Hello,
On Wed, Apr 18, 2018 at 9:34 PM, Aurélien Nephtali
<aurelien.nepht...@gmail.com> wrote:
> Hello,
>
> I have some patches to support dynamically loading and unloading PEM
> certificates through the CLI. It is mainly a big refactoring of some
> part of the SSL code (th
et_dh()
- ssl_sock_load_dh_params() takes a BIO * instead of a char *
- ssl_sock_load_cert_chain_file() -> ssl_sock_load_cert_chain() + takes a
BIO * instead of a char *
Signed-off-by: Aurélien Nephtali <aurelien.nepht...@corp.ovh.com>
---
src/ssl_sock.c | 210 +++
Hello Emeric, everyone,
On Wed, May 23, 2018 at 9:39 PM, Aurélien Nephtali
wrote:
> Hello Emeric,
>
> On Tue, May 22, 2018 at 05:37:58PM +0200, Emeric Brun wrote:
>> Hi Aurélien
>>
>> I see that you're using the domain to know the certificate to delete.
>>
Hello Willy,
On Thu, May 31, 2018 at 9:02 PM, Willy Tarreau wrote:
> Hi Aurélien,
>
> On Thu, May 31, 2018 at 11:01:44AM +0200, Aurélien Nephtali wrote:
>> Does anyone have more comments, ideas or remarks regarding these patches?
>
> Not on the patches themselves, but I think
On Fri, Jun 1, 2018 at 11:13 AM, Aurélien Nephtali
wrote:
>
> We also need to agree on the payload format to use in the add command:
> only the PEM certificate is supported at the moment but when there
> will be OCSP + SCTL support it will become messy very quickly.
> In my t
ine needs to end with a special
pattern: <<\n. Everything that follows will be left untouched by the CLI parser
and will be passed to the command parsers.
Per-command support will need to be added to take advantage of this
feature.
Signed-off-by: Aurélien Nephtali <aurelien.nepht...
to
remember how many connections are still active on a particular source
(using round-robin + an index into the range would otherwise have been
one solution)
I have some ideas but I would like to know the preferred way.
Thanks.
--
Aurélien Nephtali
counting on this
> pattern (and automatically eject server source+dest IP which have reached
> 64K concurrent connections).
Using a leastconn algorithm with very long connections will quickly fill the
list/tree with entries with a counter of 1.
>
> I have a question: what would be the impact on "retries" ? At first, we
> could use it as of today. But later, we may want to retry from a different
> source IP.
--
Aurélien Nephtali
:56 +0100
Subject: [PATCH 2/3] CLEANUP: cli: Remove a leftover debug message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This printf() was added in f886e3478d ("MINOR: cli: Add a command to
send listening sockets.").
Signed-off-by: Aurélien Nepht
PATCH 1/3] CLEANUP: ssl: Remove a duplicated #include
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
openssl/x509.h is included twice since commit fc0421fde ("MEDIUM: ssl:
add support for SNI and wildcard certificates").
Signed-off-by
mit" functions to their own parser').
Signed-off-by: Aurélien Nephtali <aurelien.nepht...@corp.ovh.com>
---
src/cli.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cli.c b/src/cli.c
index 65914451..3cae0f31 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -118
-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This bug has been present since 7a4a0ac71d ("MINOR: cli: add a new "show fd"
command").
This should be backported to 1.8.
Signed-off-by: Aurélien Nephtali <aurelien.nepht...@corp.ovh.com>
---
src/cli.c | 2 +-
roxy uses the empty
line as a delimiter to mark an end of output for each command"
Signed-off-by: Aurélien Nephtali <aurelien.nepht...@corp.ovh.com>
---
src/cli.c | 2 +-
src/ssl_sock.c| 4 ++--
src/stick_table.c | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
dif
Hello,
This patch fixes a crash when the CLI is fed with too many arguments:
$ seq -s ' ' 0 64 | socat /tmp/sock1 -
--
Aurélien Nephtali
From 09033c7d2cf1119ef3f6590fcf0c662bfaebf612 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Nephtali?= <aurelien.nepht...@corp.ovh.com>
Dat
I also thought about that but discarded the idea since I wanted
something that could easily be used on the command line without major
data preprocessing.
> Just my two cents, I'm also interested in people's ideas regarding this.
Thanks for the comments, I will think about it and continue to monitor
other ideas!
--
Aurélien Nephtali
+57,11 @@ struct appctx {
> > /* 3 unused bytes here */
> > unsigned short state; /* Internal appctx state */
> > unsigned int st0; /* CLI state for stats, session state for
> > peers */
> > - unsigned int st1; /* prompt for stats, session error for
> > peers */
> > + unsigned int st1; /* prompt/multiline for stats, session
> > error for peers */
> > +#define APPCTX_CLI_ST1_PROMPT(1 << 0)
> > +#define APPCTX_CLI_ST1_MULTILINE (1 << 1)
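Review bot: as quoted, `#define APPCTX_CLI_ST1_PROMPT(1 << 0)` has no whitespace between the macro name and the opening parenthesis, so the preprocessor reads it as a function-like macro whose parameter list is `1 << 0` and rejects it; if that is not a quoting artifact it should read `#define APPCTX_CLI_ST1_PROMPT (1 << 0)`, matching the MULTILINE line. The comment on st1 should also name APPCTX_CLI_ST1_* so a reader of the struct can find where the bit values are defined, especially once the defines live outside the struct.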
>
> Please don't put #define in the middle of the structs, they're harder to
> find later when reading the code, and it's harder also to make other
> defines depend on them. Better place them at the top of the file with the
> other ones. Simply mention in st1 that it makes use of APPCTX_CLI_ST1_*
> and that's fine.
Sure.
--
Aurélien Nephtali
ssl_sock_load_cert_chain_file() -> ssl_sock_load_cert_chain() + takes a
BIO * instead of a char *
Signed-off-by: Aurélien Nephtali <aurelien.nepht...@corp.ovh.com>
---
src/ssl_sock.c | 210 +
1 file changed, 136 insertions(+),
Willy,
On Wed, Apr 18, 2018 at 08:36:05AM +0200, Willy Tarreau wrote:
> > The problem is: the main parser (cli_parse_request()) does not have any
> > idea of what is an argument and how many there should be so it can't
> > tell if the command syntax is valid or not before passing it to the
> >
Hello Willy,
On Wed, Apr 18, 2018 at 07:38:24AM +0200, Willy Tarreau wrote:
> Hi Aurélien,
>
> On Tue, Apr 17, 2018 at 09:06:35PM +0200, Aurélien Nephtali wrote:
> > Example:
> > If this command is entered:
> > set server bk/fe <<
> > state ready
TF-8
Content-Transfer-Encoding: 8bit
Some error paths (especially those followed when running out of memory)
can set the error message to NULL. In order to avoid a crash, use a
generic message ("Out of memory") when this case arises.
It should be backported to 1.8.
Signed-of
ault error message if the function called does not fill
'err'.
In both cases only use CLI_ST_PRINT_FREE if 'err' is not NULL otherwise
use a static default message.
It should be backported to 1.8.
Signed-off-by: Aurélien Nephtali <aurelien.nepht...@corp.ovh.com>
On Mon, Apr 16, 2018 at 4:19 PM, Willy Tarreau <w...@1wt.eu> wrote:
> Hi Aurélien,
>
> On Sun, Apr 15, 2018 at 09:58:49AM +0200, Aurélien Nephtali wrote:
>> Hello,
>>
>> Here is a small patch to fix a potential crash when using
>> CLI_ST_PRINT_
Hello,
Here is a small patch to add a missing spinlock init.
Thanks.
--
Aurélien Nephtali
0001-BUG-MINOR-pattern-Add-a-missing-HA_SPIN_INIT-in-pat_.patch
e commands could benefit from using a payload but for a start I only
did these two.
Thanks for all your time, I really appreciated it.
--
Aurélien Nephtali
From f7b1a17afff1d054d02300535f03c7921e8ef7df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Nephtali?= <aurelien.nepht...@corp.ovh.c
Hello Willy,
On Fri, Apr 20, 2018 at 05:12:22PM +0200, Willy Tarreau wrote:
> Hi Aurélien,
>
> It seems to me that some places in the parser look for "<<" anywhere on the
> line (mainly the strstr() which even skips trailing spaces/tabs), and some
> parts of the logic only expect it at the end.
>
m ("set ssl ocsp-response"
and "add map"/"add acl") have seen their syntax enhanced to take advantage
of it (i.e.: accept base64 on multiple lines or accept multiple key/value
pairs).
Signed-off-by: Aurélien Nephtali <aurelien.nepht...@corp.ovh.com>
---
doc/
Hello,
On Fri, Mar 23, 2018 at 09:43:50PM +0100, Aurélien Nephtali wrote:
> Hello,
>
> This patch adds multi-line mode support to the CLI.
[...]
Please consider reviewing the attached patch instead as it fixes a
compiler warning.
--
Aurélien.
From 53356f83dab6483512d2db1fae87
-e "multiline;set ssl ocsp-response $(base64 ocsp.der)\n" |
socat /tmp/sock1 -
OCSP Response updated!
$
===
$ echo -e "multiline;set\nserver\nbk/srv\nstate\nready\n" | socat /tmp/sock1 -
$
===
--
Aurélien Nephtali
0001-MEDIUM-cli-Add-multi-line-mode-support.patch
would be the best/upstreamable way to do it?
Thanks!
--
Aurélien Nephtali
o solve the case of commands with an
unknown number of arguments. I do not know if there are some yet but
they could then safely be added.
In the particular case of a PEM certificate, the handler would wait
for an empty line and it would know it can treat what is after the
known arguments as being the certificate without trying to guess it is
complete - in the case where there would be no empty line.
Thanks!
--
Aurélien Nephtali
Willy,
On Thu, Apr 26, 2018 at 12:32 PM, Willy Tarreau <w...@1wt.eu> wrote:
> Thanks for this. All of this looks OK to me. Please just let me know if
> you want me to merge them now or if you expect other adjustments.
I think it's OK for me.
Thanks!
--
Aurélien Nephtali