Hi Merton,
Hi Cyril,
Yes, I tried make clean first before compiling and still the same
problem on 10.04 LTS.
Are you compiling on the same machine that is crashing, correct?
You cannot mix executables from a more recent box, because openssl,
pcre headers will not match the running
Hi,
Can it be just a coincidence to reach exactly 2000 connections while
the maxconn in haproxy -vv default maxconn value is also 2000??
Yes, because it's unrelated.
I don't see any errors like 503 or other..
If you don't see 503 errors, then it's not maxconn limiting your
connection
Hi Bahri,
How can I change the value of maxconn, or how can I activate the value
in haproxy.cfg
Just configure maxconn in the global section.
global
maxconn XYZ
Btw, please read the manual, those things are very well
documented [1].
Regards,
Lukas
[1]
Hi Lukas,
Hi, please respond to the mailing list!
Thanks for reply but i have already set this value in the global
section of haproxy.cfg file..
I see.
My problem is that it ignores the value i have entered..
Why do you think it's ignoring the values?
Do you see 503 responses towards
Hi Guillaume,
Hi all,
I’m currently facing an issue and I do not figure how to workaround it.
- Some big picture:
I have a backend that receive file uploads. It checks the upload size
and if the maximum upload file size is reached, send immediately a 413
request entity too long with a
Hi Jeffrey,
Below is my haproxy config, I have 1 server and 1 backend for testing
This is a Wt wthttpd app, with no Apache loaded,
Problem I have is that the path to the app seems to change when running from
port 80 or haproxy,
meaning I lost all my style sheets and resources, not sure
Hi Guillaume,
I made a small quick and dirty TCP server that mimic this behaviour to
use as a backend (see attached).
Then I send posts like this:
curl -H Expect: -F file=@big-file -v http://haproxy-ip/
Thanks, but it works for me (tm). In both latest (git) and 1.4.25 curl
sees the 413
Hi Martin,
Hi,
I'm trying to configure HAProxy so that on one specific domain users
authenticate with a SSL Client certificate.
The Load Balancer has one public IP address and has a frontend
configured which is bind to port 443:
bind *:443 ssl crt ./haproxy/
I selected the
Hi,
I add an option maxconn after keyword server. When haproxy face
high volume of requests (about 2 concurrent requests), it return
many 503 page
Of course it will.
You would like to serve 2 concurrent requests, but your 6 servers
only support 180 concurrent connections each.
Hi,
Hi, list
Tried to build with USE_STATIC_PCRE=1 but failed, error:
.. ebtree/ebistree.o -L/usr/local/Cellar/pcre/8.35/lib -Wl,-Bstatic
-lpcreposix -lpcre -Wl,-Bdynamic
ld: unknown option: -Bstatic
clang: error: linker command failed with exit code 1 (use -v to see
invocation)
Hi Diana,
open(/opt/etc/ca.d/, O_RDONLY) = 3
This (the non working instance) tries to open the
directory, while ...
open(/opt/etc/ca.d/ca.crt, O_RDONLY) = 3
here (the working instance) we appear to directly
open the crt file.
Can you double check that the configuration is exactly
the same
Hi,
Below is the snapshot of strace output, 1st block showing error if
loading ca-file from directory and 2nd block showing no error if
loading ca-file from a file:
I think ca-file doesn't support directories, only the crt option
supports directories.
If you need to specify a CA (to
Hi Igor,
Hi, list
I enable OCSP with empty .ocsp file, but it seems not work,
https://www.ssllabs.com/ssltest/ reports OCSP No.
If do openssl ocsp -issuer s.pem.issuer -cert s.pem -url
http://ocsp.startssl.com/sub/class2/server/ca -header HOST
ocsp.startssl.com -respout s.pem.ocsp, so
Hi Diana,
The ca-file loading from directory failed in 2.6.18 system with this
message during startup:
unable to load CA file '/opt/etc/ca.d/'.
It seems to me the HAProxy in this system doesn't support directory
loading ca-file?
