Re: Capturing browser TLS cipher suites

2017-03-06 Thread Willy Tarreau
Hi Thierry, On Sat, Feb 25, 2017 at 01:01:54PM +0100, thierry.fourn...@arpalert.org wrote: > The patch implementing this idea is in attachment. It returns the > client-hello cipher list as binary, hexadecimal string, xxh64 and with > the decoded ciphers. Is this supposed to be the last version?

Re: HTTP 429 Too Many Requests (tarpit deny_status)

2017-03-06 Thread Jarno Huuskonen
Hi Willy, On Fri, Feb 10, Willy Tarreau wrote: > > How should I send the patches ? One commit for > > http_server_error/http_get_status_idx changes and tarpit deny_status > > parser / doc in another commit ? > > Yes that's the preferred way to do it, one commit per architecture or > functional

Re: Capturing browser TLS cipher suites

2017-03-06 Thread Emmanuel Hocdet
Hi Thierry > On 25 Feb 2017 at 13:01, thierry.fourn...@arpalert.org wrote: > > Hi all, > > On Thu, 9 Feb 2017 07:37:51 +0100 > Willy Tarreau wrote: > >> Hi Olivier, >> >> On Sat, Feb 04, 2017 at 11:52:30AM +0100, Olivier Doucet wrote: >>> Hello, >>> >>> I'm trying to

Re: pre-connect header problem

2017-03-06 Thread Marco Corte
On 06/03/2017 14:45, Simon E. Silva Lauinger wrote: bind *:443 name *:443 ssl crt /path/to/cert.pem mode tcp Did you also try with mode http on the frontend? .marcoc

[PATCH] BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored.

2017-03-06 Thread Emmanuel Hocdet
This fix is for current 1.8dev with "MEDIUM: ssl: remove ssl-options from crt-list" applied. 0001-BUG-MEDIUM-ssl-in-bind-line-ssl-options-after-crt-ar.patch

Re: Capturing browser TLS cipher suites

2017-03-06 Thread thierry . fournier
On Mon, 6 Mar 2017 12:35:47 +0100 Willy Tarreau wrote: > Hi Thierry, > > On Sat, Feb 25, 2017 at 01:01:54PM +0100, thierry.fourn...@arpalert.org wrote: > > The patch implementing this idea is in attachment. It returns the > > client-hello cipher list as binary, hexadecimal string,

Re: Capturing browser TLS cipher suites

2017-03-06 Thread thierry . fournier
On Mon, 6 Mar 2017 14:54:44 +0100 Emmanuel Hocdet wrote: > Hi Thierry > > > On 25 Feb 2017 at 13:01, thierry.fourn...@arpalert.org wrote: > > > > Hi all, > > > > On Thu, 9 Feb 2017 07:37:51 +0100 > > Willy Tarreau wrote: > > > >> Hi Olivier, > >> > >> On

Re: Capturing browser TLS cipher suites

2017-03-06 Thread Willy Tarreau
On Mon, Mar 06, 2017 at 06:30:34PM +0100, thierry.fourn...@arpalert.org wrote: > On Mon, 6 Mar 2017 14:54:44 +0100 > Emmanuel Hocdet wrote: > > xxh64 is not a fingerprint class algorithm, sha256 should be used. > > > Hi Manu, > > My choice is driven regarding these hash

Re: Capturing browser TLS cipher suites

2017-03-06 Thread thierry . fournier
Hi, This is the new patch without the bug. The previous one was tested too quickly. Thierry On Mon, 6 Mar 2017 18:30:33 +0100 thierry.fourn...@arpalert.org wrote: > On Mon, 6 Mar 2017 12:35:47 +0100 > Willy Tarreau wrote: > > > Hi Thierry, > > > > On Sat, Feb 25, 2017 at 01:01:54PM

