Re: haproxy 1.9.2 with boringssl

2019-01-24 Thread Aleksandar Lazic
On 24.01.2019 at 15:09, Aleksandar Lazic wrote: > On 24.01.2019 at 03:49, Willy Tarreau wrote: >> On Wed, Jan 23, 2019 at 09:37:46PM +0100, Aleksandar Lazic wrote: >>> >>> On 23.01.2019 at 21:27, Willy Tarreau wrote: On Wed, Jan 23, 2019 at 09:08:00PM +0100, Aleksandar Lazic wrote: >

Re: haproxy 1.9.2 with boringssl

2019-01-24 Thread Aleksandar Lazic
On 24.01.2019 at 03:49, Willy Tarreau wrote: > On Wed, Jan 23, 2019 at 09:37:46PM +0100, Aleksandar Lazic wrote: >> >> On 23.01.2019 at 21:27, Willy Tarreau wrote: >>> On Wed, Jan 23, 2019 at 09:08:00PM +0100, Aleksandar Lazic wrote: Should it be possible to have fe with h1 and be server

Re: haproxy 1.9.2 with boringssl

2019-01-23 Thread Willy Tarreau
On Wed, Jan 23, 2019 at 09:37:46PM +0100, Aleksandar Lazic wrote: > > On 23.01.2019 at 21:27, Willy Tarreau wrote: > > On Wed, Jan 23, 2019 at 09:08:00PM +0100, Aleksandar Lazic wrote: > >> Should it be possible to have fe with h1 and be server h2(alpn h2), as I > >> expect this or similar

Re: haproxy 1.9.2 with boringssl

2019-01-23 Thread Aleksandar Lazic
On 23.01.2019 at 21:27, Willy Tarreau wrote: > On Wed, Jan 23, 2019 at 09:08:00PM +0100, Aleksandar Lazic wrote: >> Should it be possible to have fe with h1 and be server h2(alpn h2), as I >> expect this or similar return value when I go thru haproxy? > > Yes absolutely. That's even what I'm

Re: haproxy 1.9.2 with boringssl

2019-01-23 Thread Willy Tarreau
On Wed, Jan 23, 2019 at 09:08:00PM +0100, Aleksandar Lazic wrote: > Should it be possible to have fe with h1 and be server h2(alpn h2), as I > expect this or similar return value when I go thru haproxy? Yes absolutely. That's even what I'm doing on my tests to try to fix the issues reported by

Re: haproxy 1.9.2 with boringssl

2019-01-23 Thread Aleksandar Lazic
Hi Willy. On 23.01.2019 at 19:50, Willy Tarreau wrote: > Hi Aleks, > > On Wed, Jan 23, 2019 at 06:58:25PM +0100, Aleksandar Lazic wrote: >> backend be_generic_tcp >> mode http >> balance source >> timeout check 5s >> option tcp-check >> >> server "${SERVICE_NAME}"

Re: haproxy 1.9.2 with boringssl

2019-01-23 Thread Willy Tarreau
Hi Aleks, On Wed, Jan 23, 2019 at 06:58:25PM +0100, Aleksandar Lazic wrote: > backend be_generic_tcp > mode http > balance source > timeout check 5s > option tcp-check > > server "${SERVICE_NAME}" ${SERVICE_DEST_IP}:${SERVICE_DEST_PORT} check > inter 5s proto h2 ssl ssl-min-ver

Re: haproxy 1.9.2 with boringssl

2019-01-23 Thread Aleksandar Lazic
Hi. After some tricky stuff with centos I switched to debian as base image and was now able to build haproxy with boringssl. /usr/local/sbin/haproxy -vv HA-Proxy version 1.9.2 2019/01/16 - https://haproxy.org/ Build options : TARGET = linux2628 CPU = generic CC = gcc

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread PiBa-NL
Hi Aleksandar, Just FYI. On 22-1-2019 at 22:08, Aleksandar Lazic wrote: But this could be a known bug and is fixed in the current git - ## Starting vtest ## Testing with haproxy version: 1.9.2 #top TEST

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
On 22.01.2019 at 21:45, Adam Langley wrote: > On Tue, Jan 22, 2019 at 12:13 PM Aleksandar Lazic wrote: >> Sorry for my dumb question, I just want to be safe not to break something. >> >> It would be nice to have the option '-key-update' in client.cc and server.cc >> where can I put this feature