However, in 2.6.32 system the HAProxy started up
Date: Tue, 24 Jun 2014 07:33:41 +0200
From: w...@1wt.eu
To: hapr...@stormcloud9.net
CC: haproxy@formilux.org; rachel.chave...@gmail.com
Subject: Re: 3rd regression : enough is enough!
Hi Patrick,
On Mon, Jun 23, 2014 at 09:30:11PM -0400, Patrick
Hi Markus,
as far as I understood I need this if I use Diffie-Hellman to generate the
session key. I need a special dh-key, right? If I don't use this I don't
need to set the tune-ssl param.
No, that's not really correct. You need the dh parameters for DHE ciphers and
that fact that this
Hi everyone,
The list has been unusually silent today, just as if everyone was waiting
for something to happen :-)
Today is a great day, the reward of 4 years of hard work. I'm announcing the
release of HAProxy 1.5.0.
Very nice! Thanks to everyone working and contributing to haproxy!
I
Hi Markus,
with dev26 and now the release of version 1.5. I get the following
warning when starting haproxy:
Starting haproxy: [WARNING] 170/090803 (38826) : Setting
tune.ssl.default-dh-param to 1024 by default, if your workload permits it
you should set it to at least 2048. Please set a
Hi,
Is it possible to use HTTP keep-alive between haproxy and
backend even if client does not use it?
Client closes connection, but haproxy still maintains open
connection to backend (based on some timeout) and re-use it
when new request arrives.
It will save some time for new connection
We use haproxy as the load balance. When the HTTP request reach 20K
requests per second, in statistics report, we observed too many 4xx
request in frontend, nearly about 25%
In page http://haproxy.1wt.eu/10g.html, the max http requests per
second is 40K.
Where can I find the script
Hi Sasha,
Attached is the patch that incorporates Thierry's fixes, and places
HTTP_RULE_RES_BADREQ where it belongs. I noticed another problem and
fixed it - if http-response/http-request was used with an invalid
action keyword, the error message failed to mention
Hi,
Lukas - the error message fix is part of the feature. Now that we
support replace-header/modify-header actions if the user names the
wrong action we must include those in the list of correct possibilities
in the parsing error message - something I neglected to do earlier.
Ok,
Hi!
Hi,
Maybe a stupid question but if I download version 1.5-dev26, all the
latest patches are present in this version or should I apply too?
No, dev26 was released May, 28th and doesn't contain any newer code.
To get more current code I suggest to use git, you just need 2 commands:
Hi,
But yesterday, when Sasha sent his email, I also made some tests :
$ time git clone -q http://git.haproxy.org/git/haproxy.git/
real 4m37.767s
user 0m27.260s
sys 0m23.252s
I'm not surprised, the repository had a ton of objects and had not been
repacked in a year or so.
I can
Hi Sasha,
I observed that git clone http://git.1wt.eu/git/haproxy.git/ is
extremely slow - at least for me in the United States.
git.1wt.eu has been recently deprecated and is no longer the
official mirror, please use git.haproxy.org as per [1].
I do realize the links on the website point
Hi Jason,
In further tests, I adjusted the bind line to the following (explicitly
defining a second key)
bind ip:443 ssl crt nfs/default.pem crt nfs/site2.pem crt
local crt nfs strict-sni
Accessing site2 with the above bind line worked correctly.
I'm not sure if it's a good idea to
Hi,
yes, starting haproxy as root, but haproxy.conf
uid 6003
gid 6003
Well, it appears that PCRE with JIT enabled need access
to those files. Not sure whether read access is enough.
Why is PCRE in /home/software?
Can you show the output of haproxy -vv?
Maybe we should move some of the
Hi John,
Hi, we've been using haproxy 1.5 for quite a while, and haven't really
run into any major issues until we upgraded from dev24 to dev25.
Starting with dev25 we saw an issue where haproxy doesn't seem to be
reliably closing connections after sending a response if the client
uses
Hi Willy,
It does not bug if I use a redirect instead of a server however. Now
trying to find the cause.
