> On 18 June 2018 at 15:54, Thierry Fournier wrote:
>
> I don't know. In fact it works, so it is not a bug. But, when I use the
> reservation for an ex_data slot, it returns slot 0, and this slot is
> used for the compatibility layer and can crush some data. I conclude
> that is a
> On 18 June 2018 at 15:30, Thierry Fournier wrote:
>
>
>
>> On 18 Jun 2018, at 14:37, Emmanuel Hocdet wrote:
>>
>>>
>>> On 18 June 2018 at 10:43, Thierry Fournier wrote:
>>>
>>>
>>>> On 1
> On 18 June 2018 at 10:43, Thierry Fournier wrote:
>
>
>> On 18 Jun 2018, at 10:33, Willy Tarreau wrote:
>>
>> On Sun, Jun 17, 2018 at 09:44:50PM +0200, thierry.fourn...@arpalert.org
>> wrote:
>>> Finally, I got it! It works with luck because we have 1 bug in Haproxy
>>> and 1 error
> On 18 June 2018 at 11:49, Emmanuel Hocdet wrote:
>
>
> Hi Thierry, Willy
>
>> On 18 June 2018 at 10:43, Thierry Fournier wrote:
>>
>> Yes, including the Friday :-) But I hope this patch improves stability. If
>> someone
>> ha
Hi Thierry, Willy
> On 18 June 2018 at 10:43, Thierry Fournier wrote:
>
>
>> On 18 Jun 2018, at 10:33, Willy Tarreau wrote:
>>
>> On Sun, Jun 17, 2018 at 09:44:50PM +0200, thierry.fourn...@arpalert.org
>> wrote:
>>> Finally, I got it! It works with luck because we have 1 bug in Hapro
> On 24 May 2018 at 09:21, Hervé Commowick wrote:
>
> I didn't know about the curves parameter, and I don't see a performance
> regression with it. I don't really understand why this kind of parameter
> can influence certs loading time.
>
I don't really know why either.
"ecdhe" uses EC_KEY_
Hi Hervé,
> On 22 May 2018 at 10:31, Hervé Commowick wrote:
>
> Hello HAProxy ML,
>
> I tracked down a performance regression about loading a bunch of
> certificates, at least 3x to 5x more time for loading 10 certs since
> this commit
> http://git.haproxy.org/?p=haproxy-1.8.git;a=commit
Hi Emeric,
> On 18 Apr 2018 at 14:21, Emeric Brun wrote:
>
> On 04/16/2018 02:30 PM, Dmitry Sivachenko wrote:
>>
>>> On 07 Apr 2018, at 17:38, Emmanuel Hocdet wrote:
>>>
>>>
>>> Hi Andy
>>>
>>>> On 31 March 2018 at 16:
Hi Andy
> On 31 March 2018 at 16:43, Andy Postnikov wrote:
>
> I used to rework the previous patch from Alpinelinux to build with the latest stable
> libressl.
> But I found no way to run tests with openssl, which is the primary library as I see.
> Is it possible to accept the patch upstream or get review on i
Hi Willy,
> On 21 March 2018 at 05:09, Willy Tarreau wrote:
>
> On Tue, Mar 20, 2018 at 02:40:41PM +0100, Emmanuel Hocdet wrote:
>> Thank you for taking the time to review.
>
> OK patch now applied, thanks. Since you added a new hash algo, it could
> be nice to create
Hi Willy,
> On 19 March 2018 at 12:38, Willy Tarreau <w...@1wt.eu> wrote:
>
> Hi Manu,
>
> On Mon, Feb 05, 2018 at 05:10:05PM +0100, Emmanuel Hocdet wrote:
>> Hi,
>>
>> Series of patches to support CRC32c checksum to proxy protocol v2 header
>> (as described in "doc/proxy-protocol.txt"). add hash_crc32c fu
Hi Willy,
Since the patches "[PATCH] proxy-v2-options ssl-cipher,cert-sig,cert-key,authority"
are merged,
these could be considered.
