RE: Issues with force-sslv3

2015-07-03 Thread Lukas Tribus
Hi, Hi there, I'm running haproxy 1.5.12 and I have set 'ssl-default-bind-options no-sslv3 no-tlsv10' (without the quotes of course) under the global section as I want all my front-ends not to support SSLv3 or TLS1.0. However I do have a client that still requires SSLv3 support (for

Issues with force-sslv3

2015-07-03 Thread Travis Fitch
Hi there, I'm running haproxy 1.5.12 and I have set 'ssl-default-bind-options no-sslv3 no-tlsv10' (without the quotes of course) under the global section as I want all my front-ends not to support SSLv3 or TLS1.0. However I do have a client

Re: [PATCH] DOC: dns: fix chapters syntax

2015-07-03 Thread Willy Tarreau
On Thu, Jul 02, 2015 at 10:45:32PM +0200, Cyril Bonté wrote: All chapters in the configuration documentation used to follow this syntax : chapter number. title - (...) Applied, thanks Cyril! Willy

simple DOS mitigation (and maxconn)

2015-07-03 Thread Olivier
Hello, We experienced a specific behaviour with HAProxy (1.5.12) and would like to share what happened, and see what can be done. Simplified configuration : defaults default-server maxconn 2000 backlog 16384 listen webcustomer:80 id 12 balance source hash-type consistent

Poor Performance of www.haproxy.org over ipv6

2015-07-03 Thread Sebastian Schubert
hi there, while downloading the latest release, i was wondering why i only got 10kb/s while getting the tarball... i rechecked and saw that the performance was ok using ipv4, but very poor for ipv6 (the records seem to point to different machines btw.) wget with ipv4: 2015-07-03 18:15:45

Re: [ANNOUNCE] haproxy-1.5.14

2015-07-03 Thread Marc-Antoine
Hi, just to let you know changelog is missing 1.5.14 infos ;) great job by the way ! On Fri, 3 Jul 2015 17:55:56 +0200, Willy Tarreau w...@1wt.eu wrote : Changelog: http://www.haproxy.org/download/1.5/src/CHANGELOG -- Marc-Antoine

Re: [ANNOUNCE] haproxy-1.5.13

2015-07-03 Thread Willy Tarreau
On Fri, Jul 03, 2015 at 08:09:34AM +0200, Marco Corte wrote: Il 26/06/2015 15:57, Willy Tarreau ha scritto: Another one is an issue that was reported in 1.5.12 with peers trying to immediately reconnect upon error and eating a lot of CPU. Both peers in that cluster are running 1.5.13 and I

Re: [ANNOUNCE] haproxy-1.5.13

2015-07-03 Thread Willy Tarreau
On Thu, Jul 02, 2015 at 09:36:28AM +0200, Pavlos Parissis wrote: On 26/06/2015 03:57 , Willy Tarreau wrote: Hi, as promised, here comes 1.5.13. It's been 1.5 months already since 1.5.12 and my misleading announce of the backport of peers support for nbproc :-) You forgot to

RE: [ANNOUNCE] haproxy-1.5.14

2015-07-03 Thread Lukas Tribus
Hi, just to let you know changelog is missing 1.5.14 infos ;) It's there, it's probably just cached in your browser (try ctrl+shift+R). Lukas

Re: Poor Performance of www.haproxy.org over ipv6

2015-07-03 Thread Willy Tarreau
Hi Sebastian, On Fri, Jul 03, 2015 at 06:31:04PM +0200, Sebastian Schubert wrote: hi there, while downloading the latest release, i was wondering why i only got 10kb/s while getting the tarball... i rechecked and saw that the performance was ok using ipv4, but very poor for ipv6 (the

[ANNOUNCE] haproxy-1.5.14

2015-07-03 Thread Willy Tarreau
Hi all, This week, Charlie Smurthwaite reported a bug in haproxy 1.5 affecting SVN in pipeline mode. After a long debugging session and many very detailed traces Charlie provided, we found the bug and it has even more serious impacts than initially thought. To make a long story short, with the