OK I found it. It was indeed another side effect of the CD/SD patch :-(
I've pushed the fix which reliably works for me, it's available here :
Hi,
haproxy -vv
HA-Proxy version 1.5-dev26-2e85840 2014/05/28
Copyright 2000-2014 Willy Tarreau w...@1wt.eu
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1
Hi Vigna,
I need an help, we are using haproxy version dev26 and we are trying to
connect sql developer to connect oracle database via haproxy but the
issue is when we use rule acl for switching between different host, it
is not working but when we use default_backend it is working fine.
That can only work for encrypted HTTP traffic or SSL encrypted traffic
based on SNI.
That statement is bogus, what I meant was:
Content-switching works based on a specific header, like the Host Header
when using cleartext HTTP traffic or the SNI header when using SSL
traffic.
Regards,
Hi Jason,
I believe I've figured out the error of my ways.
I recently changed where I'm generating SSL keys, in order to push keys to a
R/O mount for the FE server, letting a back-end server handle the security
aspects.
The openssl on the backend/generator system is 1.0.1-4ubuntu5.14, the
Hi,
make TARGET=linux26 ARCH=x86_64 USE_PCRE=1 USE_PCRE_JIT=1
USE_OPENSSL=1 USE_ZLIB=1 PREFIX=/usr/local/haproxy
mkdir /etc/haproxy
cp examples/haproxy.cfg /etc/haproxy
cp examples/haproxy.init /etc/init.d/haproxy
chmod ug+x /etc/init.d/haproxy
chkconfig --add haproxy
Hi guys,
Hi Manfred,
On Tue, Jun 3, 2014 at 11:12 AM, Manfred Hollstein
mhollst...@t-online.de wrote:
Can you try if curl -k http://proxy.prod:8080/health; works? If I'm not
mistaken, https:// implicitly uses port 443, but don't know how the
Hi Jason,
Hi,
I'm wondering how I can set up a simple ACL that is based on a field in
the Subject DN of the cert.
I want to restrict access to the backend matching %[ssl_c_s_dn(uid)] as
part of the URL.
Example:
URL for UID = 1234 would match /abc/1234/xyz
I've tried:
Hi,
Hey,
I had asked earlier about fixing problems with 504 errors by increasing
timeouts, which helped a great deal. The problem is CPU usage is up to
as high as 100% very frequently, which is worrying me.
Haproxy (userspace) or system (kernel)? Does haproxy stop responding to
Hi,
Has anyone opened a bug against Chrome for this behavior (did a brief search
and didn't see one)? I'd be interested in following it as this behavior will
likely have an impact on an upcoming project I've got.
-Patrick
Hi Patrick,
yes:
Hi,
Well, here I'm seeing a standard 408 after 2 seconds which should match
a timeout http-request of 2 seconds. Can you check if you don't have one ?
Also, this observation from the logs doesn't seem consistent with your first
claim that the 408 is immediate, here it's only after 2
Hi,
Hi
Thanks for your reply.
After reading the doc of the option, this option is useful but I'm not
sure for my case.
In fact the 408 are received immediately, with no delay or timeout when
browsing the website.
I indeed with the option still 408 errors
Maybe any other ideas ?
Hi,
What happens if you also have DH appended to your certificates? You set
global.tune.ssl_max_dh_param to 1024 but you have a 4096bit DH in your
certificate file, which one is used then? An answer could be 'Don't do
that' :-) but I was curious.
The certificate's dh_param is used. To avoid
Hi Patrick,
While going through the Qualys SSL test
(https://www.ssllabs.com/ssltest), one of the items it mentions is a
DoS vulnerability in regards to client-side initiated SSL renegotiation
Hi Thomas,
This was somewhat complex. I am using OpenWrt for HAProxy with eglibc.
I see. Are you using local gdb on this box or are you transferring
executable and core to another box and backtracing there?