++
Manu
> On 5 Feb 2018 at 17:10, Emmanuel Hocdet wrote:
>
> Hi,
>
> Series of patches to support CRC32c checksum to proxy protocol v2 h
Hi Willy,
> On 1 March 2018 at 07:00, Willy Tarreau wrote:
>
> Hi Manu,
>
> this series is giving me two build warnings:
>
> src/ssl_sock.c: In function 'ssl_sock_load_multi_cert':
> src/ssl_sock.c:3143:3: warning: ISO C90 forbids mixed declarations and code
> [-Wdeclaration-after-statement
Hi,
Updated patches with a minor fix related to null-terminated string.
> On 2 Feb 2018 at 14:44, Emmanuel Hocdet wrote:
>
>
> Hi,
>
> Series of patches to add proxy protocol v2 options related to TLS information
> (see doc/proxy-protocol.txt).
> . ssl-cipher
Hi,
As discussed with Willy, 82913e4f must be reverted.
This should be backported to 1.8.
++
Manu
0001-Revert-BUG-MINOR-send-proxy-v2-string-size-must-incl.patch
Hi Willy
> On 27 Feb 2018 at 15:57, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Mon, Feb 26, 2018 at 12:31:13PM +0100, Emmanuel Hocdet wrote:
>>
>> Hi,
>>
>> According to openssl documentation: "SSL_get0_alpn_selected() returns
>> a pointe
Hi,
According to openssl documentation: "SSL_get0_alpn_selected() returns
a pointer to the selected protocol in data with length len. It is not
NUL-terminated". It concerns the ssl_sock_get_alpn and smp_fetch_ssl_fc_alpn
functions and impacts send-proxy-v2 with alpn. The expected get is not
an array of
Hi Olivier
> On 13 Feb 2018 at 15:27, Olivier Houchard wrote:
>
> Thanks a lot for the detailed analysis, and sorry for the late answer.
> You're probably right, SSL_ERROR_SYSCALL shouldn't be treated as an
> unrecoverable error.
> So, what you basically did was something equivalent to the pa
Hi,
Series of patches to support CRC32c checksum to proxy protocol v2 header
(as described in "doc/proxy-protocol.txt").
add hash_crc32c function.
add "crc32c" option to proxy-v2-options.
check crc32c checksum when CRC32C tlv is received.
note: git format-patch is done with "[PATCH] proxy-v2-options
Hi Aleks,
> On 2 Feb 2018 at 20:46, Aleksandar Lazic wrote:
>
> Hi Manu.
>
> On 02-02-2018 10:49, Emmanuel Hocdet wrote:
>> Hi Aleks
>>> On 1 Feb 2018 at 23:34, Aleksandar Lazic wrote:
>>> Hi.
>>> ------ Original Message ---
Hi,
Series of patches to add proxy protocol v2 options related to TLS information
(see doc/proxy-protocol.txt).
. ssl-cipher (PP2_SUBTYPE_SSL_CIPHER)
. cert-sig (PP2_SUBTYPE_SSL_SIG_ALG)
. cert-key (PP2_SUBTYPE_SSL_KEY_ALG)
. authority (PP2_TYPE_AUTHORITY) - aka SNI
++
Manu
0001-MINOR-
Hi Aleks
> On 1 Feb 2018 at 23:34, Aleksandar Lazic wrote:
>
> Hi.
>
> -- Original Message --
> From: "Emmanuel Hocdet"
> To: "haproxy"
> Sent: 01.02.2018 17:54:46
> Subject: [PATCH] MINOR: introduce proxy-v2-options for send
Hi,
This patch introduces proxy-v2-options for send-proxy-v2.
Goal is to add more options from doc/proxy-protocol.txt, especially all TLS information related to security.
++
Manu
0001-MINOR-introduce-proxy-v2-options-for-send-proxy-v2.patch
> On 12 Jan 2018 at 15:23, Aleksandar Lazic wrote:
>
>
> -- Original Message --
> From: "Willy Tarreau"
> To: "Emmanuel Hocdet"
> Cc: "haproxy"
> Sent: 12.01.2018 13:04:02
> Subject: Re: [BUG] 100% cpu on each threads
> On 12 Jan 2018 at 15:24, Willy Tarreau wrote:
>
> On Fri, Jan 12, 2018 at 12:01:15PM +0100, Emmanuel Hocdet wrote:
>> When the syndrome appears, I see such a line in syslog:
>> (for one or all servers)
>>
>> Server tls/L7_1 is DOWN, reason: Layer4 co
Hi Willy
> On 12 Jan 2018 at 11:38, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Fri, Jan 12, 2018 at 11:14:57AM +0100, Emmanuel Hocdet wrote:
>>
>> Hi,
>>
>> with 1.8.3 + threads (with mworker)
>> I notice 100% cpu per thread ( epoll_wait
Hi,
with 1.8.3 + threads (with mworker)
I notice 100% cpu per thread (epoll_wait + gettimeofday in a loop).