Re: [PATCH] MAJOR: connection: fix TLV offset calculation for proxy protocol v2 parsing

2015-07-03 Thread Willy Tarreau
On Fri, Jul 03, 2015 at 02:09:10PM +0200, KOVACS Krisztian wrote: Until now, the code assumed that it can get the offset to the first TLV header just by subtracting the length of the TLV part from the length of the complete buffer. However, if the buffer contains actual data after the header,

RE: Issues with force-sslv3

2015-07-03 Thread Lukas Tribus
Thanks Lukas, So it's either SSLv3 is enabled for all, or it's disabled for all? No, you can disable it per bind line, only that you need to do it the other way around, specifying no-sslv3 on all other bind lines, not the one where you need sslv3 (and not in the defaults). Lukas

Re: Issues with force-sslv3

2015-07-03 Thread Travis Fitch
Thanks Lukas, So it's either SSLv3 is enabled for all, or it's disabled for all? Is there a way to have SSLv3 enabled for one backend only? - Travis On 4/07/2015 1:01 am, Lukas Tribus wrote: Hi, Hi there, I'm running haproxy 1.5.12 and I have set 'ssl-default-bind-options no-sslv3

RE: Now follows SNI rules, except from curl on OSX

2015-07-03 Thread Lukas Tribus
That should have read: The capture shows that there is *no* SNI emitted by the client. I think your node.js SNI tests was bogus, and that curl doesn't properly support SNI *if* the crypto library is SecureTransport instead of openssl, gnutls or cyassl.

Re: Now follows SNI rules, except from curl on OSX

2015-07-03 Thread AJ ONeal (Home)
Try: curl https://sni.velox.ch/ -k You will see that SNI doesn't work with this client. Also see: https://mumble.org.uk/blog/2014/03/12/gpg-and-openssl-and-curl-and-osx/ I'm a little confused... because I see that you're correct about https://sni.velox.ch in that I see an error message

RE: Now follows SNI rules, except from curl on OSX

2015-07-03 Thread Lukas Tribus
Yep, it's OS X curl.    curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1  SecureTransport zlib/1.2.5  Protocols: dict file ftp ftps gopher http https imap imaps ldap  ldaps pop3 pop3s rtsp smtp smtps telnet tftp  Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz   

Re: Now follows SNI rules, except from curl on OSX

2015-07-03 Thread AJ ONeal (Home)
The big question is why does curl on mac sometimes send the SNI value and sometimes not? Maybe it has something to do with the -k/--insecure argument? Which certificate are you getting if you do: curl --insecure https://coolaj86.com BINGO! Ugh... well, at least some half-decent

Re: [ANNOUNCE] haproxy-1.5.13

2015-07-03 Thread Marco Corte
Il 26/06/2015 15:57, Willy Tarreau ha scritto: Another one is an issue that was reported in 1.5.12 with peers trying to immediately reconnect upon error and eating a lot of CPU. Both peers in that cluster are running 1.5.13 and I do not see the behaviour any more. Thank you! .marcoc

RE: Now follows SNI rules, except from curl on OSX

2015-07-03 Thread Lukas Tribus
sudo tcpdump -ps0 -i eth0 -w eth0.64443.cap tcp port 64443 And then this on my Yosemite Mac curl --insecure https://baz.example.com:64443/ And here's the result The capture shows that there is now SNI emitted by the client. I think your

Re: Now follows SNI rules, except from curl on OSX

2015-07-03 Thread Cyril Bonté
Hi, Le 03/07/2015 04:26, AJ ONeal (Home) a écrit : Sounds like that client hello from curl@mac looks different than we expect, therefore SNI parsing fails. Can you provide the same tcpdump captures again, this time from the mac curl client that fails? I ran this on the server

[PATCH] MAJOR: connection: fix TLV offset calculation for proxy protocol v2 parsing

2015-07-03 Thread KOVACS Krisztian
Until now, the code assumed that it can get the offset to the first TLV header just by subtracting the length of the TLV part from the length of the complete buffer. However, if the buffer contains actual data after the header, this computation is flawed and leads to haproxy trying to parse TLV