So HAProxy crashes as soon as acl tries to use
acl ex_de hdr_reg(host) -i
Hi,
Please take consider my description from github
What are saying? Did you open an issue against one
of the haproxy forks on github? There is not official
haproxy repository on github.
Please explain your issue fully here on the mailing-list.
and please send me lines that i have to
Hi Philipp,
has anyone achieved to load-balance a SAProuter behind a HAproxy?
SAProuter is a little piece of software that takes a TCP session on
Port 3299 and forwards it to the backend SAP-ERP Systems. It has one
frontend IP and one TCP Port.
As far as I see it, it should be quite
Hi Thomas,
In the last commit for HAProxy 1.5dev25,
0014-MINOR-fix-a-few-memory-usage-errors, the process crashes
when the first connect comes in.
--
Thu May 15 18:44:21 2014 kern.info kernel: [589854.655404]
haproxy[22649] general protection ip:6a8279b89ceb sp:775da6be3cb0
error:0 in
Hi Simon,
Hi, Lists,
I found haproxy 1.4.25 can not set mss on FreeBSD 10-stable as below:
# /usr/local/sbin/haproxy -f /opt/etc/haproxy.conf
[WARNING] 132/170407 (71806) : Starting frontend http-in: cannot set MSS
The set MSS code is straightforward, it's your OS's TCP stack that doesn't
let
Hi Willy,
Hi all,
we're almost done!
Now the bind-process mess is fixed so that we now support per-listener
process binding using the process bind keyword, which ensures that
we won't need to change the config format during the stable release if
we want to slightly improve it. And that
Did you force any specific cflags on your makefile ? By default we
build with -fno-strict-aliasing specifically to avoid this.
Ah, I see what's going on.
I specified CFLAGS on the command line via:
make CFLAGS=-g -O3 [...]
Which is overwriting a lot of things in the Makefile, including
No it's simpler, just define a new set of per-CPU options like I do
for development :
make -j 4 CC=gcc TARGET=linux2628 CPU=native CPU_CFLAGS.native=-O0
Thanks!
Lukas
Hi!
Hi John,
On Fri, May 09, 2014 at 11:54:56AM +0200, John-Paul Bader wrote:
Hey Willy,
I have just applied the patch and will run another test after lunch.
Since we're testing with live traffic I can't leave it unattended :)
Just out of curiosity, is this a bug that affects also Linux
Hi Willy,
Hi Lukas,
Reviving this old thread.
On Mon, Apr 14, 2014 at 11:24:53AM +0200, Lukas Tribus wrote:
this is to request comments regarding the removal of bsd and osx Makefiles.
It was proposed by Willy Tarreau, the reasons are:
- osx and bsd Makefiles don't support USE flag, so
Hi Willy,
When it uses the private cache, I would also have to change the
configuration to allow ssl sessions over multiple http requests right?
No you don't need to change anymore, what Emeric's patch does is to
reimplement a hand-crafted spinlock mechanism.
Two slightly unrelated
Hi John,
Hi, I'm using 1.5-dev24 on Linux (2.6.32) and having problems getting
transparent to work with ipv6 addresses.
The problem is your kernel, you need at least linux 2.6.37 to do this.
Regards,
Lukas
Hi,
Hello,
I have few backends which are routed to regarding of URL path. Also one
of servers uses NTLM.
As it was written on many places NTLM can only function with tunnel
mode enabled. I understand that, but have some other backends that do
not work well unless there is option
Hi,
Hi!
I have installed HAProxy 1.4.25 and installed stunnel to receive requests
over https, but I failed to get the real IP of the client; therefore,
HAProxy receives all requests with the same IP and my setup has balance
source, which obviously sends all requests to the same backend.
How
Hi Oskar,
I upgraded from 1.5-dev22 to 1.5-dev24 and it appears the following ACL
no longer matches anything:
acl allowed_paths path_beg -i /areas/ /api/v1/ /content/ /help/
/js/ /login/ /scripts/ /session/ /demo/
Even if the request path is something like
Hi,
I'm currently attempting to replace our commercial Loadbalancer with SSL
termination with haproxy. I'm running it on FreeBSD 9.2 Stable.