Re: Capturing browser TLS cipher suites

2017-03-06 Thread Willy Tarreau
On Mon, Mar 06, 2017 at 06:30:33PM +0100, thierry.fourn...@arpalert.org wrote: > > > + /* Next three bytes are the length of the message. The total length > > > + * must be this decoded length + 4. If the length given as argument > > > + * is not the same, we abort the protocol dissector. > > >

Re: Capturing browser TLS cipher suites

2017-03-06 Thread thierry . fournier
You read my response one minute too early. The right path is in the second email I sent. Sorry. On Mon, 6 Mar 2017 18:38:30 +0100 Willy Tarreau wrote: > On Mon, Mar 06, 2017 at 06:30:33PM +0100, thierry.fourn...@arpalert.org wrote: > > > > + /* Next three bytes are the

Re: [PATCH] BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored.

2017-03-06 Thread Willy Tarreau
On Mon, Mar 06, 2017 at 04:50:02PM +0100, Emmanuel Hocdet wrote: > This fix is for current 1.8dev with "MEDIUM: ssl: remove ssl-options from > crt-list" applied. Strangely it refuses to apply to ssl_sock.c. 14 of 14 hunks rejected. I tried by hand (patch -p1, patch -lp1), same result. I don't

Re: HaProxy Hang

2017-03-06 Thread Mark S
On Mon, 06 Mar 2017 01:35:19 -0500, Willy Tarreau wrote: On Fri, Mar 03, 2017 at 07:54:46PM +0300, Dmitry Sivachenko wrote: > On 03 Mar 2017, at 19:36, David King wrote: > > Thanks for the response! > That's interesting, I don't suppose you have

Re: Capturing browser TLS cipher suites

2017-03-06 Thread Willy Tarreau
On Mon, Mar 06, 2017 at 07:19:00PM +0100, thierry.fourn...@arpalert.org wrote: > Your read my response one minute too early. The right path is in the > second email I sent. Sorry. Thierry, please look below : > On Mon, 6 Mar 2017 18:38:30 +0100 > Willy Tarreau wrote: > > > And

Re: HaProxy Hang

2017-03-06 Thread Jerry Scharf
Willy, per your comment on /dev/random exhaustion. I think running haveged on servers doing crypto work is/should be best practice. jerry On 3/6/17 12:02 PM, Willy Tarreau wrote: Hi Mark, On Mon, Mar 06, 2017 at 02:49:28PM -0500, Mark S wrote: As for the timing issue, I can add to the

Re: Capturing browser TLS cipher suites

2017-03-06 Thread Willy Tarreau
On Mon, Mar 06, 2017 at 09:31:40PM +0100, thierry.fourn...@arpalert.org wrote: > You're right, I'm in a hurry and tired. I don't see the problem with > comparisons. I think that the attached version is ok. I reviewed all > comments. OK this one looks good. I've just met a build issue here :

Re: HaProxy Hang

2017-03-06 Thread Willy Tarreau
Hi Mark, On Mon, Mar 06, 2017 at 02:49:28PM -0500, Mark S wrote: > As for the timing issue, I can add to the discussion with a few related data > points. In short, system uptime does not seem to be a commonality to my > situation. thanks! > 1) I had this issue affect 6 servers, spread across 5

Re: HaProxy Hang

2017-03-06 Thread Mark S
On Mon, 06 Mar 2017 15:02:43 -0500, Willy Tarreau wrote: OK so that means that haproxy could have hung in a day or two, then your case is much more common than one of the other reports. If your front LB is fair between the 6 servers, that could be related to a total number of

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Matthias Fechner
Dear Willy and Dmitry, On 06.03.2017 at 11:16, Willy Tarreau wrote: > with the attachment now (thanks Dmitry) hm, I'm not able to apply the patch: git apply --ignore-space-change --ignore-whitespace 0001-BUG-MEDIUM-tcp-don-t-poll-for-write-when-connect-suc.patch But I get:

