Re: H2 Server Connection Resets (1.9.2)

2019-01-22 Thread Willy Tarreau
Hi Luke, I've place an nginx instance after my local haproxy dev config, and found something which might explain what you're observing : the process apparently leaks FDs and fails once in a while, causing 500 to be returned : 2019/01/23 08:22:13 [crit] 25508#0: *36705 open()

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Willy Tarreau
Hi Dirkjan, On Tue, Jan 22, 2019 at 11:07:07PM -0800, Dirkjan Bussink wrote: > I have adjusted the patch to make it more robust and more match the style of > how we use other options. How does this look to you? Unfortunately it does introduce the problem I feared for BoringSSL : +#if

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Dirkjan Bussink
Hi Willy, > On 22 Jan 2019, at 07:07, Willy Tarreau wrote: > > Hi guys, > > On Tue, Jan 22, 2019 at 03:22:38PM +0100, Emeric Brun wrote: >> I think you can merge this. > > OK. I still find it very fragile in that we usually don't make a > difference between an absent define and the same

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread PiBa-NL
Hi Aleksandar, Just FYI. Op 22-1-2019 om 22:08 schreef Aleksandar Lazic: But this could be a know bug and is fixed in the current git - ## Starting vtest ## Testing with haproxy version: 1.9.2 #top TEST

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
Am 22.01.2019 um 21:45 schrieb Adam Langley: > On Tue, Jan 22, 2019 at 12:13 PM Aleksandar Lazic wrote: >> Sorry for my dump question, I just want to be save not to break something. >> >> It would be nice to have the option '-key-update' in client.cc and server.cc >> where can I put this feature

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
Tim. Am 22.01.2019 um 20:57 schrieb Tim Düsterhus: > Aleks, > > Am 22.01.19 um 20:50 schrieb Aleksandar Lazic: >> This means that the function in haproxy works but the check should be >> adopted to >> match both cases, right? > > At least one should investigate what exactly is happening here

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Adam Langley
On Tue, Jan 22, 2019 at 12:13 PM Aleksandar Lazic wrote: > Sorry for my dump question, I just want to be save not to break something. > > It would be nice to have the option '-key-update' in client.cc and server.cc > where can I put this feature request for boringssl? > > That would be make the

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
Am 22.01.2019 um 20:54 schrieb Adam Langley: > On Tue, Jan 22, 2019 at 11:45 AM Aleksandar Lazic wrote: >> Can it be reused to test a specific server like? >> >> ssl/test/runner/runner -test "KeyUpdate-ToServer" 127.0.0.1:8443 > > Not easily: it drives the implementation under test by forking a

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Tim Düsterhus
Aleks, Am 22.01.19 um 20:50 schrieb Aleksandar Lazic: > This means that the function in haproxy works but the check should be adopted > to > match both cases, right? At least one should investigate what exactly is happening here (the differences between the libc is a guess) and possibly file a

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Adam Langley
On Tue, Jan 22, 2019 at 11:45 AM Aleksandar Lazic wrote: > Can it be reused to test a specific server like? > > ssl/test/runner/runner -test "KeyUpdate-ToServer" 127.0.0.1:8443 Not easily: it drives the implementation under test by forking a process and has quite a complex interface via

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
Tim. Am 22.01.2019 um 20:26 schrieb Tim Düsterhus: > Aleks, > > Am 22.01.19 um 19:38 schrieb Aleksandar Lazic: >> ## test results in: >> "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.76167f9e" >> s10.0 EXPECT req.http.test3maskff (2001:db8:c001:c01a:::10:0) == >>

Re: Automatic Redirect transformations using regex?

2019-01-22 Thread Bruno Henc
Hello Joao Guimaraes, The following lines should accomplish what you described in your email:     acl is_main_site hdr(Host) -i www.mysite.com mysite.com     http-request set-var(req.scheme) str(https) if { ssl_fc }     http-request set-var(req.scheme) str(http) if !{ ssl_fc }    

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
Am 22.01.2019 um 20:30 schrieb Adam Langley: > On Tue, Jan 22, 2019 at 11:16 AM Aleksandar Lazic wrote: >> Agree that I get a 400 with this command. >> >> `echo 'K' | ./tool/bssl s_client -connect mail.google.com:443` > > (Note that "K" on its own line does not send a KeyUpdate message with >