The syndrome appears regularly on start/reload.
My configuration includes one bind line with ssl in tcp mode.
Is it a known issue?
++
Manu
> On 30 Nov 2017 at 13:34, Olivier Houchard wrote:
>
> Hi Emmanuel,
>
> On Thu, Nov 30, 2017 at 12:15:37PM +0100, Emmanuel Hocdet wrote:
>> Hi Olivier,
>>
>>> On 29 Nov 2017 at 19:57, Olivier Houchard wrote:
>>>
>>> On Mon, N
> On 30 Nov 2017 at 12:15, Emmanuel Hocdet wrote:
>
> In this case, I don't understand the interest of ssl_fc_has_early.
>
> looking at the documentation
> ssl_fc_has_early : boolean
> Returns true if early data were sent, and the handshake didn't happen yet.
Hi Olivier,
> On 29 Nov 2017 at 19:57, Olivier Houchard wrote:
>
> On Mon, Nov 27, 2017 at 06:19:41PM +0100, Emmanuel Hocdet wrote:
>>> Maybe the best is to add a new flag per conn_stream, CS_FL_WAITING_FOR_HS or
>>> something, instead of relying on CO_FL_EARLY_DAT
Hi Willy,
Can you consider the first patch (included here)?
As Olivier said, the fix for ssl_fc_has_early needs more work.
It can be backported to 1.8.
++
Manu
0001-BUG-MINOR-ssl-CO_FL_EARLY_DATA-removal-is-managed-by.patch
Hi Willy,
> On 28 Nov 2017 at 07:33, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Mon, Nov 27, 2017 at 06:21:50PM +0100, Emmanuel Hocdet wrote:
>> Hi Willy,
>>
>>> On 18 Nov 2017 at 12:28, Willy Tarreau wrote:
>>>
>>> Hi Manu,
Hi Willy,
> On 18 Nov 2017 at 12:28, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Fri, Nov 17, 2017 at 05:14:11PM +0100, Emmanuel Hocdet wrote:
>> In master-worker mode with peers, the old worker never dies after a reload (kill
>> -USR2).
>>
>> Teste
> On 27 Nov 2017 at 17:52, Olivier Houchard wrote:
>
> Hi Emmanuel,
>
> On Mon, Nov 27, 2017 at 05:17:54PM +0100, Emmanuel Hocdet wrote:
>>
>> Hi,
>>
>> This patch fixes CO_FL_EARLY_DATA removal to have correct ssl_fc_has_early
>> reporting. It
Hi,
This patch fixes CO_FL_EARLY_DATA removal to have correct ssl_fc_has_early
reporting. It works for 'mode http'.
It does not fix ssl_fc_has_early for 'mode tcp'. In this mode CO_FL_EARLY_DATA
should not be removed if early data was accepted.
Is it possible to check MODE_TCP in mux_pt_recv? Or th
Hi Willy,
Patch rebased from master.
++
Manu
0001-MINOR-ssl-Handle-early-data-with-BoringSSL.patch
Simplified patch:
no need to bypass the post-SSL_do_handshake process, only remove CO_FL_EARLY_SSL_HS
when the handshake can't support early data.
> On 23 Nov 2017 at 14:14, Emmanuel Hocdet wrote:
>
> Hi,
>
> This patch manages early data with BoringSSL in server mode.
> It onl
Hi,
This patch manages early data with BoringSSL in server mode.
It only affects BoringSSL.
++
Manu
0001-MINOR-ssl-Handle-early-data-with-BoringSSL.patch
Hi,
In master-worker mode with peers, the old worker never dies after a reload (kill
-USR2).