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Willy Tarreau
On Mon, Mar 06, 2017 at 11:19:18PM +0100, Matthias Fechner wrote: > Dear Willy and Dmitry, > > On 06.03.2017 at 11:16, Willy Tarreau wrote: > > with the attachment now (thanks Dmitry) > > hm, I'm not able to apply the patch: > git apply --ignore-space-change --ignore-whitespace >

[SPAM] International express shipping specialists for chemical products. Powders, liquids. No inspection report required

2017-03-06 Thread jerry
Hello! We specialise in international express shipping of chemical products, powders and liquids, with no inspection report required. High-quality packaging materials protect your sample goods so they arrive safely and look presentable; competitive prices and one-to-one customer service. We look forward to working with you. Main carriers: FEDEX DHL TNT EMS, UPS. Extra discounts for large shipments (over 21KG). Five strong carrier routes + attentive order tracking + timely status updates + door-to-door service = your satisfaction. Prices can be further discounted from the quote; enquiries welcome. Mobile: 18930306441 Contact: 张琴 QQ: 1755462759 Tel: 021-68095814 Our advantages: first, our company has five carrier routes and can ship express parcels others cannot; we choose the route by destination country with cost-effectiveness in mind

PAYMENT CONFIRMATION - FW: OV14229PA0620339 - OTT Payment Advice

2017-03-06 Thread Sarah
Attention, Attached is the payment transferred to your bank account for INV- 081116 as directed by our customer to you, we are sorry for the delay. Please review for your reference PDF id is INVOICEPAYMENT1. Thanks & Best Regards, Sarah -- Forwarded message

Re: [RFC PATCH] MEDIUM: persistent connections for SSL checks

2017-03-06 Thread Steven Davidovitz
Thanks for the response! On Mon, Mar 6, 2017 at 1:34 AM, Willy Tarreau wrote: > > [snip] > > Also it is not normal at all that SSL checks lead to CPU saturation. > Normally, health checks are expected to store the last SSL_CTX in the > server struct for later reuse, leading to a

Re: [RFC PATCH] MEDIUM: persistent connections for SSL checks

2017-03-06 Thread Willy Tarreau
On Mon, Mar 06, 2017 at 06:34:09PM -0800, Steven Davidovitz wrote: > Interestingly, as far as I can tell, we are running into the problem > described in this forum post: > http://discourse.haproxy.org/t/backend-encryption-and-reusing-ssl-sessions/503/4 > Switching the conn_data_shutw_hard call to

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Matthias Fechner
Thanks Willy, On 07.03.2017 at 00:32, Willy Tarreau wrote: > Sorry, when I said "revert" I meant typically like this : > > patch -Rp1 < 0001-BUG-MEDIUM-tcp-don-t-poll-for-write-when-connect-suc.patch > > I've just tested here on 1.7.3 and it does apply correctly. > > With git apply you'll have

Re: [RFC PATCH] MEDIUM: persistent connections for SSL checks

2017-03-06 Thread Willy Tarreau
Hi Steven, On Wed, Mar 01, 2017 at 04:03:17PM -0800, Steven Davidovitz wrote: > Having hundreds of HTTP SSL health checks leads to CPU saturation. > This patch allows HTTP health checks without any http-expect directives > to keep the connection open for subsequent health checks. This patch >

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Willy Tarreau
On Mon, Mar 06, 2017 at 09:59:21AM +0100, Matthias Fechner wrote: > Hi Georg, > > On 06.03.2017 at 09:43, Georg Faerber wrote: > > I'm not running FreeBSD myself, but have a look at [1]: In the > > follow-ups to this thread there are two more people reporting problems. > > > > [1]

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Georg Faerber
Hi Matthias, On 17-03-06 09:34:07, Matthias Fechner wrote: > are problems with haproxy 1.7.3 on FreeBSD 11.0-p8 known? I'm not running FreeBSD myself, but have a look at [1]: In the follow-ups to this thread there are two more people reporting problems. Cheers, Georg [1]