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Adam Langley
On Tue, Jan 22, 2019 at 11:16 AM Aleksandar Lazic wrote: > Agree that I get a 400 with this command. > > `echo 'K' | ./tool/bssl s_client -connect mail.google.com:443` (Note that "K" on its own line does not send a KeyUpdate message with BoringSSL's bssl tool. It just sends "K\n".) > How does

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Tim Düsterhus
Aleks, Am 22.01.19 um 19:38 schrieb Aleksandar Lazic: > ## test results in: > "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.76167f9e" > s10.0 EXPECT req.http.test3maskff (2001:db8:c001:c01a:::10:0) == > "2001:db8:c001:c01a:0::10:0" failed The difference here is that the

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
Am 22.01.2019 um 20:04 schrieb Adam Langley: > On Tue, Jan 22, 2019 at 10:54 AM Aleksandar Lazic wrote: >> Do have boringssl a similar tool like s_client? > > BoringSSL builds tool/bssl (in the build directory), which is similar. > However it doesn't have any magic inputs that can trigger a

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Adam Langley
On Tue, Jan 22, 2019 at 10:54 AM Aleksandar Lazic wrote: > Do have boringssl a similar tool like s_client? BoringSSL builds tool/bssl (in the build directory), which is similar. However it doesn't have any magic inputs that can trigger a KeyUpdate message like OpenSSL's s_client. Cheers AGL

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
Am 22.01.2019 um 19:54 schrieb Aleksandar Lazic: > Cool, thanks. > > Do have boringssl a similar tool like s_client? > > I don't like to build openssl just for s_client call :-) Answer my own question. bssl is the boringssl tool command. The open question is why the tests fails in container?

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
Cool, thanks. Do have boringssl a similar tool like s_client? I don't like to build openssl just for s_client call :-) Regards Aleks Ursprüngliche Nachricht Von: Janusz Dziemidowicz Gesendet: 22. Jänner 2019 19:49:15 MEZ An: Aleksandar Lazic CC: HAProxy Betreff: Re:

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Janusz Dziemidowicz
wt., 22 sty 2019 o 19:40 Aleksandar Lazic napisał(a): > > Hi. > > I have now build haproxy with boringssl and it looks quite good. > > Is it the recommended way to simply make a git clone without any branch or > tag? > Does anyone know how the KeyUpdate can be tested? openssl s_client -connect

haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
Hi. I have now build haproxy with boringssl and it looks quite good. Is it the recommended way to simply make a git clone without any branch or tag? Does anyone know how the KeyUpdate can be tested? ### HA-Proxy version 1.9.2 2019/01/16 - https://haproxy.org/ Build options : TARGET =

Re: Automatic Redirect transformations using regex?

2019-01-22 Thread Aleksandar Lazic
Am 21.01.2019 um 23:40 schrieb Joao Guimaraes: > Hi Haproxy team! > > I've been trying to figure out how to perform automatic redirects based on > source URL transformations.  > > *Basically I need the following redirect: * > > mysite.*abc* redirected to *abc*.mysite.com . Maybe you can

Re: H2 Server Connection Resets (1.9.2)

2019-01-22 Thread Luke Seelenbinder
Hi Aleksandar, Thanks for your tips. > Do you have such a info in the nginx log? > > "http2 flood detected" I did not find this in any of the logs from when the buggy configuration was deployed. > Can you try to set some timeout values for`timeout http-keep-alive` I do have this set

Re: H2 Server Connection Resets (1.9.2)

2019-01-22 Thread Willy Tarreau
On Tue, Jan 22, 2019 at 02:57:23PM +, Luke Seelenbinder wrote: > There is a strong correlation between client connections canceling requests > (resulting in a HTTP log string of CD--) and then a whole string of requests > immediately after resulting in server connection resets (resulting in

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Willy Tarreau
Hi guys, On Tue, Jan 22, 2019 at 03:22:38PM +0100, Emeric Brun wrote: > I think you can merge this. OK. I still find it very fragile in that we usually don't make a difference between an absent define and the same declared as zero, and most SSL_OP_* entries are defined this way in ssl_sock.c,

Re: H2 Server Connection Resets (1.9.2)

2019-01-22 Thread Luke Seelenbinder
Hi Willy, I just confirmed the other patchset works, so I will start going down this road. :-) While testing the other issue, I discovered something fascinating. Our application is typically used by clients that cancel requests with reasonable frequency (5+%). When zooming in and out of maps