Tested without traffic, with/without threads.
Without peers, no problems.
++
Manu
Hi Jamie,
you need to use an up-to-date BoringSSL commit
(https://github.com/JayH5/docker-haproxy-boringssl/blob/master/1.8-dev/Dockerfile#L10)
++
Manu
> On 11 Nov 2017 at 16:32, Jamie Hewland wrote:
>
> Hi there,
>
> I maintain a Docker-based build of HAProxy built against BoringSSL, tr
Hi Robert,
> On 4 Nov 2017 at 14:33, Robert Newson wrote:
>
> It’s only 1.0.1 that’s affected, so I’m inferring that predates support for
> serving multiple certificate types; it’s not an haproxy regression.
>
Yes, multiple certificate bundles only work with openssl >= 1.0.2
> I’ve faile
Hi Willy,
These patches implement send-proxy-v2-ssl-crypto to add CIPHER,
SIG_ALG and KEY_ALG to send-proxy-v2-ssl as described in proxy-protocol.txt
++
Manu
0001-MINOR-ssl-extract-full-pkey-info-in-load-certificate.patch
0002-MINOR-ssl-add-ssl_sock_get_pkey_algo-func
Hi Willy,
I found 2 (old) bugs in send-proxy-v2.
Can you consider these patches?
++
Manu
0001-BUG-MINOR-send-proxy-v2-fix-dest_len-in-make_tlv-cal.patch
0002-BUG-MINOR-send-proxy-v2-string-size-must-include-0.patch
Hi Willy,
It's a series of patches about proxy-protocol-v2:
1) Report #define from doc/proxy-protocol.txt.
2) cleanup after first work on implementing SRV_PP_V2_SSL_CRYPTO
(send-proxy-v2-ssl-crypto
not yet in the series because adding key/hash info needs more work)
3) add ALPN information to send-prox
> On 27 Oct 2017 at 15:02, Olivier Houchard wrote:
>
> The attached patch does use the ssl_conf, instead of abusing ssl_options.
> I also added a new field in global_ssl, I wasn't so sure about this, but
> decided people may want to enable 0RTT globally.
>
> Emmanuel, is this ok for you?
>
> On 27 Oct 2017 at 11:22, Emmanuel Hocdet wrote:
>
> Hi Olivier
>
>> On 27 Oct 2017 at 01:08, Olivier Houchard wrote:
>>
>> Hi,
>>
>> You'll find attached updated patches, rebased on the latest master, and on
>> top of Emmanuel
Hi Olivier
> On 27 Oct 2017 at 01:08, Olivier Houchard wrote:
>
> Hi,
>
> You'll find attached updated patches, rebased on the latest master, and on
> top of Emmanuel's latest patches (also attached for reference).
> This version allows enabling 0RTT per SNI.
> It unfortunately still can't
> On 25 Oct 2017 at 15:45, Emmanuel Hocdet wrote:
>
>
> Hi Olivier,
>
>
>> On 25 Oct 2017 at 14:57, Olivier Houchard wrote:
>>
>> On Wed, Oct 25, 2017 at 02:37:58PM +0200, Emmanuel Hocdet wrote:
>>> Hi,
>>>
>>> . patches
Hi Olivier,
> On 25 Oct 2017 at 14:57, Olivier Houchard wrote:
>
> On Wed, Oct 25, 2017 at 02:37:58PM +0200, Emmanuel Hocdet wrote:
>> Hi,
>>
>> . patch series rebased from master
>> . update openssl 1.1.1 api calls with the new early callback name
>>
Hi,
. patch series rebased from master
. update openssl 1.1.1 api calls with the new early callback name
(https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_client_hello_cb.html)
> On 4 Sept 2017 at 16:39, Emmanuel Hocdet <m...@gandi.net> wrote:
>
> Hi Emeric, Christopher
>
> If you can review when yo
> On 24 Oct 2017 at 19:59, Willy Tarreau wrote:
>
> On Tue, Oct 24, 2017 at 06:58:43PM +0200, Emmanuel Hocdet wrote:
>> It's in #ifdef BORINGSSL and it's an old BoringSSL API call moved to an
>> openssl 1.1.0 compat API call.