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread rainer
Hi, it would be cool if somebody could open a PR at https://bugs.freebsd.org/ I personally don't use FreeBSD 11 for any of my HAProxy-installations (yet), so I'm not really affected (yet) - but thanks for the heads-up. Regards, Rainer

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Matthias Fechner
Hi Georg, On 06.03.2017 at 09:43, Georg Faerber wrote: > I'm not running FreeBSD myself, but have a look at [1]: In the > follow-ups to this thread there are two more people reporting problems. > > [1] https://www.mail-archive.com/haproxy@formilux.org/msg25093.html no, this cannot be the

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Matthias Fechner
Dear Rainer, On 06.03.2017 at 09:52, rai...@ultra-secure.de wrote: > it would be cool if somebody could open a PR at > > https://bugs.freebsd.org/ > > I personally don't use FreeBSD 11 for any of my HAProxy-installations > (yet), so I'm not really affected (yet) - but thanks for the heads-up.

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread rainer
On 2017-03-06 10:05, Matthias Fechner wrote: Dear Rainer, I opened a bug report here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217576 I have only one server already upgraded to FreeBSD 11. The 10.3 installations are running fine with haproxy 1.7.3. Thanks!

Re: [PATCH] BUILD: ssl: fix build with -DOPENSSL_NO_DH

2017-03-06 Thread Willy Tarreau
On Fri, Mar 03, 2017 at 05:12:55PM +0100, Emmanuel Hocdet wrote: > Build without DH support is broken. This fix is for 1.8dev. > It significantly reduces the size and initial memory footprint of haproxy. Hmmm this one does not apply :-( Willy

Re: [PATCH 1/2] MINOR: ssl: isolate SSL_CTX_new with initial negotiation environnement

2017-03-06 Thread Willy Tarreau
On Fri, Mar 03, 2017 at 01:28:40PM +0100, Emmanuel Hocdet wrote: > New version of this patch. > Little cleanup but much better comment. Applied, thanks Manu. Willy

Re: [PATCH] BUILD: ssl: fix build with -DOPENSSL_NO_DH

2017-03-06 Thread Willy Tarreau
On Mon, Mar 06, 2017 at 10:13:31AM +0100, Willy Tarreau wrote: > On Fri, Mar 03, 2017 at 05:12:55PM +0100, Emmanuel Hocdet wrote: > > Build without DH support is broken. This fix is for 1.8dev. > > It significantly reduces the size and initial memory footprint of haproxy. > > Hmmm this one does

Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Matthias Fechner
Dear all, are problems with haproxy 1.7.3 on FreeBSD 11.0-p8 known? I have the problem that I get a lot of timeouts for all websites that are behind haproxy. Haproxy does terminate the SSL connection and forwards to nginx. Before haproxy I have a sslh running. Downgrading to version 1.7.2

Re: openssl-1.1 SNI callback causing client failures

2017-03-06 Thread Willy Tarreau
On Fri, Mar 03, 2017 at 03:55:05PM +0100, Emmanuel Hocdet wrote: > Patch candidate to merge in 1.8dev. > I think this patch should be backported, at least in versions compat with > openssl-1.1.0. Applied, thanks Manu! Willy

Re: Client Cert Improvements

2017-03-06 Thread Emmanuel Hocdet
> On 4 March 2017 at 15:03, mlist wrote: > For those first 3 points we don't need renegotiation. > Current implementation is buggy, but once we merge: "BUG/MEDIUM: ssl: fix verify/ca-file per certificate" > all those issues will be addressed, without

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Willy Tarreau
with the attachment now (thanks Dmitry) On Mon, Mar 06, 2017 at 10:44:56AM +0100, Willy Tarreau wrote: > On Mon, Mar 06, 2017 at 09:59:21AM +0100, Matthias Fechner wrote: > > Hi Georg, > > > > On 06.03.2017 at 09:43, Georg Faerber wrote: > > > I'm not running FreeBSD myself, but have a look at