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
Tim. On 22.01.2019 at 20:57, Tim Düsterhus wrote: > Aleks, > > On 22.01.19 at 20:50, Aleksandar Lazic wrote: >> This means that the function in haproxy works but the check should be >> adapted to >> match both cases, right? > > At least one should investigate what exactly is happening here

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Adam Langley
On Tue, Jan 22, 2019 at 12:13 PM Aleksandar Lazic wrote: > Sorry for my dumb question, I just want to be safe not to break something. > > It would be nice to have the option '-key-update' in client.cc and server.cc > where can I put this feature request for boringssl? > > That would be make the

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
On 22.01.2019 at 20:54, Adam Langley wrote: > On Tue, Jan 22, 2019 at 11:45 AM Aleksandar Lazic wrote: >> Can it be reused to test a specific server like? >> >> ssl/test/runner/runner -test "KeyUpdate-ToServer" 127.0.0.1:8443 > > Not easily: it drives the implementation under test by forking a

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Tim Düsterhus
Aleks, On 22.01.19 at 20:50, Aleksandar Lazic wrote: > This means that the function in haproxy works but the check should be adapted > to > match both cases, right? At least one should investigate what exactly is happening here (the differences between the libc is a guess) and possibly file a

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Adam Langley
On Tue, Jan 22, 2019 at 11:45 AM Aleksandar Lazic wrote: > Can it be reused to test a specific server like? > > ssl/test/runner/runner -test "KeyUpdate-ToServer" 127.0.0.1:8443 Not easily: it drives the implementation under test by forking a process and has quite a complex interface via

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
Tim. On 22.01.2019 at 20:26, Tim Düsterhus wrote: > Aleks, > > On 22.01.19 at 19:38, Aleksandar Lazic wrote: >> ## test results in: >> "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.76167f9e" >> s10.0 EXPECT req.http.test3maskff (2001:db8:c001:c01a:::10:0) == >>

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
On 22.01.2019 at 20:30, Adam Langley wrote: > On Tue, Jan 22, 2019 at 11:16 AM Aleksandar Lazic wrote: >> Agree that I get a 400 with this command. >> >> `echo 'K' | ./tool/bssl s_client -connect mail.google.com:443` > > (Note that "K" on its own line does not send a KeyUpdate message with >

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Adam Langley
On Tue, Jan 22, 2019 at 11:16 AM Aleksandar Lazic wrote: > Agree that I get a 400 with this command. > > `echo 'K' | ./tool/bssl s_client -connect mail.google.com:443` (Note that "K" on its own line does not send a KeyUpdate message with BoringSSL's bssl tool. It just sends "K\n".) > How does

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Tim Düsterhus
Aleks, On 22.01.19 at 19:38, Aleksandar Lazic wrote: > ## test results in: > "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.76167f9e" > s10.0 EXPECT req.http.test3maskff (2001:db8:c001:c01a:::10:0) == > "2001:db8:c001:c01a:0::10:0" failed The difference here is that the

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
On 22.01.2019 at 20:04, Adam Langley wrote: > On Tue, Jan 22, 2019 at 10:54 AM Aleksandar Lazic wrote: >> Does boringssl have a similar tool like s_client? > > BoringSSL builds tool/bssl (in the build directory), which is similar. > However it doesn't have any magic inputs that can trigger a

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Adam Langley
On Tue, Jan 22, 2019 at 10:54 AM Aleksandar Lazic wrote: > Does boringssl have a similar tool like s_client? BoringSSL builds tool/bssl (in the build directory), which is similar. However it doesn't have any magic inputs that can trigger a KeyUpdate message like OpenSSL's s_client. Cheers AGL

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
ls in container? > Regards > Aleks > > > Original Message > From: Janusz Dziemidowicz > Sent: 22 January 2019 19:49:15 CET > To: Aleksandar Lazic > CC: HAProxy > Subject: Re: haproxy 1.9.2 with boringssl > > wt., 22 sty 2019 o 19

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Aleksandar Lazic
: haproxy 1.9.2 with boringssl Tue, 22 Jan 2019 at 19:40, Aleksandar Lazic wrote: > > Hi. > > I have now built haproxy with boringssl and it looks quite good. > > Is it the recommended way to simply make a git clone without any branch or > tag? > Does anyone know how the

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Janusz Dziemidowicz
Tue, 22 Jan 2019 at 19:40, Aleksandar Lazic wrote: > > Hi. > > I have now built haproxy with boringssl and it looks quite good. > > Is it the recommended way to simply make a git clone without any branch or > tag? > Does anyone know how the KeyUpdate can be tested? openssl s_client -connect