>> It's really part
> On 24 Oct 2017 at 18:47, Willy Tarreau wrote:
>
> On Tue, Oct 24, 2017 at 06:26:26PM +0200, Emmanuel Hocdet wrote:
>> okay, patch split in 2 parts :)
>>
>> 1) support OPENSSL_NO_ASYNC #define
>> 2) BoringSSL switch OPENSSL_VERSION_NUMBER to 1.1.0 for com
> On 24 Oct 2017 at 18:04, Emmanuel Hocdet wrote:
>
> Hi Willy
>
>> On 22 Oct 2017 at 10:02, Willy Tarreau wrote:
>>
>> On Tue, Oct 10, 2017 at 06:35:49PM +0200, Emmanuel Hocdet wrote:
>>> Hi,
>>>
>>> BoringSSL switch OPENSSL_
Hi Willy
> On 22 Oct 2017 at 10:02, Willy Tarreau wrote:
>
> On Tue, Oct 10, 2017 at 06:35:49PM +0200, Emmanuel Hocdet wrote:
>> Hi,
>>
>> BoringSSL switches OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility.
>> This patch fixes BoringSSL calls and openssl-comp
> On 3 Aug 2017 at 10:07, Willy Tarreau wrote:
>
> Hi Bernard,
>
> I'm CCing Emeric since this affects SSL. I have some comments below.
>
> On Tue, Jul 25, 2017 at 05:03:10PM +0200, Bernard Spil wrote:
>
>> --- src/ssl_sock.c.orig 2017-06-02 13:59:51 UTC
>> +++ src/ssl_sock.c
>> @@ -5
Hi Sander,
> On 23 Oct 2017 at 11:00, Sander Hoentjen wrote:
>
> Hi Willy,
>
>
> On 10/22/2017 10:02 AM, Willy Tarreau wrote:
>> Hi Manu,
>>
>> On Tue, Oct 10, 2017 at 03:44:07PM +0200, Emmanuel Hocdet wrote:
>>> Hi Emeric,
>>>
>
Hi,
BoringSSL switches OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility.
This patch fixes BoringSSL calls and openssl-compat.h #defines accordingly.
This will not break openssl/libressl compat.
++
Manu
0001-MINOR-ssl-build-with-recent-BoringSSL-library.patch
Hi Emeric,
ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status
is a correct status and the OCSP response should not be dropped.
In the case of a certificate with the OCSP must-staple extension, a response with
'revoked' status must be provided as well as 'good' status.
++
Manu
0001-MINOR-
Hi Olivier,
Great to see a version of a more 'secure' 0-RTT implementation.
> On 2 Oct 2017 at 17:18, Olivier Houchard wrote:
>
> Hi,
>
> The attached patches add experimental support for 0-RTT with OpenSSL 1.1.1
> They are based on Emmanuel's previous patches, so I'm submitting them again,
>
Hi,
> On 14 Sept 2017 at 19:34, Lukas Tribus wrote:
>
> Hello,
>
>
> On 05.09.2017 at 10:00, Willy Tarreau wrote:
>>
>> As I already mentioned (I don't remember to whom), I really don't see *any*
>> benefit in this approach and only problems in fact. By the way, others have
>> attempted
Hi,
server configuration now breaks with:
cfg sample:
listen tls
[…]
server bla 127.0.0.1:8080
[ALERT] 248/130258 (21960) : parsing [/etc/haproxy/test.cfg:53] : 'server bla'
: no method found to resolve address '(null)'
[ALERT] 248/130258 (21960) : Failed to initialize server(s) addr.
+
Hi Willy,
> On 5 Sept 2017 at 10:11, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Mon, Sep 04, 2017 at 04:39:45PM +0200, Emmanuel Hocdet wrote:
>> Hi Emeric, Christopher
>>
>> If you can review when you have time. (3) for Christopher.
>>
>> Th
er of processing between things like session resumption and the
historical servername callback."
> On 4 Sept 2017 at 16:39, Emmanuel Hocdet wrote:
>
> Hi Emeric, Christopher
>
> If you can review when you have time. (3) for Christopher.
>
> This patches all
Hi Emeric, Christopher
If you can review when you have time. (3) for Christopher.
