Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-04-10 Thread Emmanuel Hocdet
Hi, Updated patch series: Fix OpenSSL < 1.0.2 compatibility. More generic key for issuers ebtree. ++ Manu 0001-REORG-ssl-promote-cert_key_and_chain-handling.patch Description: Binary data 0002-MINOR-ssl-use-STACK_OF-for-chain-certs.patch Description: Binary data

Re: Abort on exit "libgcc_s.so.1 must be installed for pthread_cancel to work"

2019-04-10 Thread Emmanuel Hocdet
> On 5 Apr 2019 at 13:05, William Lallemand wrote: > > On Fri, Apr 05, 2019 at 12:55:11PM +0200, Emmanuel Hocdet wrote: >> >> Hi, >> >> To test deinit, I came across this: >> >> # /srv/sources/haproxy/haproxy -f /etc/haproxy/ssl.cfg -d -x

[PATCH] MINOR: ssl: Activate aes_gcm_dec converter for BoringSSL

2019-04-10 Thread Emmanuel Hocdet
Hi, If you can consider this patch. BoringSSL actually mimics OpenSSL 1.1.0 and has OPENSSL_VERSION_NUMBER set accordingly. ++ Manu 0001-MINOR-ssl-Activate-aes_gcm_dec-converter-for-BoringS.patch Description: Binary data

Re: [ANNOUNCE] haproxy-1.9.6

2019-04-09 Thread Emmanuel Hocdet
> On 9 Apr 2019 at 09:58, Aleksandar Lazic wrote: > > Hi Manu. > > On 05.04.2019 at 12:36, Emmanuel Hocdet wrote: >> Hi Aleks, >> >> Thank you for having integrated BoringSSL! >> >>> On 29 Mar 2019 at 14:51, Aleksandar Lazic >> <

Abort on exit "libgcc_s.so.1 must be installed for pthread_cancel to work"

2019-04-05 Thread Emmanuel Hocdet
Hi, To test deinit, I came across this: # /srv/sources/haproxy/haproxy -f /etc/haproxy/ssl.cfg -d -x /run/haproxy_ssl.sock -sf 15716 log on 15716 process: Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test

Re: [ANNOUNCE] haproxy-1.9.6

2019-04-05 Thread Emmanuel Hocdet
Hi Aleks, Thank you for having integrated BoringSSL! > On 29 Mar 2019 at 14:51, Aleksandar Lazic wrote: > > On 29.03.2019 at 14:25, Willy Tarreau wrote: >> Hi Aleks, >> >> On Fri, Mar 29, 2019 at 02:09:28PM +0100, Aleksandar Lazic wrote: >>> With openssl 2 tests failed but I'm not sure

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Emmanuel Hocdet
> On 21 Jan 2019 at 19:31, Adam Langley wrote: > > On Mon, Jan 21, 2019 at 10:16 AM Dirkjan Bussink wrote: >> Ah ok, I recently added support in HAProxy to handle the new >> SSL_CTX_set_ciphersuites option since OpenSSL handles setting TLS 1.3 >> ciphers separate from the regular ones.

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Emmanuel Hocdet
> On 21 Jan 2019 at 19:07, Dirkjan Bussink wrote: > > Hi Manu, > >> On 21 Jan 2019, at 09:49, Emmanuel Hocdet wrote: >> >> BoringSSL does not have SSL_OP_NO_RENEGOTIATION and needs KeyUpdate to work. >> As a workaround, SSL_OP_NO_RENEGOTIATION c

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Emmanuel Hocdet
Hi, > On 21 Jan 2019 at 17:06, Emeric Brun wrote: > > Interesting, it would be good to skip the check using the same method. > > We must stay careful to not put the OP_NO_RENEG flag on the client part (when > haproxy connects to server), because reneg from server is authorized > but i

Re: haproxy reload terminated with master/worker

2019-01-08 Thread Emmanuel Hocdet
> On 8 Jan 2019 at 15:02, William Lallemand wrote: > > On Tue, Jan 08, 2019 at 02:03:22PM +0100, Tim Düsterhus wrote: >> Emmanuel, >> >> On 08.01.19 at 13:53, Emmanuel Hocdet wrote: >>> Without master/worker, haproxy reload works with an active waiting

haproxy reload terminated with master/worker

2019-01-08 Thread Emmanuel Hocdet
Hi, Without master/worker, haproxy reload works with an active waiting (haproxy exec). With master/worker, kill -USR2 returns immediately: Is there a way to know when the reload is finished? ++ Manu

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-01-08 Thread Emmanuel Hocdet
Hi Emeric, > On 7 Jan 2019 at 18:11, Emeric Brun wrote: > > Hi Manu, > > On 1/7/19 5:59 PM, Emmanuel Hocdet wrote: >> It's better with patches… >> >>> On 7 Jan 2019 at 17:57, Emmanuel Hocdet <m...@gandi.net> wrote: >

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-01-07 Thread Emmanuel Hocdet
It's better with patches… On 7 Jan 2019 at 17:57, Emmanuel Hocdet <m...@gandi.net> wrote: Hi, Following the first patch series (included). The goal is to deduplicate common certificates in memory and in shared pem files. PATCH 7/8 is only for boringssl (directive to dedup certificate in

[PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-01-07 Thread Emmanuel Hocdet
4.2.1.2. (1)) If you want to test it, the patch series can be applied to haproxy-dev or haproxy-1.9. Feedback is welcome :) ++ Manu > On 12 Dec 2018 at 12:23, Emmanuel Hocdet wrote: > > > Hi, > > I tried to improve the haproxy loading time with a lot of certificates, and

Re: [PATCH] ssl: factoring load cert/key and chains

2018-12-12 Thread Emmanuel Hocdet
Hi Julien, > On 12 Dec 2018 at 14:28, Julien Laffaye wrote: > > > On Wed, Dec 12, 2018 at 12:24 PM Emmanuel Hocdet <m...@gandi.net> wrote: > > Hi, > > I tried to improve the haproxy loading time with a lot of certificates, and > see a double f

[PATCH] ssl: factoring load cert/key and chains

2018-12-12 Thread Emmanuel Hocdet
Hi, I tried to improve the haproxy loading time with a lot of certificates, and see a double file open for each certificate (one for the private key and one for the cert/chain). The multi-cert loading part does not have this issue and is a good candidate for sharing code: patches is this work with

Re: HTTP/3 | daniel.haxx.se

2018-11-12 Thread Emmanuel Hocdet
Hi Aleks, > On 12 Nov 2018 at 18:02, Aleksandar Lazic wrote: > > Hi Manu. > > On 12.11.2018 at 16:19, Emmanuel Hocdet wrote: >> >> Hi, >> >> The primary (major) step should be to deal with QUIC transport (over UDP). >> At the same level as

Re: HTTP/3 | daniel.haxx.se

2018-11-12 Thread Emmanuel Hocdet
Hi, The primary (major) step should be to deal with QUIC transport (over UDP). At the same level as TCP for haproxy? Willy should already have a little idea on it ;-) ++ Manu > On 11 Nov 2018 at 20:38, Aleksandar Lazic wrote: > > Hi. > > FYI. > > Oh no, that was quite fast after HTTP/2

[PATCH] MINOR: generate-certificates for BoringSSL

2018-10-03 Thread Emmanuel Hocdet
Hi, For generate-certificates, X509V3_EXT_conf is used but it's a (very) old API call: X509V3_EXT_nconf must be preferred. OpenSSL compatibility is ok because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduced 5 years after X509V3_EXT_nconf. (BoringSSL only has X509V3_EXT_nconf)

Re: New TLS proposal for SNI => ESNI

2018-09-25 Thread Emmanuel Hocdet
Hi Aleks, > On 25 Sep 2018 at 08:05, Aleksandar Lazic wrote: > > Hi. > > Has anyone seen this? > > https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https > > It looks very interesting for higher privacy. > Yep. Also

Re: [ANNOUNCE] haproxy-1.9-dev2

2018-09-18 Thread Emmanuel Hocdet
> On 18 Sep 2018 at 11:54, Lukas Tribus wrote: > > Hi Manu, > > > On Fri, 14 Sep 2018 at 15:45, Emmanuel Hocdet wrote: >> >> Hi, >> >> Quick test with 1.9-dev2, and I see latency (in seconds) to connect to >> haproxy with SSL (tcp mode)

Re: OpenSSL and per-context option problem

2018-09-17 Thread Emmanuel Hocdet
Hi Thierry, > On 15 Sep 2018 at 18:06, Thierry Fournier wrote: > > Hi, > > I tried to use per-context options, in order to enable HTTP2 for a short > list of SNI. I just add lines like this: > > /certif1.pem [alpn h2,http/1.1] my-h2-host.com > /certif2.pem my-other-host.com > >

Re: [ANNOUNCE] haproxy-1.9-dev2

2018-09-14 Thread Emmanuel Hocdet
Hi, Quick test with 1.9-dev2, and I see latency (in seconds) to connect to haproxy with SSL (tcp mode). It's ok in master with 9f9b0c6a. No time to investigate more for the moment. ++ Manu

Re: TLS 1.3 options available with OpenSSL 1.1.1

2018-09-14 Thread Emmanuel Hocdet
> On 14 Sep 2018 at 14:01, Dirkjan Bussink wrote: > > Hi all, > >> On 14 Sep 2018, at 12:18, Emmanuel Hocdet wrote: >> >> Same deal with boringssl, TLSv <= 1.2 ciphers configuration and TLSv1.3 >> ciphers are segregated. >>

Re: TLS 1.3 options available with OpenSSL 1.1.1

2018-09-14 Thread Emmanuel Hocdet
Hi Emeric, Lukas, Dirkjan > On 14 Sep 2018 at 11:12, Emeric Brun wrote: > > Hi Lukas, Dirkjan, > > On 09/13/2018 10:17 PM, Lukas Tribus wrote: >> Hello Dirkjan, >> >> >> On Thu, 13 Sep 2018 at 16:44, Dirkjan Bussink wrote: >>> So with a new API call, does that mean adding for example

[PATCH] BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1

2018-09-03 Thread Emmanuel Hocdet
Hi Lukas, Emeric This patch fixes the issue. If you can check it. Thanks Manu 0001-BUG-MEDIUM-ECC-cert-should-work-with-TLS-v1.2-and-op.patch Description: Binary data

Re: BUG: ssl: regression with openssl 1.1.1 when using <= TLSv1.2

2018-09-03 Thread Emmanuel Hocdet
Hi Lukas, > On 2 Sep 2018 at 15:31, Lukas Tribus wrote: > On Sat, 1 Sep 2018 at 20:49, Lukas Tribus wrote: >>> I've confirmed the change in behavior only happens with an ECC >>> certificate, an RSA certificate is not affected. >> >> Just to confirm that this is still an actual problem

Re: [PATCH] MINOR: ssl: BoringSSL matches OpenSSL 1.1.0

2018-07-25 Thread Emmanuel Hocdet
On 25 Jul 2018 at 10:34, Emmanuel Hocdet <m...@gandi.net> wrote: Hi Willy On 24 Jul 2018 at 18:59, Willy Tarreau <w...@1wt.eu> wrote: Hi Manu, On Mon, Jul 23, 2018 at 06:12:34PM +0200, Emmanuel Hocdet wrote: Hi Willy, This patch is necessary to build with current BoringSSL (SSL_SE

Re: [PATCH] MINOR: ssl: BoringSSL matches OpenSSL 1.1.0

2018-07-25 Thread Emmanuel Hocdet
Hi Willy > On 24 Jul 2018 at 18:59, Willy Tarreau wrote: > > Hi Manu, > > On Mon, Jul 23, 2018 at 06:12:34PM +0200, Emmanuel Hocdet wrote: >> Hi Willy, >> >> This patch is necessary to build with current BoringSSL (SSL_SESSION is now >> opaque).

[PATCH] MINOR: ssl: BoringSSL matches OpenSSL 1.1.0

2018-07-23 Thread Emmanuel Hocdet
Hi Willy, This patch is necessary to build with current BoringSSL (SSL_SESSION is now opaque). BoringSSL correctly matches OpenSSL 1.1.0 since 3b2ff028 for haproxy needs. The patch reverts part of haproxy 019f9b10 (openssl-compat.h). This will not break openssl/libressl compat. Can you consider

Re: [PATCH] Re: Random crash (segfault, double free, ...) with a mix of SSL + cipherlist hash

2018-06-19 Thread Emmanuel Hocdet
> On 18 Jun 2018 at 15:54, Thierry Fournier wrote: > > I don't know. In fact it works, so it is not a bug. But, when I use the > reservation for an ex_data slot, it returns the slot 0, and this slot is > used for the compatibility layer and can crush some data. I conclude > that is a

Re: [PATCH] Re: Random crash (segfault, double free, ...) with a mix of SSL + cipherlist hash

2018-06-18 Thread Emmanuel Hocdet
> On 18 Jun 2018 at 15:30, Thierry Fournier wrote: > > > >> On 18 Jun 2018, at 14:37, Emmanuel Hocdet wrote: >> >>> >>> On 18 Jun 2018 at 10:43, Thierry Fournier wrote: >>> >>> >>>> On 1

Re: [PATCH] Re: Random crash (segfault, double free, ...) with a mix of SSL + cipherlist hash

2018-06-18 Thread Emmanuel Hocdet
> On 18 Jun 2018 at 10:43, Thierry Fournier wrote: > > >> On 18 Jun 2018, at 10:33, Willy Tarreau wrote: >> >> On Sun, Jun 17, 2018 at 09:44:50PM +0200, thierry.fourn...@arpalert.org >> wrote: >>> Finally, I got it ! It works with luck because we have 1 bug in Haproxy >>> and 1 error

[PATCH] BUG/MEDIUM: ssl: do not store pkinfo with SSL_set_ex_data

2018-06-18 Thread Emmanuel Hocdet
> On 18 Jun 2018 at 11:49, Emmanuel Hocdet wrote: > > > Hi Thierry, Willy > >> On 18 Jun 2018 at 10:43, Thierry Fournier wrote: >> >> Yes, including the Friday :-) But I hope this patch improves stability. If >> someone >>

Re: [PATCH] Re: Random crash (segfault, double free, ...) with a mix of SSL + cipherlist hash

2018-06-18 Thread Emmanuel Hocdet
Hi Thierry, Willy > On 18 Jun 2018 at 10:43, Thierry Fournier wrote: > > >> On 18 Jun 2018, at 10:33, Willy Tarreau wrote: >> >> On Sun, Jun 17, 2018 at 09:44:50PM +0200, thierry.fourn...@arpalert.org >> wrote: >>> Finally, I got it ! It works with luck because we have 1 bug in

Re: SSL certs loading performance regression

2018-05-24 Thread Emmanuel Hocdet
> On 24 May 2018 at 09:21, Hervé Commowick wrote: > > I didn't know about the curves parameter, and I don't see a performance > regression with it. I don't really understand why this kind of parameter > can influence certs loading time. > I don't know really

Re: SSL certs loading performance regression

2018-05-23 Thread Emmanuel Hocdet
Hi Hervé, > On 22 May 2018 at 10:31, Hervé Commowick wrote: > > Hello HAProxy ML, > > I tracked down a performance regression about loading a bunch of > certificates, at least 3x to 5x more time for loading 10 certs since > this commit >

Re: Fix building haproxy 1.8.5 with LibreSSL 2.6.4

2018-04-18 Thread Emmanuel Hocdet
Hi Emeric, > On 18 Apr 2018 at 14:21, Emeric Brun <eb...@haproxy.com> wrote: > > On 04/16/2018 02:30 PM, Dmitry Sivachenko wrote: >> >>> On 07 Apr 2018, at 17:38, Emmanuel Hocdet <m...@gandi.net> wrote: >>> >>> >>> I

Re: Fix building haproxy 1.8.5 with LibreSSL 2.6.4

2018-04-07 Thread Emmanuel Hocdet
Hi Andy > On 31 Mar 2018 at 16:43, Andy Postnikov wrote: > > I used to rework the previous patch from Alpinelinux to build with the latest stable > libressl > But found no way to run tests with openssl which is the primary library as I see > Is it possible to accept the patch

[PATCH] MINOR: samples: add crc32c function

2018-03-21 Thread Emmanuel Hocdet
Hi Willy, > On 21 Mar 2018 at 05:09, Willy Tarreau <w...@1wt.eu> wrote: > > On Tue, Mar 20, 2018 at 02:40:41PM +0100, Emmanuel Hocdet wrote: >> Thank you for taking the time to review. > > OK patch now applied, thanks. Since you added a new hash algo, it could

Re: [PATCH] support CRC32c for proxy protocol v2 (send, accept)

2018-03-20 Thread Emmanuel Hocdet
Hi Willy, On 19 Mar 2018 at 12:38, Willy Tarreau <w...@1wt.eu> wrote: Hi Manu, On Mon, Feb 05, 2018 at 05:10:05PM +0100, Emmanuel Hocdet wrote: Hi, Series of patches to support CRC32c checksum in the proxy protocol v2 header (as described in "doc/proxy-protocol.txt"). add hash_crc32c fu

Re: [PATCH] support CRC32c for proxy protocol v2 (send, accept)

2018-03-02 Thread Emmanuel Hocdet
Hi Willy, Since the patches "[PATCH] proxy-v2-options ssl-cipher,cert-sig,cert-key,authority" are merged, these could be considered. ++ Manu > On 5 Feb 2018 at 17:10, Emmanuel Hocdet <m...@gandi.net> wrote: > > Hi, > > Series of patches to support CRC32c checksum t

Re: [PATCH] proxy-v2-options ssl-cipher,cert-sig,cert-key,authority

2018-03-01 Thread Emmanuel Hocdet
Hi Willy, > On 1 Mar 2018 at 07:00, Willy Tarreau wrote: > > Hi Manu, > > this series is giving me two build warnings : > > src/ssl_sock.c: In function 'ssl_sock_load_multi_cert': > src/ssl_sock.c:3143:3: warning: ISO C90 forbids mixed declarations and code >

Re: [PATCH] proxy-v2-options ssl-cipher,cert-sig,cert-key,authority

2018-02-28 Thread Emmanuel Hocdet
Hi, Updated patches with a minor fix related to null-terminated strings. > On 2 Feb 2018 at 14:44, Emmanuel Hocdet <m...@gandi.net> wrote: > > > Hi, > > Series of patches to add proxy protocol v2 options related to TLS information > (see doc/proxy-pr

[PATCH] Revert "BUG/MINOR: send-proxy-v2: string size must include ('\0')"

2018-02-28 Thread Emmanuel Hocdet
Hi, As discussed with Willy. 82913e4f must be reverted. This should be backported to 1.8. ++ Manu 0001-Revert-BUG-MINOR-send-proxy-v2-string-size-must-incl.patch Description: Binary data

Re: [PATCH] BUG/MINOR: ssl: return alpn string with NULL terminated

2018-02-27 Thread Emmanuel Hocdet
Hi Willy > On 27 Feb 2018 at 15:57, Willy Tarreau <w...@1wt.eu> wrote: > > Hi Manu, > > On Mon, Feb 26, 2018 at 12:31:13PM +0100, Emmanuel Hocdet wrote: >> >> Hi, >> >> According to openssl documentation: "SSL_get0_alpn_selected() ret

[PATCH] BUG/MINOR: ssl: return alpn string with NULL terminated

2018-02-26 Thread Emmanuel Hocdet
Hi, According to the openssl documentation: "SSL_get0_alpn_selected() returns a pointer to the selected protocol in data with length len. It is not NUL-terminated". It concerns the ssl_sock_get_alpn and smp_fetch_ssl_fc_alpn functions and impacts send-proxy-v2 with alpn. The expected get is not an array

Re: haproxy 1.8 ssl backend server leads to server session aborts

2018-02-13 Thread Emmanuel Hocdet
Hi Olivier > On 13 Feb 2018 at 15:27, Olivier Houchard wrote: > > Thanks a lot for the detailed analysis, and sorry for the late answer. > You're probably right, SSL_ERROR_SYSCALL shouldn't be treated as an > unrecoverable error. > So, what you basically did was

[PATCH] support CRC32c for proxy protocol v2 (send, accept)

2018-02-05 Thread Emmanuel Hocdet
Hi, Series of patches to support CRC32c checksum in the proxy protocol v2 header (as described in "doc/proxy-protocol.txt"). add hash_crc32c function. add "crc32c" option to proxy-v2-options. check crc32c checksum when CRC32C tlv is received. note: git format-patch is done with "[PATCH]

Re: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2

2018-02-05 Thread Emmanuel Hocdet
Hi Aleks, > On 2 Feb 2018 at 20:46, Aleksandar Lazic <al-hapr...@none.at> wrote: > > Hi Manu. > > On 02-02-2018 10:49, Emmanuel Hocdet wrote: >> Hi Aleks >>> On 1 Feb 2018 at 23:34, Aleksandar Lazic <al-hapr...@none.at> wrote: >>

[PATCH] proxy-v2-options ssl-cipher,cert-sig,cert-key,authority

2018-02-02 Thread Emmanuel Hocdet
Hi, Series of patches to add proxy protocol v2 options related to TLS information (see doc/proxy-protocol.txt). . ssl-cipher (PP2_SUBTYPE_SSL_CIPHER) . cert-sig (PP2_SUBTYPE_SSL_SIG_ALG) . cert-key (PP2_SUBTYPE_SSL_KEY_ALG) . authority (PP2_TYPE_AUTHORITY) - aka SNI ++ Manu
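The two points raised across these threads, that the ALPN value handed back by SSL_get0_alpn_selected() is (pointer, length) and not a C string, and that the PP2_TYPE_CRC32C TLV must be verified over the whole header with its own value field zeroed, are easy to get wrong on both the sending and receiving side. The following is an added example written for this page; it is not haproxy's code and does not reproduce its send-proxy-v2 implementation. It assumes the TLV type numbers from doc/proxy-protocol.txt (PP2_TYPE_ALPN 0x01, PP2_TYPE_AUTHORITY 0x02, PP2_TYPE_CRC32C 0x03), the CRC32c definition of RFC 4960 Appendix B with the value stored in network byte order, and constructed sample addresses, ports and ALPN bytes. It builds a v2 header for TCP over IPv4 carrying ALPN, AUTHORITY (SNI) and CRC32C TLVs, then validates one on the receiving side, rejecting a corrupted or truncated header and copying the ALPN value out with an explicit length rather than a NUL terminator.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define PP2_HEADER_LEN     16
#define PP2_TYPE_ALPN      0x01   /* values as listed in doc/proxy-protocol.txt */
#define PP2_TYPE_AUTHORITY 0x02
#define PP2_TYPE_CRC32C    0x03
static const unsigned char pp2_sig[12] =
    {0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A};
static const size_t pp2_addr_len[4] = {0, 12, 36, 216}; /* UNSPEC, INET, INET6, UNIX */

/* CRC32c per RFC 4960 Appendix B: reflected poly 0x82F63B78, init/final XOR 0xFFFFFFFF. */
uint32_t crc32c(const unsigned char *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Append one TLV: type, 16-bit big-endian length, value. Returns bytes written. */
static size_t put_tlv(unsigned char *out, unsigned char type, const unsigned char *val, size_t vlen)
{
    out[0] = type; out[1] = (unsigned char)(vlen >> 8); out[2] = (unsigned char)vlen;
    memcpy(out + 3, val, vlen);
    return 3 + vlen;
}

/* Sender: PROXY v2 header for TCP over IPv4 with ALPN, AUTHORITY and CRC32C TLVs.
 * ALPN is taken as (pointer, length), as SSL_get0_alpn_selected() returns it:
 * not NUL-terminated, so strlen() is never applied to it. Returns 0 if out is too small. */
size_t pp2_build(unsigned char *out, size_t outsz,
                 const unsigned char src[4], const unsigned char dst[4],
                 uint16_t sport, uint16_t dport,
                 const unsigned char *alpn, size_t alpn_len, const char *authority)
{
    size_t auth_len = strlen(authority);
    size_t need = PP2_HEADER_LEN + 12 + 3 + alpn_len + 3 + auth_len + 3 + 4;
    if (outsz < need || need - PP2_HEADER_LEN > 0xffff) return 0;
    memcpy(out, pp2_sig, 12);
    out[12] = 0x21; out[13] = 0x11;          /* v2 + PROXY; AF_INET + STREAM */
    size_t pos = PP2_HEADER_LEN;
    memcpy(out + pos, src, 4); pos += 4;
    memcpy(out + pos, dst, 4); pos += 4;
    out[pos++] = (unsigned char)(sport >> 8); out[pos++] = (unsigned char)sport;
    out[pos++] = (unsigned char)(dport >> 8); out[pos++] = (unsigned char)dport;
    pos += put_tlv(out + pos, PP2_TYPE_ALPN, alpn, alpn_len);
    pos += put_tlv(out + pos, PP2_TYPE_AUTHORITY, (const unsigned char *)authority, auth_len);
    /* Emit the checksum TLV zeroed, set the length, hash the whole header, then
     * write the CRC back in network byte order (assumed, as in doc/proxy-protocol.txt). */
    const unsigned char zero[4] = {0, 0, 0, 0}; size_t crc_at = pos + 3;
    pos += put_tlv(out + pos, PP2_TYPE_CRC32C, zero, 4);
    out[14] = (unsigned char)((pos - PP2_HEADER_LEN) >> 8);
    out[15] = (unsigned char)(pos - PP2_HEADER_LEN);
    uint32_t c = crc32c(out, pos);
    for (int i = 0; i < 4; i++)
        out[crc_at + i] = (unsigned char)(c >> (24 - 8 * i));
    return pos;
}

/* Receiver: check signature, version, declared length and TLV framing, verify the
 * CRC32C TLV when present, copy ALPN out NUL-terminated using its explicit length.
 * Returns the header length, or 0 if the header must be rejected. */
size_t pp2_verify(const unsigned char *buf, size_t buflen, char *alpn_out, size_t alpn_sz)
{
    unsigned char copy[512];                 /* header with the CRC field zeroed */
    if (buflen < PP2_HEADER_LEN || memcmp(buf, pp2_sig, 12) != 0) return 0;
    if ((buf[12] & 0xF0) != 0x20 || (buf[13] >> 4) > 3) return 0;
    size_t len = PP2_HEADER_LEN + (((size_t)buf[14] << 8) | buf[15]);
    if (len > buflen || len > sizeof(copy)) return 0;
    size_t pos = PP2_HEADER_LEN + pp2_addr_len[buf[13] >> 4];
    if (pos > len) return 0;
    memcpy(copy, buf, len);
    int have_crc = 0; uint32_t want = 0;
    if (alpn_sz) alpn_out[0] = '\0';
    while (pos + 3 <= len) {
        unsigned char type = buf[pos]; const unsigned char *val = buf + pos + 3;
        size_t vlen = ((size_t)buf[pos + 1] << 8) | buf[pos + 2];
        if (vlen > len - pos - 3) return 0;  /* TLV runs past the header */
        if (type == PP2_TYPE_CRC32C) {
            if (vlen != 4 || have_crc) return 0;
            want = ((uint32_t)val[0] << 24) | ((uint32_t)val[1] << 16) |
                   ((uint32_t)val[2] << 8) | (uint32_t)val[3];
            memset(copy + pos + 3, 0, 4); have_crc = 1;   /* hash with field zeroed */
        } else if (type == PP2_TYPE_ALPN && alpn_sz) {
            size_t n = vlen < alpn_sz - 1 ? vlen : alpn_sz - 1;
            memcpy(alpn_out, val, n);        /* bounded by vlen, not by a NUL */
            alpn_out[n] = '\0';
        }
        pos += 3 + vlen;
    }
    if (pos != len) return 0;                /* trailing bytes: malformed */
    if (have_crc && crc32c(copy, len) != want) return 0;
    return len;
}
```

pp2_verify deliberately skips TLVs it does not know, including the PP2_TYPE_SSL block and its PP2_SUBTYPE_SSL_* subtypes; a receiver that consumes those would decode them inside the same loop, still bounded by the outer vlen. The CRC check only detects corruption and framing mistakes: it is not an authenticator, so a header arriving over an untrusted path still needs the usual accept-proxy source restrictions.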

Re: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2

2018-02-02 Thread Emmanuel Hocdet
Hi Aleks > On 1 Feb 2018 at 23:34, Aleksandar Lazic <al-hapr...@none.at> wrote: > > Hi. > > -- Original message ------ > From: "Emmanuel Hocdet" <m...@gandi.net> > To: "haproxy" <haproxy@formilux.org> > Sent: 01.02.2018

[PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2

2018-02-01 Thread Emmanuel Hocdet
Hi, This patch introduces proxy-v2-options for send-proxy-v2. The goal is to add more options from doc/proxy-protocol.txt, especially all TLS information related to security. ++ Manu 0001-MINOR-introduce-proxy-v2-options-for-send-proxy-v2.patch Description: Binary data

Re: [BUG] 100% cpu on each threads

2018-01-12 Thread Emmanuel Hocdet
> On 12 Jan 2018 at 15:23, Aleksandar Lazic <al-hapr...@none.at> wrote: > > > -- Original message -- > From: "Willy Tarreau" <w...@1wt.eu> > To: "Emmanuel Hocdet" <m...@gandi.net> > Cc: "haproxy" <haproxy@for

Re: [BUG] 100% cpu on each threads

2018-01-12 Thread Emmanuel Hocdet
> On 12 Jan 2018 at 15:24, Willy Tarreau <w...@1wt.eu> wrote: > > On Fri, Jan 12, 2018 at 12:01:15PM +0100, Emmanuel Hocdet wrote: >> When the syndrome appears, I see such a line in syslog: >> (for one or all servers) >> >> Server tls/L7_1 is DOWN, reason

Re: [BUG] 100% cpu on each threads

2018-01-12 Thread Emmanuel Hocdet
Hi Willy > On 12 Jan 2018 at 11:38, Willy Tarreau <w...@1wt.eu> wrote: > > Hi Manu, > > On Fri, Jan 12, 2018 at 11:14:57AM +0100, Emmanuel Hocdet wrote: >> >> Hi, >> >> with 1.8.3 + threads (with mworker) >> I notice a 100% c

[BUG] 100% cpu on each threads

2018-01-12 Thread Emmanuel Hocdet
Hi, with 1.8.3 + threads (with mworker) I notice 100% cpu per thread (epoll_wait + gettimeofday in a loop). The syndrome appears regularly on start/reload. My configuration includes one bind line with ssl in tcp mode. Is it a known issue? ++ Manu

Re: [PATCH] BUG/MINOR: ssl: fix CO_FL_EARLY_DATA removal with http mode

2017-11-30 Thread Emmanuel Hocdet
> On 30 Nov 2017 at 13:34, Olivier Houchard <ohouch...@haproxy.com> wrote: > > Hi Emmanuel, > > On Thu, Nov 30, 2017 at 12:15:37PM +0100, Emmanuel Hocdet wrote: >> Hi Olivier, >> >>> On 29 Nov 2017 at 19:57, Olivier Houchard <ohouch...@haproxy

Re: [PATCH] BUG/MINOR: ssl: fix CO_FL_EARLY_DATA removal with http mode

2017-11-30 Thread Emmanuel Hocdet
> On 30 Nov 2017 at 12:15, Emmanuel Hocdet <m...@gandi.net> wrote: > > In this case, I don't understand the interest of ssl_fc_has_early. > > looking at the documentation > ssl_fc_has_early : boolean > Returns true if early data were sent, and the

Re: [PATCH] BUG/MINOR: ssl: fix CO_FL_EARLY_DATA removal with http mode

2017-11-30 Thread Emmanuel Hocdet
Hi Olivier, > On 29 Nov 2017 at 19:57, Olivier Houchard <ohouch...@haproxy.com> wrote: > > On Mon, Nov 27, 2017 at 06:19:41PM +0100, Emmanuel Hocdet wrote: >>> Maybe the best is to add a new flag per conn_stream, CS_FL_WAITING_FOR_HS or >>> something, inste

Re: [PATCH] BUG/MINOR: ssl: fix CO_FL_EARLY_DATA removal with http mode

2017-11-29 Thread Emmanuel Hocdet
Hi Willy, Can you consider the first patch (included here)? As Olivier said, the fix for ssl_fc_has_early needs more work. Can be backported to 1.8 ++ Manu 0001-BUG-MINOR-ssl-CO_FL_EARLY_DATA-removal-is-managed-by.patch Description: Binary data

Re: [BUG] haproxy 1.8-last/master-worker/peers

2017-11-28 Thread Emmanuel Hocdet
Hi Willy, > On 28 Nov 2017 at 07:33, Willy Tarreau <w...@1wt.eu> wrote: > > Hi Manu, > > On Mon, Nov 27, 2017 at 06:21:50PM +0100, Emmanuel Hocdet wrote: >> Hi Willy, >> >>> On 18 Nov 2017 at 12:28, Willy Tarreau <w...@1wt.eu> wrote: >

Re: [BUG] haproxy 1.8-last/master-worker/peers

2017-11-27 Thread Emmanuel Hocdet
Hi Willy, > On 18 Nov 2017 at 12:28, Willy Tarreau <w...@1wt.eu> wrote: > > Hi Manu, > > On Fri, Nov 17, 2017 at 05:14:11PM +0100, Emmanuel Hocdet wrote: >> In master-worker mode with peers, the old worker never died after a reload (kill >> -USR2). >>

Re: [PATCH] BUG/MINOR: ssl: fix CO_FL_EARLY_DATA removal with http mode

2017-11-27 Thread Emmanuel Hocdet
> On 27 Nov 2017 at 17:52, Olivier Houchard <ohouch...@haproxy.com> wrote: > > Hi Emmanuel, > > On Mon, Nov 27, 2017 at 05:17:54PM +0100, Emmanuel Hocdet wrote: >> >> Hi, >> >> This patch fixes CO_FL_EARLY_DATA removal to have correct ssl_fc_h

[PATCH] BUG/MINOR: ssl: fix CO_FL_EARLY_DATA removal with http mode

2017-11-27 Thread Emmanuel Hocdet
Hi, This patch fixes CO_FL_EARLY_DATA removal to have correct ssl_fc_has_early reporting. It works for 'mode http'. It does not fix ssl_fc_has_early for 'mode tcp'. In this mode CO_FL_EARLY_DATA should not be removed if early data was accepted. Is it possible to check MODE_TCP in mux_pt_recv? Or

Re: [PATCH] MINOR: ssl: Handle early data with BoringSSL

2017-11-24 Thread Emmanuel Hocdet
Hi Willy, patch rebase from master. ++ Manu 0001-MINOR-ssl-Handle-early-data-with-BoringSSL.patch Description: Binary data

Re: [PATCH] MINOR: ssl: Handle early data with BoringSSL

2017-11-23 Thread Emmanuel Hocdet
simplify patch: no need to bypass the post-SSL_do_handshake process, only remove CO_FL_EARLY_SSL_HS when the handshake can't support early data. > On 23 Nov 2017 at 14:14, Emmanuel Hocdet <m...@gandi.net> wrote: > > Hi, > > This patch manages early data with BoringSSL in s

[PATCH] MINOR: ssl: Handle early data with BoringSSL

2017-11-23 Thread Emmanuel Hocdet
Hi, This patch manages early data with BoringSSL in server mode. It only affects BoringSSL. ++ Manu 0001-MINOR-ssl-Handle-early-data-with-BoringSSL.patch Description: Binary data

[BUG] haproxy 1.8-last/master-worker/peers

2017-11-17 Thread Emmanuel Hocdet
Hi, In master-worker mode with peers, old worker never died after a reload (kill -USR2). Tested without traffic, with/without threads. Without peers, no problems. ++ Manu

Re: HAProxy fails to compile against BoringSSL since 1.8-rc1

2017-11-13 Thread Emmanuel Hocdet
Hi Jamie, you need to take an up-to-date BoringSSL commit (https://github.com/JayH5/docker-haproxy-boringssl/blob/master/1.8-dev/Dockerfile#L10) ++ Manu > On 11 Nov 2017 at 16:32, Jamie Hewland wrote: > > Hi there, > > I maintain a Docker-based build of HAProxy built

Re: [ANNOUNCE] haproxy-1.8-rc1 : the last mile

2017-11-06 Thread Emmanuel Hocdet
Hi Robert, > On 4 Nov 2017 at 14:33, Robert Newson wrote: > > It's only 1.0.1 that's affected, so I'm inferring that predates support for > serving multiple certificate types; it's not an haproxy regression. > yes, multiple certificate bundles only work with openssl >= 1.0.2

[PATCH] send-proxy-v2-ssl-crypto parameter

2017-11-02 Thread Emmanuel Hocdet
Hi Willy, These patches implement send-proxy-v2-ssl-crypto to add CIPHER, SIG_ALG and KEY_ALG to send-proxy-v2-ssl as described in proxy-protocol.txt ++ Manu 0001-MINOR-ssl-extract-full-pkey-info-in-load-certificate.patch Description: Binary data

[PATCH] BUG/MINOR: send-proxy-v2

2017-10-31 Thread Emmanuel Hocdet
Hi Willy, I found 2 (old) bugs in send-proxy-v2. Can you consider these patches? ++ Manu 0001-BUG-MINOR-send-proxy-v2-fix-dest_len-in-make_tlv-cal.patch Description: Binary data 0002-BUG-MINOR-send-proxy-v2-string-size-must-include-0.patch Description: Binary data

[PATCH] cleanup and add ALPN to proxy-protocol-v2

2017-10-27 Thread Emmanuel Hocdet
Hi Willy, It's a series of patches about proxy-protocol-v2: 1) Report #defines from doc/proxy-protocol.txt. 2) cleanup after first work on implementing SRV_PP_V2_SSL_CRYPTO (send-proxy-v2-ssl-crypto not yet in the series because adding key/hash info needs more work) 3) add ALPN information to

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

2017-10-27 Thread Emmanuel Hocdet
> On 27 Oct 2017 at 15:02, Olivier Houchard wrote: > > The attached patch does use the ssl_conf, instead of abusing ssl_options. > I also added a new field in global_ssl, I wasn't so sure about this, but > decided people may want to enable 0RTT globally. > > Emmanuel,

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

2017-10-27 Thread Emmanuel Hocdet
> On 27 Oct 2017 at 11:22, Emmanuel Hocdet <m...@gandi.net> wrote: > > Hi Olivier > >> On 27 Oct 2017 at 01:08, Olivier Houchard <ohouch...@haproxy.com> wrote: >> >> Hi, >> >> You'll find attached updated patches, rebased on the lat

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

2017-10-27 Thread Emmanuel Hocdet
Hi Olivier > On 27 Oct 2017 at 01:08, Olivier Houchard wrote: > > Hi, > > You'll find attached updated patches, rebased on the latest master, and on > top of Emmanuel's latest patches (also attached for reference). > This version allows to enable 0RTT per SNI. > It

Re: [PATCH] support Openssl 1.1.1 early callback API for HS

2017-10-25 Thread Emmanuel Hocdet
> On 25 Oct 2017 at 15:45, Emmanuel Hocdet <m...@gandi.net> wrote: > > > Hi Olivier, > > >> On 25 Oct 2017 at 14:57, Olivier Houchard <ohouch...@haproxy.com> wrote: >> >> On Wed, Oct 25, 2017 at 02:37:58PM +0200, Emmanuel Hocdet wro

Re: [PATCH] support Openssl 1.1.1 early callback API for HS

2017-10-25 Thread Emmanuel Hocdet
Hi Olivier, > On 25 Oct 2017 at 14:57, Olivier Houchard <ohouch...@haproxy.com> wrote: > > On Wed, Oct 25, 2017 at 02:37:58PM +0200, Emmanuel Hocdet wrote: >> Hi, >> >> . patch series rebased from master >> . update openssl 1.1.1 api calls

Re: [PATCH] support Openssl 1.1.1 early callback API for HS

2017-10-25 Thread Emmanuel Hocdet
Hi, . patch series rebased from master . update openssl 1.1.1 api calls with the new early callback name (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_client_hello_cb.html) On 4 Sep 2017 at 16:39, Emmanuel Hocdet <m...@gandi.net> wrote: Hi Emeric, Christopher If you can review when yo

Re: [PATCH] MINOR: ssl: build with recent BoringSSL library

2017-10-25 Thread Emmanuel Hocdet
> On 24 Oct 2017 at 19:59, Willy Tarreau <w...@1wt.eu> wrote: > > On Tue, Oct 24, 2017 at 06:58:43PM +0200, Emmanuel Hocdet wrote: >> It's in #ifdef BORINGSSL and it's an old BoringSSL API call moved to an >> openssl 1.1.0 compat API call. >> It's reall

Re: [PATCH] MINOR: ssl: build with recent BoringSSL library

2017-10-24 Thread Emmanuel Hocdet
> On 24 Oct 2017 at 18:47, Willy Tarreau <w...@1wt.eu> wrote: > > On Tue, Oct 24, 2017 at 06:26:26PM +0200, Emmanuel Hocdet wrote: >> okay, patch split in 2 parts :) >> >> 1) support OPENSSL_NO_ASYNC #define >> 2) BoringSSL switch OPENSSL_VERSION_NUMBE

Re: [PATCH] MINOR: ssl: build with recent BoringSSL library

2017-10-24 Thread Emmanuel Hocdet
> On 24 Oct 2017 at 18:04, Emmanuel Hocdet <m...@gandi.net> wrote: > > Hi Willy > >> On 22 Oct 2017 at 10:02, Willy Tarreau <w...@1wt.eu> wrote: >> >> On Tue, Oct 10, 2017 at 06:35:49PM +0200, Emmanuel Hocdet wrote: >>> Hi, >>>

Re: [PATCH] MINOR: ssl: build with recent BoringSSL library

2017-10-24 Thread Emmanuel Hocdet
Hi Willy > On 22 Oct 2017 at 10:02, Willy Tarreau <w...@1wt.eu> wrote: > > On Tue, Oct 10, 2017 at 06:35:49PM +0200, Emmanuel Hocdet wrote: >> Hi, >> >> BoringSSL switched OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility. >> This patch fixes Bori

Re: Fix building haproxy with recent LibreSSL

2017-10-24 Thread Emmanuel Hocdet
> On 3 Aug 2017 at 10:07, Willy Tarreau wrote: > > Hi Bernard, > > I'm CCing Emeric since this affects SSL. I have some comments below. > > On Tue, Jul 25, 2017 at 05:03:10PM +0200, Bernard Spil wrote: > >> --- src/ssl_sock.c.orig 2017-06-02 13:59:51 UTC >> +++

Re: [PATCH] MINOR: ssl: ocsp response with 'revoked' status is correct

2017-10-24 Thread Emmanuel Hocdet
Hi Sander,  > On 23 Oct 2017 at 11:00, Sander Hoentjen <san...@hoentjen.eu> wrote: > > Hi Willy, > > > On 10/22/2017 10:02 AM, Willy Tarreau wrote: >> Hi Manu, >> >> On Tue, Oct 10, 2017 at 03:44:07PM +0200, Emmanuel Hocdet wrote: >>>

[PATCH] MINOR: ssl: build with recent BoringSSL library

2017-10-10 Thread Emmanuel Hocdet
Hi, BoringSSL switched OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility. This patch fixes BoringSSL calls and openssl-compat.h #defines accordingly. This will not break openssl/libressl compat. ++ Manu 0001-MINOR-ssl-build-with-recent-BoringSSL-library.patch Description: Binary data

[PATCH] MINOR: ssl: ocsp response with 'revoked' status is correct

2017-10-10 Thread Emmanuel Hocdet
Hi Emeric, ocsp_status can be 'good', 'revoked', or 'unknown'. The 'revoked' status is a correct status and the OCSP response should not be dropped. In the case of a certificate with the OCSP must-staple extension, a response with 'revoked' status must be provided as well as one with 'good' status. ++ Manu

Re: [PATCHES][ssl] Add 0-RTT support with OpenSSL 1.1.1

2017-10-03 Thread Emmanuel Hocdet
Hi Olivier, Great to see a version of a more 'secure' 0-RTT implementation. > On 2 Oct 2017 at 17:18, Olivier Houchard wrote: > > Hi, > > The attached patches add experimental support for 0-RTT with OpenSSL 1.1.1 > They are based on Emmanuel's previous patches, so I'm

Re: Kernel TLS for http/2

2017-09-15 Thread Emmanuel Hocdet
Hi, > On 14 Sep 2017 at 19:34, Lukas Tribus wrote: > > Hello, > > > On 05.09.2017 at 10:00, Willy Tarreau wrote: >> >> As I already mentioned (I don't remember to whom), I really don't see *any* >> benefit in this approach and only problems in fact. By the way, others

regression with patch 19e8aa58 "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"

2017-09-06 Thread Emmanuel Hocdet
Hi, server configuration now breaks with: cfg sample: listen tls […] server bla 127.0.0.1:8080 [ALERT] 248/130258 (21960) : parsing [/etc/haproxy/test.cfg:53] : 'server bla' : no method found to resolve address '(null)' [ALERT] 248/130258 (21960) : Failed to initialize server(s) addr.

Re: [PATCH] support Openssl 1.1.1 early callback API for HS

2017-09-06 Thread Emmanuel Hocdet
Hi Willy, > On 5 Sep 2017 at 10:11, Willy Tarreau <w...@1wt.eu> wrote: > > Hi Manu, > > On Mon, Sep 04, 2017 at 04:39:45PM +0200, Emmanuel Hocdet wrote: >> Hi Emeric, Christopher >> >> If you can review when you have time. (3) for Christopher. >

Re: [PATCH] support Openssl 1.1.1 early callback API for HS

2017-09-04 Thread Emmanuel Hocdet
order of processing between things like session resumption and the historical servername callback." > On 4 Sep 2017 at 16:39, Emmanuel Hocdet <m...@gandi.net> wrote: > > Hi Emeric, Christopher > > If you can review when you have time. (3) for Christopher. > >

[PATCH] support Openssl 1.1.1 early callback API for HS

2017-09-04 Thread Emmanuel Hocdet
Hi Emeric, Christopher If you can review when you have time. (3) for Christopher. These patches allow supporting native multicert selection (RSA/ECDSA) and ssl-min-ver/ssl-max-ver per certificate with OpenSSL 1.1.1 (BoringSSL was the only one to support this until this patch). patches: 1)

[PATCH] MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use

2017-09-01 Thread Emmanuel Hocdet
Hi Thierry, This patch is related to the "Capturing browser TLS cipher suites" thread. I think it will match the initial need but without internal SSL structure usage, and works with OpenSSL 1.0.2 to 1.1.1 and BoringSSL. ++ Manu

Re: [PATCH] MINOR: ssl: remove duplicate ssl_methods in struct bind_conf

2017-09-01 Thread Emmanuel Hocdet
Hi Willy, Emeric Can you consider it? ++ Manu > On 9 Aug 2017 at 19:07, Emmanuel Hocdet <m...@gandi.net> wrote: > > Hi Willy, > > Patch is not related to openssl version x. It's an internal structure cleanup. > I don't label it as CLEANUP because it removes a po

[PATCH] BUILD: ssl: replace SSL_CTX_get0_privatekey for openssl < 1.0.2

2017-08-11 Thread Emmanuel Hocdet
Hi Christopher, Willy SSL_CTX_get0_privatekey in openssl-compat.h can't work because of internal structure usage. Christopher, your original workaround is the only way I see. Patch to fix that: ++ Manu 0001-BUILD-ssl-replace-SSL_CTX_get0_privatekey-for-openss.patch Description: Binary data

[PATCH] MINOR: ssl: remove duplicate ssl_methods in struct bind_conf

2017-08-09 Thread Emmanuel Hocdet
Hi Willy, The patch is not related to openssl version x. It's an internal structure cleanup. I don't label it as CLEANUP because it removes a potential source of errors (this is debatable). If you can consider it. Thanks. Manu 0001-MINOR-ssl-remove-duplicate-ssl_methods-in-struct-bin.patch

Re: error at build time In function 'SSL_CTX_get0_privatekey' error: dereferencing pointer to incomplete type

2017-08-09 Thread Emmanuel Hocdet
Hi Aleksandar, > On 9 Aug 2017 at 13:39, Aleksandar Lazic wrote: > > Hi, > > Today I have tried to recreate the WAF. > > I received this error at build time. > > ### > + cd /usr/src > + git clone http://git.haproxy.org/git/haproxy.git/ > Cloning into 'haproxy'... > +

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-08-09 Thread Emmanuel Hocdet
On 9 Aug 2017 at 11:13, Willy Tarreau <w...@1wt.eu> wrote: On Wed, Aug 09, 2017 at 10:26:54AM +0200, Emmanuel Hocdet wrote: On 9 Aug 2017 at 08:37, Willy Tarreau <w...@1wt.eu> wrote: Hi Manu, On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote: Hi Willy, Emeric, Christ