We have thousands of requests per second and for a while everything runs
extremely smooth. No queues are running full, machine load is at 0.5,
Hi Remi,
The default value for max-dh-param-size is set to 1024, thus keeping
the current behavior by default. Setting a higher value (for example
2048 with a 2048 bits RSA/DSA server key) allows an easy upgrade
to stronger ephemeral DH keys (and back if needed).
Please note that Sander
Hi Rachel, hi Willy,
just a few comments about coding style, unrelated to the discussion about
the actual code:
+if(s-req-flags CF_READ_TIMEOUT)
+{
You can move the opening square bracket to the first line (as we do in
the rest of the code).
@@ -2401,9
Hi Andrey,
# acl CX(custcare_cu)
acl is_custcare_cu url_beg /custcare_cu
# VIX-s
default_backend vix
backend custcare_cu
balance roundrobin
cookie SERVERID insert indirect nocache maxlife 24h maxidle 8h
server s1cm1_cx_cu s1cm1:8088 check port 8088 cookie cx_cu3 weight 100
server
Hi Seri,
Hi,
I've tested recent 1.5-dev24(a631fc8) git code.
In frontend,
option http-keep-alive
In backend,
balance uri or balance url_param
option http-server-close
In above configuration, server response is delayed or fail.
In a quick and unscientific test I was unable to
Hi,
Hi,
I have a map configuration as below
** haproxy configuration file
frontend http-in
...
use_backend %[req.fhdr(host),lower,map_dom(/etc/haproxy/host_to_backend.map)]
...
backend www.a.com
server www1 1.1.1.1:80
backend m.www.a.com
server m.www1 2.2.2.2:80
**
Hi Andrey,
Hi! I use options option http-server-close for my haproxy. And I
faced with next problems: After logging on my site (ISSA), customers
execute different steps and their logout on the start page for enter
log/pass.
Are you saying that persistence doesn't work? You need to be more
Hi,
- recommit the patch I submitted as it is, and let users concerned with
the CPU impact use static DH parameter in the certificate file.
What do you mean by use static DH parameter in the cert file ? Is this
something the user can decide after the cert is emitted ? Is it something
easy
Hi,
I've disabled sslv3 and use certificates with 4096bits keys. I know 4096
bits keys are a bit over the top, but while testing the impact seemed to
be acceptable so I thought 'What the heck, let's just use it'
Thats it, with Remi's patch your dhparam was upgraded to 4096bit, we
assumed
Hi,
At this moment i also have a lot of errors:
0/0/0/-1/317 400 187 - - CH-- 30142/19850/93/4/0 0/0 POST
In docs it describes as:
The client aborted while waiting for the server to start responding.
It might be the server taking too long to respond or the client
clicking the 'Stop'
Hi,
I've checked my own logs and found SSL handshake failures starting
on April 8th, or the day after Heartbleed was disclosed, as can be
seen below with the number of errors per day :
Yes, please everyone specify whether there are actually users reporting
this behavior, or if this is a log
Sorry about that. I see it on the mailing list archive, but not in my
client :-(
Probably caught by a spam filter, I did respond directly to you and the
mailing list.
Yes, I can reliably reproduce the issue. Here's another one with pcaps
of the eth0 and lo interfaces.
Can you also
Hi Chris,
We are running 1.4.24 for an application that sees almost entirely small
http requests. We have the following timeouts:
timeout client 7s
timeout server 4s
timeout connect 4s
timeout http-request 7s
There are a significant number of cR/http-408 responses in the logs.
The docs
Hi Guys,
Firefox will most likely move to OCSP stapling only in the next 3 to 6
months. Classic OCSP is too slow, and too error prone.
