Re: [PATCH] support Openssl 1.1.1 early callback API for HS
Hi Willy,

> On 5 Sept. 2017 at 10:11, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Mon, Sep 04, 2017 at 04:39:45PM +0200, Emmanuel Hocdet wrote:
>> Hi Emeric, Christopher,
>>
>> If you can review when you have time. (3) for Christopher.
>>
>> These patches allow support of native multicert selection (RSA/ECDSA) and
>> ssl-min-ver/ssl-max-ver per certificate with openssl 1.1.1 (boringssl is the only
>> one to support this until this patch).
>>
>> patches:
>> 1) Convert BoringSSL api call (CBS) to ssl-lib independent code.
>> This is the biggest part and only depends on BoringSSL build (until 2).
>>
>> 2) support openssl 1.1.1 early callback API. It mimics BoringSSL api, and this
>> is good news (small patch).
>>
>> Do we want to push code for openssl 1.1.1 (dev) in haproxy (dev) now?
>
> I suspect it will be mandatory in order to support TLS early-data (0-RTT).
> So I think it will be nice to have it before the release. However given that
> both Christopher and Emeric are heavily loaded on the multi-threading part,
> I suggest that we postpone the patchset review until the multi-thread stuff
> gets merged. As you say, the patch is small so it will be easy to review and
> apply, and/or revert in case of issues so it's not a big deal to merge it
> late in the cycle.

It will be mandatory to avoid unexpected behavior (see notes in the openssl 1.1.1 API doc), as I noticed with boringssl before implementing the early callback. And yes, early-data should need it and will work per certificate (I already tested it with boringssl).

Encouraging Emeric and Christopher for the multithreading part!

++
Manu
AWS ELB with HA proxy showing 5XX errors
I want to ensure that if there is any IP change of the AWS ELB it does not give any 5XX or 503 errors or affect the production site. To solve this, the following configuration changes were made in haproxy.cfg. Please advise if any change is required in the following configuration. Does it require two nameservers, or is one fine? If it requires two nameservers, then which ones are advisable? I want to ensure that if there is any IP change of the ELB it detects it immediately and sends the traffic to the ELB.

    resolvers myresolver
        nameserver dns1 8.8.8.8:53
        resolve_retries 3
        timeout retry 1s
        hold valid 10s

    backend mybackend
        server server1 internal-testinelbtomcat-193184.ap-southeast-1.elb.amazonaws.com:8080 check resolvers myresolver

I have some queries as well. Will the above configuration slow down request-response or site performance?
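A fuller version of the same resolvers setup, added here as an example and not taken from the post above: it keeps the poster's ELB hostname and Google nameserver, adds a second nameserver (the 10.0.0.2 address is a placeholder for a VPC resolver, not a value from the post) and spells out the hold timers so the last good address is kept while the name is re-queried.

```haproxy
resolvers myresolver
    # Two nameservers: if the first is unreachable the second still answers.
    # 10.0.0.2 is a placeholder; use the VPC resolver address of the deployment.
    nameserver dns1 8.8.8.8:53
    nameserver dns2 10.0.0.2:53
    resolve_retries 3
    timeout retry   1s
    # Keep a valid answer for 10s before querying again, and keep the last
    # known address for 30s on NXDOMAIN or other failures instead of
    # dropping the server as soon as one lookup fails.
    hold valid      10s
    hold nx         30s
    hold other      30s

backend mybackend
    # Resolve the ELB name at startup from the state file if one is loaded,
    # then via libc, and otherwise start without an address rather than
    # refusing to start; at runtime the resolvers section tracks the name
    # alongside the health checks and prefers the IPv4 answer.
    server server1 internal-testinelbtomcat-193184.ap-southeast-1.elb.amazonaws.com:8080 check inter 2s resolvers myresolver resolve-prefer ipv4 init-addr last,libc,none
```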
Re: regression with patch 19e8aa58 "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"
On Wed, Sep 06, 2017 at 01:10:26PM +0200, Emmanuel Hocdet wrote:
> Hi,
>
> server configuration now breaks with:
>
> cfg sample:
> listen tls
> [...]
> server bla 127.0.0.1:8080
>
> [ALERT] 248/130258 (21960) : parsing [/etc/haproxy/test.cfg:53] : 'server
> bla' : no method found to resolve address '(null)'
> [ALERT] 248/130258 (21960) : Failed to initialize server(s) addr.

Thanks Manu. I think that after 1.8 we'll declare it illegal to introduce new bugs. Surely this will help... oh well, it may prevent me from approaching the keyboard :-/

Nenad, could you please have a look, since it was meant to fix another issue ?

Thanks,
Willy
Re: regression with patch 19e8aa58 "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"
Hello Willy,

On 9/6/2017 2:03 PM, Willy Tarreau wrote:
> On Wed, Sep 06, 2017 at 01:10:26PM +0200, Emmanuel Hocdet wrote:
>> Hi,
>>
>> server configuration now breaks with:
>>
>> cfg sample:
>> listen tls
>> [...]
>> server bla 127.0.0.1:8080
>>
>> [ALERT] 248/130258 (21960) : parsing [/etc/haproxy/test.cfg:53] : 'server
>> bla' : no method found to resolve address '(null)'
>> [ALERT] 248/130258 (21960) : Failed to initialize server(s) addr.
>
> Thanks Manu. I think that after 1.8 we'll declare it illegal to introduce new bugs. Surely this will help... oh well, it may prevent me from approaching the keyboard :-/
>
> Nenad, could you please have a look, since it was meant to fix another issue ?

Can you please revert this patch? It's not a good way to fix the issue we were experiencing before. It will need a bigger rewrite, because the logic in srv_iterate_initaddr needs to be changed.

Thanks,
nenad

> Thanks,
> Willy
regression with patch 19e8aa58 "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"
Hi,

server configuration now breaks with:

cfg sample:
listen tls
[...]
server bla 127.0.0.1:8080

[ALERT] 248/130258 (21960) : parsing [/etc/haproxy/test.cfg:53] : 'server bla' : no method found to resolve address '(null)'
[ALERT] 248/130258 (21960) : Failed to initialize server(s) addr.

++
Manu
Re: regression with patch 19e8aa58 "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"
On Wed, Sep 06, 2017 at 02:16:34PM +0200, Nenad Merdanovic wrote:
> Can you please revert this patch? It's not a good way to fix the issue we
> were experiencing before. It will need a bigger rewrite, because the logic
> in srv_iterate_initaddr needs to be changed.

OK now done. Thanks for your fast response.

Willy