stable-bot: Bugfixes waiting for a release 2.2 (3), 2.1 (1), 1.8 (17)
Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable release! One such e-mail is sent periodically once patches are waiting in the last maintenance branch, and an ideal release date is computed based on the severity of these fixes and their merge date.

Responses to this mail must be sent to the mailing list.

Last release 2.2.4 was issued on 2020-09-30. There are currently 3 patches in the queue cut down this way:
- 1 MEDIUM, first one merged on 2020-10-02
- 2 MINOR, first one merged on 2020-10-02

Thus the computed ideal release date for 2.2.5 would be 2020-10-30, which is in four weeks or less.

Last release 2.1.9 was issued on 2020-09-30. There are currently 1 patches in the queue cut down this way:
- 1 MEDIUM, first one merged on 2020-09-30

Thus the computed ideal release date for 2.1.10 would be 2020-10-30, which is in four weeks or less.

Last release 1.8.26 was issued on 2020-08-03. There are currently 17 patches in the queue cut down this way:
- 8 MEDIUM, first one merged on 2020-08-05
- 9 MINOR, first one merged on 2020-08-03

Thus the computed ideal release date for 1.8.27 would be 2020-10-26, which is in three weeks or less.

The current list of patches in the queue is:
- 1.8 - MEDIUM : h2: report frame bits only for handled types
- 1.8 - MEDIUM : ssl: does not look for all SNIs before chosing a certificate
- 1.8 - MEDIUM : pattern: Renew the pattern expression revision when it is pruned
- 1.8 - MEDIUM : listeners: do not pause foreign listeners
- 1.8 - MEDIUM : mux-h2: Don't fail if nothing is parsed for a legacy chunk response
- 2.1 - MEDIUM : ssl: crt-list negative filters don't work
- 2.2 - MEDIUM : queue: make pendconn_cond_unlink() really thread-safe
- 1.8 - MEDIUM : map/lua: Return an error if a map is loaded during runtime
- 1.8 - MEDIUM : pattern: fix memory leak in regex pattern functions
- 1.8 - MEDIUM : ssl: check OCSP calloc in ssl_sock_load_ocsp()
- 1.8 - MINOR : config: Fix memory leak on config parse listen
- 1.8 - MINOR : reload: do not fail when no socket is sent
- 1.8 - MINOR : lua: Check argument type to convert it to IP mask in arg validation
- 2.2 - MINOR : Fix several leaks of 'log_tag' in init().
- 1.8 - MINOR : startup: haproxy -s cause 100% cpu
- 1.8 - MINOR : lua: Check argument type to convert it to IPv4/IPv6 arg validation
- 1.8 - MINOR : threads: work around a libgcc_s issue with chrooting
- 1.8 - MINOR : ssl: verifyhost is case sensitive
- 1.8 - MINOR : dns: ignore trailing dot
- 2.2 - MINOR : tcpcheck: Set socks4 and send-proxy flags before the connect call
- 1.8 - MINOR : stats: use strncmp() instead of memcmp() on health states

-- 
The haproxy stable-bot is freely provided by HAProxy Technologies to help improve the quality of each HAProxy release. If you have any issue with these emails or if you want to suggest some improvements, please post them on the list so that the solutions suiting the most users can be found.
Re: [PATCH v2 0/4] add set server ssl command
Hello William,

Thank you for your answer.

On Tue, Oct 6, 2020 at 7:17 PM William Lallemand wrote:
> The problem with activating SSL on-the-fly is that SSL is not only an
> on/off option but there are a lot of parameters that can be configured,
> and that won't fit the server state file. I fear it will complicate a
> lot of things in the future in this form.

My plan was to iterate on this and add other possible parameters to be updatable on the fly. But now that you raised the "server state file", I remember it is used for the "load-server-state-from-file". So it is starting to be tricky if we add other parameters.

I indeed overlooked the problem around `server state` as we use it externally in our control plane: if we detect a diff, we either try to make the change through the API, or through a reload in the worst case scenario. I overlooked the origin use case for "load-server-state-from-file" and we have built a lot of things on top of `show servers state`.

> Maybe you could have pre-configured but disabled servers with SSL in your
> configuration and enable them progressively with the CLI instead?

This is not an option for us as it would over-complexify our control plane.

That being said, I now completely understand this patchset cannot be accepted as is unless we would agree on a list of parameters to be added to `show servers state`? Maybe a good opportunity to start a discussion and find alternative ways?

-- 
William
Re: [PATCH v2 0/4] add set server ssl command
On Sun, Oct 04, 2020 at 08:13:11PM +0200, William Dauchy wrote:
> Hello,
>
> This patchset is an attempt to add a new command to configure ssl on
> servers at runtime:
>
> - the first patch adds the possibility to observe the change on a `show
>   servers state`.
> - the two next ones are only here to prepare the last one to add the
>   command. I added them separately to facilitate the review.
>   `ssl_sock_prepare_srv_ctx` protection is not mandatory but I found it
>   safer while writing my patch.
> - the last one is adding the new command. I'm not 100% sure of the
>   consequences of `prepare_srv` and `destroy_srv` but from what I read
>   and tested, it seems ok.
>

That's an interesting idea but I'm kind of confused about this.

The problem with activating SSL on-the-fly is that SSL is not only an on/off option but there are a lot of parameters that can be configured, and that won't fit the server state file. I fear it will complicate a lot of things in the future in this form.

Maybe you could have pre-configured but disabled servers with SSL in your configuration and enable them progressively with the CLI instead?

Willy has maybe a better suggestion about this.

-- 
William Lallemand
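The alternative William Lallemand suggests above, TLS servers that are fully configured but start disabled and are brought into rotation over the CLI, as an added configuration example that is not from the thread or from the HAProxy project. The socket path, state-file path, addresses and CA file are assumptions for the example.

```haproxy
# Added example, not part of the thread: all TLS parameters live in the
# configuration and only the administrative state is changed at runtime,
# so a "show servers state" / server-state-file round trip loses nothing.
# Paths, addresses and the CA file below are assumptions for this example.
global
    stats socket /var/run/haproxy.sock mode 600 level admin
    server-state-file /var/lib/haproxy/server-state

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # re-apply the saved admin/operational states after a reload
    load-server-state-from-file global

backend app
    balance roundrobin
    # plaintext server currently taking traffic
    server plain1 192.0.2.10:80 check
    # TLS twin of the same pool: fully configured, starts in maintenance
    server tls1 192.0.2.10:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check disabled

# Runtime switch-over, issued over the stats socket, no reload needed:
#   echo "set server app/tls1 state ready"   | socat stdio /var/run/haproxy.sock
#   echo "set server app/plain1 state maint" | socat stdio /var/run/haproxy.sock
# Persist the resulting states so load-server-state-from-file finds them
# on the next reload:
#   echo "show servers state" | socat stdio /var/run/haproxy.sock > /var/lib/haproxy/server-state
```

Because the `ssl`, `verify` and `ca-file` settings never change at runtime, the state file only has to carry what it already carries today (the admin and operational state of each server).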
Re: [PATCH] DOC: ssl: fix typo about ocsp files
On Tue, Oct 06, 2020 at 03:22:37PM +0200, William Dauchy wrote: > one of the last I saw in this section while working on github issue #872 > > might be backported in all still supported versions > > Signed-off-by: William Dauchy > --- > doc/configuration.txt | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/doc/configuration.txt b/doc/configuration.txt > index b01129f8f..a98284da3 100644 > --- a/doc/configuration.txt > +++ b/doc/configuration.txt > @@ -1423,7 +1423,7 @@ ssl-load-extra-files > * >On the CLI, bundles are seen as separate files, and the bundle extension is >required to commit them. > > - OSCP files (.ocsp), issuer files (.issuer), Certificate Transparency > (.sctl) > + OCSP files (.ocsp), issuer files (.issuer), Certificate Transparency > (.sctl) >as well as private keys (.key) are supported with multi-cert bundling. > >"sctl": Try to load ".sctl" for each crt keyword. Thanks, merged. -- William Lallemand
[PATCH] DOC: ssl: fix typo about ocsp files
one of the last I saw in this section while working on github issue #872 might be backported in all still supported versions Signed-off-by: William Dauchy --- doc/configuration.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index b01129f8f..a98284da3 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -1423,7 +1423,7 @@ ssl-load-extra-files * On the CLI, bundles are seen as separate files, and the bundle extension is required to commit them. - OSCP files (.ocsp), issuer files (.issuer), Certificate Transparency (.sctl) + OCSP files (.ocsp), issuer files (.issuer), Certificate Transparency (.sctl) as well as private keys (.key) are supported with multi-cert bundling. "sctl": Try to load ".sctl" for each crt keyword. -- 2.28.0
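Review bot: the backport note in the commit message ("might be backported in all still supported versions") should name the branches that actually contain the ssl-load-extra-files section the hunk context (`@@ -1423,7 +1423,7 @@ ssl-load-extra-files`) points at, so the fix is not queued for a branch where that section does not exist; the one-line change itself, "OSCP files (.ocsp)" to "OCSP files (.ocsp)", is correct and now matches the ".ocsp" extension on the same line.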
Bid Writing Workshops Via Zoom
NFP WORKSHOPS
18 Blake Street, York YO1 8QG
01133 280988
Affordable Training Courses for Charities, Schools & Public Sector Organisations

UNSUBSCRIBE
To unsubscribe please reply back replacing the subject line with: haproxy@formilux.org
Unsubscribe requests will take effect within seven days.

BID WRITING: THE BASICS
ONLINE VIA ZOOM
COST £95.00

TOPICS COVERED
Do you know the most common reasons for rejection? Are you gathering the right evidence? Are you making the right arguments? Are you using the right terminology? Are your numbers right? Are you learning from rejections? Are you assembling the right documents? Do you know how to create a clear and concise standard funding bid? Are you communicating with people or just excluding them? Do you know your own organisation well enough? Are you thinking through your projects carefully enough? Do you know enough about your competitors? Are you answering the questions funders will ask themselves about your application? Are you submitting applications correctly?

FORTHCOMING DATES & TIMES
Mon 12 Oct 2020 10.00 to 12.30
Mon 26 Oct 2020 10.00 to 12.30
Mon 09 Nov 2020 10.00 to 12.30
Mon 23 Nov 2020 10.00 to 12.30
Mon 07 Dec 2020 10.00 to 12.30

BID WRITING: ADVANCED
ONLINE VIA ZOOM
COST £95.00

TOPICS COVERED
Are you applying to the right trusts? Are you applying to enough trusts? Are you asking for the right amount of money? Are you applying in the right ways? Are your projects the most fundable projects? Are you carrying out trust fundraising in a professional way? Are you delegating enough work? Are you highly productive or just very busy? Are you looking for trusts in all the right places? How do you compare with your competitors for funding? Is the rest of your fundraising hampering your bids to trusts? Do you understand what trusts are ideally looking for?

FORTHCOMING DATES & TIMES
Tue 13 Oct 2020 10.00 to 12.30
Tue 27 Oct 2020 10.00 to 12.30
Tue 10 Nov 2020 10.00 to 12.30
Tue 24 Nov 2020 10.00 to 12.30
Tue 08 Dec 2020 10.00 to 12.30

PARTICIPANTS
Staff members, volunteers, trustees or board members of charities, schools, not for profits or public sector organisations who intend to submit grant funding applications to charitable grant making trusts and foundations. People who provide advice to these organisations are also welcome.

BOOKING DETAILS
To book a workshop please google NFP Workshops to visit our website and follow the booking links. The online booking system accepts payment by debit card, credit card or paypal.