Re: Seamless reloads: file descriptors utilization in LUA

2019-01-20 Thread Wert
Hi, I'm talking only about performance ways) About socket. I use UDP for sending, there are no reasons for delays. However, my bad - I misunderstood some FDs in "lsof". It is not related to that UDP-sending, that is OK. About file system. I open file from disk for GeoIP, but finally it cached

Re: [PATCH] MINOR: startup: certain goto paths in init_pollers fail to free

2019-01-20 Thread Willy Tarreau
On Mon, Jan 21, 2019 at 04:39:53AM +0100, Willy Tarreau wrote: > Hi, > > On Thu, Jan 17, 2019 at 08:21:39AM +, Uman Shahzad wrote: > > If we fail to initialize pollers due to fdtab/fdinfo/polled_mask > > not getting allocated, we free any of those that were allocated > > and exit. However the

Re: [PATCH] MINOR: startup: certain goto paths in init_pollers fail to free

2019-01-20 Thread Willy Tarreau
Hi, On Thu, Jan 17, 2019 at 08:21:39AM +, Uman Shahzad wrote: > If we fail to initialize pollers due to fdtab/fdinfo/polled_mask > not getting allocated, we free any of those that were allocated > and exit. However the ordering was incorrect, and there was an old > unused and unreachable

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-20 Thread Willy Tarreau
On Sun, Jan 20, 2019 at 03:08:23PM -0800, Adam Langley wrote: > On Sun, Jan 20, 2019 at 2:41 PM Willy Tarreau wrote: > > Just out of curiosity, if such out-of-band messages are enabled again in > > 1.3, do you think this might have any particular impacts on something like > > kTLS where the TLS

Re: [PATCH] MINOR: startup: certain goto paths in init_pollers fail to free

2019-01-20 Thread Uman Shahzad
Hi, can someone check this one out? Is there something wrong with it? On Thu, Jan 17, 2019, at 13:21, Uman Shahzad wrote: > If we fail to initialize pollers due to fdtab/fdinfo/polled_mask > not getting allocated, we free any of those that were allocated > and exit. However the ordering was

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-20 Thread Aleksandar Lazic
Thank you for clarification. Regard Aleks Urspr√ľngliche Nachricht Von: Adam Langley Gesendet: 21. J√§nner 2019 00:12:59 MEZ An: Aleksandar Lazic CC: haproxy@formilux.org, Willy Tarreau , eb...@haproxy.com Betreff: Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-20 Thread Adam Langley
On Sun, Jan 20, 2019 at 3:04 PM Aleksandar Lazic wrote: > which refers to > https://www.openssl.org/docs/manmaster/man3/SSL_key_update.html > > instead of the suggested Patch? The SSL_key_update function enqueues a KeyUpdate message to be sent. The problem is that if a /client/ of HAProxy

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-20 Thread Adam Langley
On Sun, Jan 20, 2019 at 2:41 PM Willy Tarreau wrote: > Just out of curiosity, if such out-of-band messages are enabled again in > 1.3, do you think this might have any particular impacts on something like > kTLS where the TLS stream is deciphered by the kernel ? I don't know how > such messages

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-20 Thread Aleksandar Lazic
Hi. As far as I understood the keyupdate https://tools.ietf.org/html/rfc8446 4.6.3 which you refer proper isn't it also a option to use https://wiki.openssl.org/index.php/TLS1.3#Renegotiation which refers to https://www.openssl.org/docs/manmaster/man3/SSL_key_update.html instead of the

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-20 Thread Willy Tarreau
Hi Adam, [ccing Emeric] On Sun, Jan 20, 2019 at 01:12:44PM -0800, Adam Langley wrote: > KeyUpdate messages are a feature of TLS 1.3 that allows the symmetric > keys of a connection to be periodically rotated. It's > mandatory-to-implement in TLS 1.3, but not mandatory to use. Google > Chrome

HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-20 Thread Adam Langley
KeyUpdate messages are a feature of TLS 1.3 that allows the symmetric keys of a connection to be periodically rotated. It's mandatory-to-implement in TLS 1.3, but not mandatory to use. Google Chrome tried enabling KeyUpdate and promptly broke several sites, at least some of which are using