWSLC)
>       /* WT: LibreSSL has an issue with CHACHA20 running in-place till 3.9.2
>        *     included, but the fix is already identified and will be merged
>        *     into next major version. Given that on machines without AES-NI
> 

Indeed, this gets HTTP/3 rolling. (Took quite some time testing because
I don't understand how desktop browsers decide to use HTTP/3. I'm pretty
sure I still don't, but hey--my Grafana now loads over HTTP/3... *sometimes*).

Thanks for the prompt reply, Theo!

Diff updated with this patch. Better / correct patch comment suggestions
are more than welcome.


diff 74dcff6cd6dd2e62a28d3ab1da574df080129e8e 
0b0ecc870da4ee36832bc2fff07632a8d7861299
commit - 74dcff6cd6dd2e62a28d3ab1da574df080129e8e
commit + 0b0ecc870da4ee36832bc2fff07632a8d7861299
blob - b5cddc3eeab11bb6bf999bb5911687342fb8b1e4
blob + 4b2fc6d50a696cd7f95e51c2ced4bdc76533d65a
--- net/haproxy/Makefile
+++ net/haproxy/Makefile
@@ -1,6 +1,6 @@
 COMMENT =      reliable, high performance TCP/HTTP load balancer
 
-DISTNAME =     haproxy-2.8.9
+DISTNAME =     haproxy-3.0.0
 CATEGORIES =   net www
 HOMEPAGE =     https://www.haproxy.org/
 MAINTAINER =   Daniel Jakots <[email protected]>
@@ -12,19 +12,12 @@ WANTLIB +=  c crypto pcre2-8 pcre2-posix pthread ssl z
 
 DEBUG_PACKAGES = ${BUILD_PACKAGES}
 
-SITES =                ${HOMEPAGE}/download/2.8/src/
+SITES =                ${HOMEPAGE}/download/3.0/src/
 
-HAPROXYCONF =  ${SYSCONFDIR}/haproxy
-HAPROXYSTATE = /var/haproxy
-HAPROXYUID =   604
-HAPROXYGID =   604
-SUBST_VARS =   HAPROXYCONF HAPROXYSTATE \
-               HAPROXYUID HAPROXYGID
-
 USE_GMAKE =    Yes
 MAKE_FLAGS +=  CPU_CFLAGS="${CFLAGS}" LDFLAGS="${LDFLAGS}"
 MAKE_FLAGS +=  CC="${CC}" LD="${CC}" TARGET="openbsd"
-MAKE_FLAGS +=  USE_OPENSSL=1 USE_PCRE2=1 USE_QUIC=1 USE_ZLIB=1 V=1
+MAKE_FLAGS +=  USE_OPENSSL=1 USE_PCRE2=1 USE_PROMEX=1 USE_QUIC=1 USE_ZLIB=1 V=1
 MAKE_FLAGS +=  USE_LIBATOMIC=
 
 FAKE_FLAGS +=  DOCDIR="${PREFIX}/share/doc/haproxy"
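Review bot: `USE_PROMEX=1` on the MAKE_FLAGS line adds the Prometheus exporter as part of what is otherwise a version bump, and neither the mail nor the diff says why; a one-line mention in the commit message (or a separate commit) would make that deliberate feature change visible to anyone bisecting later. As far as I recall the exporter only answers when a frontend explicitly routes to it with `http-request use-service prometheus-exporter`, so the shipped sample config should not expose metrics by enabling the build flag alone, but that is worth confirming against the 3.0 documentation since it is new in this port. Dropping the HAPROXY* SUBST_VARS is consistent with the PLIST and rc changes elsewhere in this diff.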
blob - f9c70c08d84f0653a75d3a3d505c893f4b840e9c
blob + a1b3a2860f26f5acca317db26709004389ab6e51
--- net/haproxy/distinfo
+++ net/haproxy/distinfo
@@ -1,2 +1,2 @@
-SHA256 (haproxy-2.8.9.tar.gz) = eoIUePNvhHYH9RpR6A9PiQw3r0gR1gQ45/Y3g/Z1kv8=
-SIZE (haproxy-2.8.9.tar.gz) = 4383096
+SHA256 (haproxy-3.0.0.tar.gz) = Wq2XQWIW0s2d0hLrZ0g5xAzTh/YPvEsT1+o/HlZkqBQ=
+SIZE (haproxy-3.0.0.tar.gz) = 4677659
blob - a43fe95d947d035d59d2a49a4d8fbc888a10bc4d
blob + 99030a2bb355b7a75851937ff393f07179241d9b
--- net/haproxy/files/haproxy.cfg
+++ net/haproxy/files/haproxy.cfg
@@ -2,8 +2,8 @@ global
        log 127.0.0.1   local0 debug
        maxconn 1024
        chroot /var/haproxy
-       uid 604
-       gid 604
+       user _haproxy
+       group _haproxy
        daemon
        pidfile /var/run/haproxy.pid
 
blob - /dev/null
blob + 248415d196379cd4cd6dfb260f12422c8a2aa45b (mode 644)
--- /dev/null
+++ net/haproxy/patches/patch-include_haproxy_quic_tls_h
@@ -0,0 +1,17 @@
+-current works correctly with in-place ChaCha20-Poly1305. Without this,
+some clients may receive ChaCha20-Poly1305 in the handshake but won't
+be able to use it: at least curl returns "Weird server reply". To be
+dropped after LibreSSL 4.
+
+Index: include/haproxy/quic_tls.h
+--- include/haproxy/quic_tls.h.orig
++++ include/haproxy/quic_tls.h
+@@ -140,7 +140,7 @@ static inline const EVP_CIPHER *tls_aead(const SSL_CIP
+               return EVP_aes_128_gcm();
+       case TLS1_3_CK_AES_256_GCM_SHA384:
+               return EVP_aes_256_gcm();
+-#if !defined(OPENSSL_IS_AWSLC) && (!defined(LIBRESSL_VERSION_NUMBER) || 
LIBRESSL_VERSION_NUMBER >= 0x4000000fL)
++#if !defined(OPENSSL_IS_AWSLC)
+       /* WT: LibreSSL has an issue with CHACHA20 running in-place till 3.9.2
+        *     included, but the fix is already identified and will be merged
+        *     into next major version. Given that on machines without AES-NI
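Review bot: The patch removes the LibreSSL version guard outright instead of lowering it, so the ChaCha20 path is now compiled in for every LibreSSL build, including a 3.9.x without the in-place fix, which would reintroduce exactly the breakage upstream's guard exists for (harmless in -current, but a build of this port against an older LibreSSL would regress). If the fixed LibreSSL in -current reports a distinguishable `LIBRESSL_VERSION_NUMBER`, keeping the check with that value would be safer; if it does not, the patch comment should say so, since that is the reason the guard cannot simply be adjusted. Since better wording was requested, something like `LibreSSL in -current has fixed in-place ChaCha20-Poly1305 but still reports a 3.x LIBRESSL_VERSION_NUMBER, so HAProxy's guard wrongly disables it for QUIC; clients that negotiate ChaCha20 then fail (curl: "Weird server reply"). Drop once LibreSSL 4.0 is in the tree.` states cause, symptom and lifetime in one place. The upstream `/* WT: ... */` comment that follows now describes a condition the port no longer checks, which is acceptable for a patch that is meant to be temporary.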
blob - 16e125964bb7859239dcd70c42d51055fa8d313e
blob + 80afa917bba6891b62364c489a3583bd15a841e4
--- net/haproxy/pkg/PLIST
+++ net/haproxy/pkg/PLIST
@@ -1,10 +1,10 @@
-@newgroup _haproxy:${HAPROXYGID}
-@newuser _haproxy:${HAPROXYUID}:_haproxy::HAProxy 
Daemon:/var/haproxy:/sbin/nologin
+@newgroup _haproxy:604
+@newuser _haproxy:604:_haproxy::HAProxy 
Daemon:${LOCALSTATEDIR}/haproxy:/sbin/nologin
 @rcscript ${RCDIR}/haproxy
 @man man/man1/haproxy.1
 @bin sbin/haproxy
-@sample ${HAPROXYCONF}/
-@sample ${HAPROXYSTATE}/
+@sample ${SYSCONFDIR}/haproxy/
+@sample ${LOCALSTATEDIR}/haproxy/
 share/doc/haproxy/
 share/doc/haproxy/51Degrees-device-detection.txt
 share/doc/haproxy/DeviceAtlas-device-detection.txt
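Review bot: The `@newuser` line now sets the home directory to `${LOCALSTATEDIR}/haproxy` while the sample config in this same diff still hardcodes `chroot /var/haproxy`; on OpenBSD these coincide by default, but if they ever differ the daemon would fail to chroot at startup and the `@sample` directory would be created somewhere the config does not point at. Either keep the literal `/var/haproxy` here for consistency with files/haproxy.cfg, or substitute the path into the config as well. Replacing the former HAPROXYUID/HAPROXYGID variables with a literal `604` is fine, but the value now appears in both the `@newgroup` and `@newuser` lines and must be kept in sync by hand.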
@@ -29,7 +29,7 @@ share/examples/haproxy/
 share/examples/haproxy/basic-config-edge.cfg
 share/examples/haproxy/content-sw-sample.cfg
 share/examples/haproxy/haproxy.cfg
-@sample ${HAPROXYCONF}/haproxy.cfg
+@sample ${SYSCONFDIR}/haproxy/haproxy.cfg
 share/examples/haproxy/option-http_proxy.cfg
 share/examples/haproxy/quick-test.cfg
 share/examples/haproxy/socks4.cfg
blob - a12dbcca94f88c66db215d8691031ece620e5dfb
blob + 7552730c88bf774e6cf73e3503887d62b69f5fea
--- net/haproxy/pkg/haproxy.rc
+++ net/haproxy/pkg/haproxy.rc
@@ -1,7 +1,7 @@
 #!/bin/ksh
 
 daemon="${TRUEPREFIX}/sbin/haproxy"
-daemon_flags="-f ${HAPROXYCONF}/haproxy.cfg"
+daemon_flags="-f ${SYSCONFDIR}/haproxy/haproxy.cfg"
 
 . /etc/rc.d/rc.subr
 