Re: HTX & tune.maxrewrite [1.9.2]

2019-01-22 Thread Luke Seelenbinder
Hi Christopher, I can confirm the patches fixed the issue. Thanks again for fixing this up! Best, Luke — Luke Seelenbinder Stadia Maps | Founder stadiamaps.com ‐‐‐ Original Message ‐‐‐ On Monday, January 21, 2019 2:07 PM, Christopher Faulet wrote: > Le 18/01/2019 à 14:23, Luke

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Emeric Brun
Hi Willy, On 1/21/19 6:38 PM, Dirkjan Bussink wrote: > Hi Emeric, > >> On 21 Jan 2019, at 08:06, Emeric Brun wrote: >> >> Interesting, it would be good to skip the check using the same method. >> >> We must stay careful to not put the OP_NO_RENEG flag on the client part >> (when haproxy

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Emeric Brun
Hi Willy, On 1/21/19 6:38 PM, Dirkjan Bussink wrote: > Hi Emeric, > >> On 21 Jan 2019, at 08:06, Emeric Brun wrote: >> >> Interesting, it would be good to skip the check using the same method. >> >> We must stay careful to not put the OP_NO_RENEG flag on the client part >> (when haproxy

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Emmanuel Hocdet
> Le 21 janv. 2019 à 19:31, Adam Langley a écrit : > > On Mon, Jan 21, 2019 at 10:16 AM Dirkjan Bussink wrote: >> Ah ok, I recently added support in HAProxy to handle the new >> SSL_CTX_set_ciphersuites option since OpenSSL handles setting TLS 1.3 >> ciphers separate from the regular ones.

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Emmanuel Hocdet
> Le 21 janv. 2019 à 19:07, Dirkjan Bussink a écrit : > > Hi Manu, > >> On 21 Jan 2019, at 09:49, Emmanuel Hocdet wrote: >> >> Boringssl does not have SSL_OP_NO_RENEGOTIATION and need KeyUpdate to work. >> As workaround, SSL_OP_NO_RENEGOTIATION could be set to 0 in openssl-compat.h. > >

Re: H2 Server Connection Resets (1.9.2)

2019-01-22 Thread Willy Tarreau
On Tue, Jan 22, 2019 at 09:42:53AM +, Luke Seelenbinder wrote: > Hi Willy, Aleks, > > I will try the things suggested this afternoon (hopefully) or tomorrow and > get back to you. > > > At least if nginx does this it should send a GOAWAY > > frame indicating that it will stop after stream

Re: H2 Server Connection Resets (1.9.2)

2019-01-22 Thread Luke Seelenbinder
Hi Willy, Aleks, I will try the things suggested this afternoon (hopefully) or tomorrow and get back to you. > At least if nginx does this it should send a GOAWAY > frame indicating that it will stop after stream #2001. That's my understanding as well (and the docs say as much). I assumed

Re: Some test case for HTTP/2 failed, are those bugs?

2019-01-22 Thread Willy Tarreau
On Tue, Jan 22, 2019 at 09:32:22AM +0100, Lukas Tribus wrote: > Hello, > > > On Tue, 22 Jan 2019 at 03:04, ??? wrote: > > > > Dear willy: > > > > I am a follower of haproxy. I tested HTTP/2 fuction in haproxy_1.8.17 > > with the tool h2spec, but some test cases failed. I wonder if those

Re: H2 Server Connection Resets (1.9.2)

2019-01-22 Thread Willy Tarreau
Hi Luke, On Mon, Jan 21, 2019 at 09:30:39AM +, Luke Seelenbinder wrote: > After enabling h2 backends (technically `server ... alpn h2,http/1.1`), we > began seeing a high number of backend /server/ connection resets. A > reasonable number of client-side connection resets due to timeouts,

Re: Some test case for HTTP/2 failed, are those bugs?

2019-01-22 Thread Lukas Tribus
Hello, On Tue, 22 Jan 2019 at 03:04, 高和东 wrote: > > Dear willy: > > I am a follower of haproxy. I tested HTTP/2 fuction in haproxy_1.8.17 > with the tool h2spec, but some test cases failed. I wonder if those are bugs > for haproxy. > See the tool here