These patches allow supporting native multicert selection (RSA/ECDSA) and
ssl-min-ver/ssl-max-ver per certificate with openssl 1.1.1 (boringssl is the
only
one to support this until this patch).
patches:
1) Conver
Hi Thierry,
This patch is related to the "Capturing browser TLS cipher suites" thread.
I think it will match the initial need but without internal ssl structure
usage, and
works with openssl 1.0.2 to 1.1.1 and boringssl.
++
Manu
0001-MINOR-ssl-rework-smp_fetch_ssl_fc_cl_str-without-int.patch
Hi Willy, Emeric
Can you consider it?
++
Manu
> On 9 Aug 2017 at 19:07, Emmanuel Hocdet wrote:
>
> Hi Willy,
>
> Patch is not related to openssl version x. It's an internal structure cleanup.
> I don't label it as CLEANUP because it removes a potential source of
Hi Christopher, Willy
SSL_CTX_get0_privatekey in openssl-compat.h can't work because of internal
structure usage.
Christopher, your original workaround is the only way I see.
Patch to fix that:
++
Manu
0001-BUILD-ssl-replace-SSL_CTX_get0_privatekey-for-openss.patch
Hi Willy,
Patch is not related to openssl version x. It's an internal structure cleanup.
I don't label it as CLEANUP because it removes a potential source of errors
(this is debatable).
If you can consider it.
Thanks.
Manu
0001-MINOR-ssl-remove-duplicate-ssl_methods-in-struct-bin.patch
Hi Aleksandar,
> On 9 Aug 2017 at 13:39, Aleksandar Lazic wrote:
>
> Hi,
>
> Today I have tried to recreate the WAF.
>
> I received this error at build time.
>
> ###
> + cd /usr/src
> + git clone http://git.haproxy.org/git/haproxy.git/
> Cloning into 'haproxy'...
> + make -C /usr/src/hapr
> On 9 Aug 2017 at 11:13, Willy Tarreau <w...@1wt.eu> wrote:
>
> On Wed, Aug 09, 2017 at 10:26:54AM +0200, Emmanuel Hocdet wrote:
>>> On 9 Aug 2017 at 08:37, Willy Tarreau <w...@1wt.eu> wrote:
>>>
>>> Hi Manu,
>>>
>>> On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote:
>>>> Hi Willy, Emeric, Christ
> On 9 Aug 2017 at 08:37, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote:
>> Hi Willy, Emeric, Christopher
>>
>> The new patch is much simpler:
>
>> From f2918c87910f3ba18a2536eee5f4b95
Hi Willy, Emeric, Christopher
The new patch is much simpler:
++
Manu
0001-MINOR-ssl-allow-to-start-without-certificate-if-stri.patch
> On 28 July 2017 at 23:24, Willy Tarreau wrote:
>
> On Fri, Jul 28, 2017 at 07:17:24PM +0200, Emmanuel Hocdet wro
> On 28 July 2017 at 18:43, Willy Tarreau wrote:
>
> On Fri, Jul 28, 2017 at 06:01:10PM +0200, Emmanuel Hocdet wrote:
>>
>>> On 28 July 2017 at 17:48, Emmanuel Hocdet wrote:
>>> I propose:
>>> strict_sni is set and generated_cert is not s
> On 28 July 2017 at 17:48, Emmanuel Hocdet wrote:
>
>>
>> On 28 July 2017 at 17:13, Willy Tarreau wrote:
>>
>> On Fri, Jul 28, 2017 at 05:04:16PM +0200, Emmanuel Hocdet wrote:
>>> I talk with the case we don't want a default cert. With stric
> On 28 July 2017 at 17:13, Willy Tarreau wrote:
>
> On Fri, Jul 28, 2017 at 05:04:16PM +0200, Emmanuel Hocdet wrote:
>> I'm talking about the case where we don't want a default cert. With strict-sni the "fake"
>> default_cert can be used if it has sni (I don't want that i
> On 28 July 2017 at 16:24, Christopher Faulet wrote:
>
> On 28/07/2017 at 12:41, Emmanuel Hocdet wrote:
>> A useless certificate should be provided with haproxy configuration? It's
>> definitely a workaround. It's legacy from pre-SNI.
>
> Not really.