FYI, Chrome does not do classic OCSP as well, but with the recent
heartbeat openssl bug, OCSP stapling in combination with a
OCSP Must Staple may be what
Hi Shweta,
I have an active HTTP session serviced through the haproxy's virtual ip
and load balanced to one of the virtual servers. If the master haproxy
instance goes down in the middle of the active HTTP session, can the
backup haproxy instance that takes over the virtual ip ,know that
Hi Patrick,
With 1.5-dev22, we have a scenario where haproxy is saying the client
closed the connection, but really the server is the one that closed it.
Here is the log entry from haproxy:
haproxy[12540]: 10.230.0.195:33580 storage_upd
storage_upd/storage_upd_2 0/0/0/522/555 0/0/0/0/0 0/0
Hi,
Dear Sir
Can you help me about how to redirect request in case if one of the
server is down. Is there any command for this or I have to change in
configuration file.
Please respond to the mailing list, not me directly.
I refer you to the documentation for informations about
Hi,
Can you compile with CFLAGS=-g -O0 in the make command, to avoid that
the compiler optimizes out to much and provide the gdb output of
backtrace full?
Strange, after a full cleanup and rebuild it doesn't segfault anymore,
so please disregard this and apologies for the noise.
Can you
Hi,
Migrating to linux.
Like Willy explained, BSD and OSX continue to be fully supported with GNU
make, the proposal is just to drop the specific Makefiles, which is obsolete
anyway, because of a lot of missing features (like zlib).
This will actually simplify building haproxy under OSX
Hi,
Hi Lukas,
I am doing testing on both load balancer.
1. Haproxy
2. Zen load balancer
I have installed both on different machines and both are working fine.
Now I want that if a 50X error occurs then the request is forwarded to the 2nd web server, if
again 50X error occur on this server than it
Is any other solution for fixing my problem by using haproxy or Zen
load balancer.
Not that I know, but you got a better chance of someone responding
to your question if you answer to the mailing list, like I said.
Regards,
Lukas
Hi,
I have configured haproxy on my server for load balancing of 2 servers.
haproxy service is running properly as it should be. But I want your
help as i am facing a problem. I want to redirect request from server1
to server2 in case server1 gives error like 403.
That's not supported,
Hi,
key is certainly to do some fair amount of testing, don't use a release
with a lot of very recent activity, but let it cool down a few days,
or better, 1 - 3 weeks (and then check fixed bugs 'git log --oneline \
v1.5-devXY..master | grep BUG' to see if anything is relevant for you).
You
Hi,
Hi Team,
I have installed the haproxy load balancer and it is working fine. But some
issues occur in the load balancer.
1. If any error occurs in the response from the web server, errors like 40X, 50X,
then haproxy load balancer forward request to previous or next server.
Is it possible in zen load
Hi list,
this is to request comments regarding the removal of bsd and osx Makefiles.
It was proposed by Willy Tarreau, the reasons are:
- osx and bsd Makefiles don't support USE flag, so they can't be used if
SSL, ZLIB and other specific features requiring USE flags are needed
- it can be
Hi Volker,
Sometimes, the Serverhello/Clienthello contains an empty session ID.
Is it possible that HAProxy has problems with this behaviour?
If there is no session id, HAproxy can't fix the session to a server.
Any idea?
There is a good chance that your backend supports both SSL
Hi,
Fails for me when compiling with USE_GETADDRINFO:
src/standard.c: In function 'str2ip':
src/standard.c:554:6: error: 'global' undeclared (first use in this
function)
src/standard.c:554:6: note: each undeclared identifier is reported only
once for each function it appears in
Hi,
when you say “current version”, do you mean the 1.5 dev version? I’m
running 1.4 right now, but it's not production, so I can easily
“upgrade” if that is required …
He means latest git master, not a dev release. So you have to clone
from the git repository:
git clone
Looks like there are currently multiple issues in the build system when
using openbsd.
Go back to dev19, install gmake and compile with:
$ gmake TARGET=openbsd CPU=native USE_ZLIB=1
Actually, you can stick to dev22 as long as you use gmake instead of make.
