Re: Buffer limits when adding a large number of CA certs into one ca-file via socket

2022-08-17 Thread Lais, Alexander
Dear William,

Thank you. We will adjust our planning accordingly.

Kind regards,
Alex

> On 16. Aug 2022, at 15:24, William Lallemand  wrote:
> 
> On Tue, Aug 16, 2022 at 11:16:43AM +, Lais, Alexander wrote:
>> Hi William,
>> 
>> Thank you! I figured you were on holidays. A lot of our team are as well.
>> 
>> Do you see this being backported to 2.5 / 2.6 (LTS) as well?
> 
> Unfortunately we usually don't backport this kind of features as this is
> an API change and could break things.
> The stable branches are meant to be maintenance only.
> 
> Also it will probably need some adjustments and new keywords to remove a
> specific index in the file and that kind of thing.
> 
> -- 
> William Lallemand




Re: Buffer limits when adding a large number of CA certs into one ca-file via socket

2022-08-16 Thread William Lallemand
On Tue, Aug 16, 2022 at 11:16:43AM +, Lais, Alexander wrote:
> Hi William,
> 
> Thank you! I figured you were on holidays. A lot of our team are as well.
> 
> Do you see this being backported to 2.5 / 2.6 (LTS) as well?

Unfortunately we usually don't backport this kind of features as this is
an API change and could break things.
The stable branches are meant to be maintenance only.

Also it will probably need some adjustments and new keywords to remove a
specific index in the file and that kind of thing.

-- 
William Lallemand



Re: Buffer limits when adding a large number of CA certs into one ca-file via socket

2022-08-16 Thread Lais, Alexander
Hi William,

Thank you! I figured you were on holidays. A lot of our team are as well.

Do you see this being backported to 2.5 / 2.6 (LTS) as well?

Thanks and kind regards,
Alex

> On 16. Aug 2022, at 11:07, William Lallemand  wrote:
> 
> On Thu, Aug 04, 2022 at 11:57:16AM +, Lais, Alexander wrote:
>> Hi William,
>> 
>> thanks again for the PoC you referenced in the GitHub issue.
>> This would solve the use case for us and would fix the ca-cert editing / 
>> updating feature introduced in HAProxy 2.5.
>> 
>> Can we support further with the development, be it with code or testing, to 
>> get from this PoC to a full fix in one of the next release streams?
>> 
>> Thanks and kind regards,
>> Alex
>> 
> Hello Alex,
> 
> Sorry for the late reply, I was on vacation for a few days.
> 
> I'm going to finish the development and tests for the feature so this
> could be integrated for the next 2.7 major version.
> 
> Regards,
> 
> -- 
> William Lallemand




Re: Buffer limits when adding a large number of CA certs into one ca-file via socket

2022-08-16 Thread William Lallemand
On Thu, Aug 04, 2022 at 11:57:16AM +, Lais, Alexander wrote:
> Hi William,
> 
> thanks again for the PoC you referenced in the GitHub issue.
> This would solve the use case for us and would fix the ca-cert editing / 
> updating feature introduced in HAProxy 2.5.
> 
> Can we support further with the development, be it with code or testing, to 
> get from this PoC to a full fix in one of the next release streams?
> 
> Thanks and kind regards,
> Alex
> 
Hello Alex,

Sorry for the late reply, I was on vacation for a few days.

I'm going to finish the development and tests for the feature so this
could be integrated for the next 2.7 major version.

Regards,

-- 
William Lallemand



Re: Buffer limits when adding a large number of CA certs into one ca-file via socket

2022-07-29 Thread William Lallemand



On Tue, Jul 26, 2022 at 03:04:41PM +, Lais, Alexander wrote:
> Dear all,
> 
> We are now using the new feature of adding CA files dynamically via the stats 
> / admin socket.
> 
> Assuming that the CA file does not exist yet, our understanding is that we:
> 
> 1. Create a CA file (new ssl ca-file customer-cas.pem)
> 
> 2. Set the content of the CA file with payload notation;
> "set ssl ca-file customer-cas.pem <<\n[a bunch of PEM blocks]\n"
> 
> 3. Commit the CA file (commit ssl ca-file customer-cas.pem)
> 
> In step 2 we are reaching the limit of the global buffer size (defined via 
> tune.bufsize, ours is tuned to ca. 71k, allowing for a comfortable 64k of 
> headers).
> Some of the CA files that we want to add are larger than this buffer and are 
> not properly processed by the CLI.
> 
> It is understandable that the CLI socket needs some buffer and that this 
> buffer is limited.
> That said, reading the CA files data from disk does not pose any 
> (perceivable) size limit. We recently implemented a dynamic update to avoid 
> having to reload the HAProxy process whenever there was a change, and ran 
> into this issue.
> 
> We’ve added a feature request on GitHub: 
> https://github.com/haproxy/haproxy/issues/1805
> 
> This e-mail is to ask whether maybe we have overlooked something in terms of 
> configuration possibilities, either for the socket or on how to use the CLI 
> for creating ca-files?
> 

You are indeed reaching a limitation of the current system, I'll reply
directly on your feature request.

Thanks,

-- 
William Lallemand
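The three-step sequence Alexander describes (new ssl ca-file, set ssl ca-file with payload notation, commit ssl ca-file), driven from a shell script that measures the full "set" command against tune.bufsize before writing it to the socket, so an oversized bundle is refused up front rather than silently mis-processed by the CLI. This is an added example, not code from the thread or from the HAProxy project. It assumes socat is installed, that the admin socket path is passed in, that tune.bufsize is passed in explicitly (HAProxy's default is 16384 bytes), and that the payload is terminated by an empty line as in the "<<\n...\n" notation quoted above; the exact overhead HAProxy needs inside the buffer is not stated in the thread, so the size check is an approximate pre-check. The sample bundle is constructed for offline use and contains placeholder blocks, not real certificates.

```shell
#!/bin/sh
# Added example (not from this thread or the HAProxy project): push a CA
# bundle through the stats socket with new / set <<payload / commit, refusing
# to send a "set ssl ca-file" payload that cannot fit into the CLI buffer.
# Assumptions: socat is installed; the admin socket path and tune.bufsize are
# given as arguments; the payload ends with an empty line.

# Emit the complete "set ssl ca-file" command, payload notation included.
# $1 = ca-file name as known to HAProxy, $2 = path to the PEM bundle on disk
build_set_payload() {
    printf 'set ssl ca-file %s <<\n' "$1"
    cat "$2"
    printf '\n'            # empty line terminates the payload
}

# Byte size of the full command text as it would be written to the socket.
payload_size() {
    build_set_payload "$1" "$2" | wc -c | tr -d ' '
}

# Exit 0 only if the command text is strictly smaller than the buffer size.
# The thread does not state HAProxy's exact per-buffer overhead, so treat
# this as an approximate pre-check rather than a guarantee of acceptance.
# $3 = tune.bufsize in bytes (HAProxy's default is 16384)
payload_fits() {
    [ "$(payload_size "$1" "$2")" -lt "$3" ]
}

# Number of certificates in a bundle, for logging what was pushed.
count_pem_blocks() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Send one CLI command (read from stdin) to the admin socket. $1 = socket path
cli() {
    socat stdio "unix-connect:$1"
}

# Full procedure: create, set, commit.
# $1 = ca-file name, $2 = PEM path, $3 = tune.bufsize, $4 = admin socket path
push_ca_file() {
    if ! payload_fits "$1" "$2" "$3"; then
        echo "refusing $2: $(payload_size "$1" "$2") bytes is not below tune.bufsize $3" >&2
        return 1
    fi
    printf 'new ssl ca-file %s\n' "$1"    | cli "$4"
    build_set_payload "$1" "$2"           | cli "$4"
    printf 'commit ssl ca-file %s\n' "$1" | cli "$4"
    echo "pushed $(count_pem_blocks "$2") certificate(s) as $1" >&2
}

# Constructed sample bundle for offline use: the blocks are placeholders,
# not real certificates. Prints the path of the temporary file.
make_sample_bundle() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64CONSTRUCTEDFORTHEEXAMPLE0001
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64CONSTRUCTEDFORTHEEXAMPLE0002
-----END CERTIFICATE-----
EOF
    echo "$f"
}

# Usage (socket path and bufsize are assumptions for the example):
#   sh push-ca.sh customer-cas.pem /path/bundle.pem 71680 /var/run/haproxy.sock
if [ "$#" -eq 4 ]; then
    push_ca_file "$1" "$2" "$3" "$4"
fi
```

Because the full command text (command line, PEM blocks and terminator) is what has to fit into the buffer, the check measures that text rather than the PEM file alone; a bundle that is refused here is the case the thread describes, and splitting it across several ca-files is the only workaround available before the 2.7 feature lands.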