> On 28 July 2017 at 15:37, Christopher Faulet wrote:
>
> On 28/07/2017 at 14:28, Emmanuel Hocdet wrote:
>> . fix generate_certificates issue
>> perhaps it's simpler to do:
>> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>> index c71c2e3..311d465
Hi Willy
thanks!
> On 28 July 2017 at 15:23, Willy TARREAU wrote:
>
> Hi Manu,
>
> thank you!
>
> I've just applied a minor change below:
>
> - int verify:2; /* verify method (set of SSL_VERIFY_* flags)
> */
> + int verify:3; /* verify method (set of S
guration statements, but
> we usually take care using this word.
>
> Willy, would you clarify that point?
>
> R,
> Emeric
>
> On 07/10/2017 05:45 PM, Emmanuel Hocdet wrote:
>>
>> Hi Bas,
>>
>>> On 10 July 2017 at 17:05, Wolvers, Bas wrote:
> On 28 July 2017 at 12:41, Emmanuel Hocdet wrote:
>
>
> Hi Christopher
>
>> On 28 July 2017 at 11:08, Christopher Faulet <mailto:cfau...@haproxy.com> wrote:
>>
>> On 27/07/2017 at 18:16, Emmanuel Hocdet wrote:
>>> Hi Willy
Hi Christopher
> On 28 July 2017 at 11:08, Christopher Faulet wrote:
>
> On 27/07/2017 at 18:16, Emmanuel Hocdet wrote:
>> Hi Willy, Emeric
>> Can you consider this patch? I think it's safe and it does not depend on any
>> openssl version.
>> (It's possible s
Hi Willy, Emeric
Can you consider this patch? I think it's safe and it does not depend on any openssl
version.
(It's possible since patch f6b37c67)
++
Manu
> On 16 June 2017 at 10:48, Emmanuel Hocdet wrote:
>
>> On 15 June 2017 at 16:42, Simos Xenitellis wrote:
>
dev will be a good step.
Emeric or Willy must find time to review and consider the merge.
++
Manu
> Best regards,
>
> Bas
>
> -Original Message-
> From: Emmanuel Hocdet [mailto:m...@gandi.net]
> Sent: Monday 10 July 2017 17:46
> To: Wolvers, Bas
> Cc: haproxy@
Hi Kevin,
> On 26 July 2017 at 18:39, Kevin McArthur wrote:
>
> Interesting. I'd probably recommend not pushing this patch out then until
> this can be fixed as it will be trivial to resource-exploit a haproxy
> instance that is exhibiting a client-controlled retry. A quick try with a
> sc
> On 19 July 2017 at 15:37, Emmanuel Hocdet <m...@gandi.net> wrote:
>
>> On 19 July 2017 at 14:54, Willy Tarreau <w...@1wt.eu> wrote:
>>
>> Hi guys,
>>
>> On Wed, Jul 12, 2017 at 03:36:24PM +0200, Emeric Brun wrote:
>>> Same worries, the openssl 0.9.8 is still maintained in redhat 5 so we should
>>> be able to
so I checked and this patch is OK with 0.9.8zh, 1.0.0t, 1.0.1u and 1.0.2k,
> so I merged it.
>
Thanks!
> However Manu, the following patch broke 0.9.8 and 1.0.0 :
>
> commit 0594211987351eaf521577b798a3a461b043710c
> Author: Emmanuel Hocdet
> Date: Mon Feb 20 16:11:5
ssl related changes.
>
oops indeed
> On Wed, Jul 12, 2017 at 02:54:16PM +0200, Emmanuel Hocdet wrote:
>>
>> Hi Willy,
>>
>> I would like you to consider these patches because Christopher's patch is false
>> and
>> doesn't support other ssl lib
Hi Willy,
I would like you to consider these patches because Christopher's patch is false and
doesn't support other ssl libs and openssl >= 1.1.0.
I sent my original patch with more comments and another with a little cleanup:
++
Manu
0001-BUG-MINOR-ssl-remove-haproxy-SSLv3-support-when-ssl-.pat
Hi Bas,
> On 10 July 2017 at 17:05, Wolvers, Bas wrote:
>
> Hi Emmanuel,
>
> I finally found time to test your patch.