The issue that caused the build
Hi Jorge,
I changed line 72 for include -lz
root@haproxy01 $ make -f Makefile.bsd USE_ZLIB=1
gcc -Wall -Iinclude -Iebtree -O2 -DENABLE_POLL -DENABLE_KQUEUE
-fno-strict-aliasing -DBUFSIZE=8030 -DMAXREWRITE=1030
-DSYSTEM_MAXCONN=1024 -DCONFIG_HAPROXY_VERSION=\1.5-dev22-1a34d57 \
Hi,
These are happening at startup only and are a direct consequence of
using getaddrinfo().
Ah indeed I didn't notice the destination port is zero, so they're just
used to check whether the protocols are supported or not! Thanks for
enlightening me on this! So this is not a problem in
Hi,
Hello.
Sorry for my little problem.
My workstation is linux centos.
I edit Makefile.bsd direct with vi in openbsd.
Maybe makefile.bsd corrupt in dev22, in dev19 no problem for compile.
I will Tomorrow install gmake.
Looks like there are currently multiple issues in the build
Hi,
I would suggest that it will not harm even if you relax the check for
client hello too as the old client can using SSL 3.0 is still supported
and its according to RFC
I disagree. SNI is documented as a TLS extension and unsupported in SSLv3.
RFC3546 and RFC6066 are the relevant RFCs, not
Hi,
I think the next version may or may not contain the same client hello
format if it allows i don't have any issues if it doesn't allows then
the code may crash or it may return bad value for SNI. I just suggested
it for safety reasons, it's just my input.
If HAproxy would crash, we
Hi,
Ok fine you can be forward compatible but I still don't agree, it's my
personal opinion if I don't know what the packet format for next
version why should I support it.
Because we are talking about an industry standard with a huge user base
and it is very likely that next version will be
Hi,
On Fri, Apr 11, 2014 at 02:09:09PM +0200, Nenad Merdanovic wrote:
Why are we using gethostbyname() first if USE_GETADDRINFO is enabled?
Probably only because that's what we used to do for over a decade in fact.
Getaddrinfo() used to work very badly on a large number of platforms,
Hi,
It's not a matter of opinion but specification. If the packet format is
specified as being exclusively for 3.0..3.3, then we should only match
this. If it's specified as part of TLS for which only versions 3.0 to
3.3 are currently defined, then we must apply the default rule specified
Hi Willy,
So in my opinion, since the protocol is designed to be backwards and
forwards compatible, and uses minor version for newer extensions, there
is no reason for limiting ourselves to TLSv1.2 for extensions that
exist since 1.0 and will certainly continue to be supported by later
Date: Thu, 10 Apr 2014 15:22:43 +0200
From: w...@1wt.eu
To: tattiprav...@gmail.com
CC: haproxy@formilux.org
Subject: Re: Query regarding extracting ssl hello sni.
On Thu, Apr 10, 2014 at 06:30:26PM +0530, Pravin Tatti wrote:
I think you still
Hi,
I can have a look at it.
Meta-Question: Which source has to be taken
to make a patch against?
Current git master. Clone the repository with:
git clone http://master.formilux.org/git/people/willy/haproxy.git/
README contains some hints howto contribute.
Regards,
Lukas
Hi,
Basically we just need to relax the record layer check to SSLv3 - and
leave the clienthello check as is, right?
Does the attached diff do the job for you correctly, Pravin?
I have reproduced the issue with gnutls and can confirm that the patch
fixes the problem.
The function now
SNI is a TLS extension and requires at least TLSv1.0 or later, however
the version in the record layer may be SSLv3, not necessarily TLSv1.0.
GnuTLS for example does this.
Relax the record layer version check in smp_fetch_ssl_hello_sni() to
allow fetching SNI values from clients indicating SSLv3
Hi Willy, hi David,
On Tue, Apr 08, 2014 at 06:48:47PM -0400, David S wrote:
Thank you Lukas.
Here is the rebased patch.
I also made one correction, I had added ssl_fc_unique_id as an ACL keyword,
but that does not make sense. I removed that added line from my patch.
Your first