>
> It works, but you can't seem to turn it off.
> no-ca-names seems to be active regardless of the option in the config file.
>
oops, I failed the double negation.
fix patc
Hi Willy
> On 5 July 2017 at 18:38, Willy Tarreau wrote:
>
> Hi guys,
>
> back to this old discussion.
>
> On Fri, May 12, 2017 at 04:10:20PM +0200, Willy Tarreau wrote:
>> On Tue, May 09, 2017 at 12:12:42AM +0200, Lukas Tribus wrote:
>>> Haproxy can verify the certificate of backend TLS s
Hi Willy, Patrick
> On 30 June 2017 at 07:00, Willy Tarreau wrote:
>
> Hi Patrick, sorry for the delay :-/
>
> On Mon, Jun 19, 2017 at 01:54:36PM -0400, Patrick Hemmer wrote:
>> Well my argument for keeping the name starting with `ssl_fc_session_` is
>> that there is also `ssl_fc_session_id`.
> On 19 June 2017 at 15:06, William Lallemand wrote:
>
> On Mon, Jun 19, 2017 at 11:26:31AM +0200, Emmanuel Hocdet wrote:
>>
>> Exactly, use case is to upgrade haproxy from a 1.6/1.7/1.8 compatibility to
>> 1.8 with master worker.
>>
>
> That's
> On 16 June 2017 at 18:49, William Lallemand wrote:
>
>
> On Fri, Jun 16, 2017 at 05:28:51PM +0200, Emmanuel Hocdet wrote:
>> Hi,
>>
>
> Hi Emmanuel,
>
Hi William
>> I try to play with that, but I'm a little confused by the behaviour.
>
Hi,
I try to play with that, but I'm a little confused by the behaviour.
In my test, I alternately use haproxy upgrade and worker reload (via USR2).
Start with upgrade:
# /usr/sbin/haproxy -f /var/lib/haproxy/ssl/ssl.cfg -p /var/run/haproxy_ssl.pid
-D -W -n 131072 -L ssl_1 -x /var/run/haproxy/s
Hi Patrick, Lukas
> On 13 June 2017 at 19:26, Lukas Tribus wrote:
>
> Hi Patrick,
>
>
>> On 13.06.2017 at 01:31, Patrick Hemmer wrote:
>>
>>
>> On 2017/6/12 15:14, Lukas Tribus wrote:
>>> Hello,
>>>
>>>
>>> On 12.06.2017 at 19:35, Patrick Hemmer wrote:
Would we be able to get a n
> On 15 June 2017 at 16:42, Simos Xenitellis wrote:
>
> On Mon, Jun 12, 2017 at 5:21 PM, Emmanuel Hocdet wrote:
>> In haproxy 1.8dev, the default certificate can now be optional.
>> This patch allows that.
>>
>
> Thanks Manu for looking into this.
> On 15 June 2017 at 16:18, Emmanuel Hocdet wrote:
>
>
>> On 15 June 2017 at 14:37, Willy Tarreau <mailto:w...@1wt.eu> wrote:
>>
>> Hi Manu,
>>
>> On Thu, Jun 15, 2017 at 02:17:01PM +0200, Emmanuel Hocdet wrote:
>>> T
> On 15 June 2017 at 14:37, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Thu, Jun 15, 2017 at 02:17:01PM +0200, Emmanuel Hocdet wrote:
>> The mistake is from commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation
>> is
>> reworked and factored for min/m
> On 14 June 2017 at 18:09, Emmanuel Hocdet wrote:
>
>
>> On 14 June 2017 at 16:43, Willy Tarreau wrote:
>>
>> On Wed, Jun 14, 2017 at 03:11:28PM +0200, Christopher Faulet wrote:
>>> Hi,
>>>
>>> HAProxy compilation fails if Open
> On 14 June 2017 at 16:43, Willy Tarreau wrote:
>
> On Wed, Jun 14, 2017 at 03:11:28PM +0200, Christopher Faulet wrote:
>> Hi,
>>
>> HAProxy compilation fails if OpenSSL 1.0.2 is compiled without the support
>> of SSLv3 methods (SSL3_server_method and SSL3_client_method). The manpage
>> SSL_