and voila:
0001-MINOR-ssl-add-ssl-skip-self-issued-ca-global-option.patch
> On 21 Apr 2020 at 10:58, William Lallemand wrote:
>
> On Fri, Apr 03, 2020 at 10:34:12AM +0200, Emmanuel Hocdet wrote:
>>
>>> On 31 Mar 2020 at 18:40, William Lallemand wrote:
>>>
>>> On Thu, Mar 26, 2020 at 06:29:48PM +0
> On 31 Mar 2020 at 18:40, William Lallemand wrote:
>
> On Thu, Mar 26, 2020 at 06:29:48PM +0100, William Lallemand wrote:
>>
>> After some thinking and discussing with people involved in this part of
>> HAProxy. I'm not feeling very comfortable with setting this behavior by
>> default, on
> On 26 Mar 2020 at 14:11, Илья Шипицин wrote:
>
>
>
> Thu, 26 Mar 2020 at 17:27, Emmanuel Hocdet <m...@gandi.net>:
>
> > On 26 Mar 2020 at 13:02, Илья Шипицин <chipits...@gmail.com> wrote:
> >
> On 26 Mar 2020 at 13:02, Илья Шипицин wrote:
>
> RootCA is needed if you send cross certificate as well.
>
> It is very rare but legitimate case
It’s only for self issued CA, it should be safe, right?
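To make the cross-certificate point above concrete, here is an added Go example; it is not haproxy code and not from this thread. It builds a throw-away PKI in memory and applies the rule the ssl-skip-self-issued-ca option implements: a CA whose subject equals its issuer is dropped from the chain sent to clients, while a cross-certificate of that same root is kept because its issuer is a different CA, and a client holding only the root still verifies the trimmed chain. The names "Demo Root A", "Demo Root B", "Demo Intermediate", "www.example.test" and all keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isSelfIssued: subject name equals issuer name (RFC 5280 section 6.1). A root
// CA is self-issued; a cross-certificate of that root, issued by another CA, is not.
func isSelfIssued(c *x509.Certificate) bool {
	return bytes.Equal(c.RawSubject, c.RawIssuer)
}

// skipSelfIssued keeps the leaf and intermediates and drops self-issued CAs,
// which the peer must already hold as trust anchors. The leaf (index 0) always stays.
func skipSelfIssued(chain []*x509.Certificate) []*x509.Certificate {
	out := make([]*x509.Certificate, 0, len(chain))
	for i, c := range chain {
		if i > 0 && c.IsCA && isSelfIssued(c) {
			continue
		}
		out = append(out, c)
	}
	return out
}

// verifies checks that a client trusting only root still validates the leaf
// from the trimmed chain, i.e. that dropping the root cost nothing.
func verifies(trimmed []*x509.Certificate, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range trimmed[1:] {
		inters.AddCert(c)
	}
	_, err := trimmed[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// newTemplate is a minimal certificate template for the constructed demo PKI.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: ku,
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl for pub with key; parent == tmpl makes it self-signed.
// Failures panic because the inputs are fixed demo data.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildDemoChain constructs in memory the PEM layout under discussion: leaf,
// intermediate, self-signed root A, and a cross-certificate of root A signed by
// a second root B. Names and keys are made up for the example.
func buildDemoChain() []*x509.Certificate {
	rootA, rootB, inter, leaf := newKey(), newKey(), newKey(), newKey()
	rootATmpl := newTemplate("Demo Root A", 1, true)
	rootACert := sign(rootATmpl, rootATmpl, &rootA.PublicKey, rootA)
	rootBTmpl := newTemplate("Demo Root B", 2, true)
	rootBCert := sign(rootBTmpl, rootBTmpl, &rootB.PublicKey, rootB)
	interCert := sign(newTemplate("Demo Intermediate", 3, true), rootACert, &inter.PublicKey, rootA)
	leafCert := sign(newTemplate("www.example.test", 4, false), interCert, &leaf.PublicKey, inter)
	crossCert := sign(newTemplate("Demo Root A", 5, true), rootBCert, &rootA.PublicKey, rootB)
	return []*x509.Certificate{leafCert, interCert, rootACert, crossCert}
}

func main() {
	chain := buildDemoChain()
	for _, c := range skipSelfIssued(chain) {
		fmt.Println("send:", c.Subject.CommonName, "issued by", c.Issuer.CommonName)
	}
	fmt.Println("client with root A only verifies:", verifies(skipSelfIssued(chain), chain[2]))
}
```

The self-issued test compares the raw DER names rather than parsed fields, which is what makes the cross-certificate case fall out naturally: "Demo Root A" signed by "Demo Root B" has different subject and issuer bytes, so it is never dropped.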
Hi,
Patch rebase from master.
> On 6 Mar 2020 at 17:06, Emmanuel Hocdet wrote:
>
> Hi,
>
>
> Patch proposal.
> I will update the documentation if this feature is approved.
>
++
Manu
0001-MINOR-ssl-skip-self-issued-CA-in-cert-chain-for-ssl_.patch
Hi,
This patch removes #ifdef compatibility for add cert chain to CTX, goal is to simplify code.
It's an extract from "[PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx" proposal.
++
Manu
0001-MINOR-ssl-rework-add-cert-chain-to-CTX-to-be-libssl-.patch
> On 23 Mar 2020 at 15:12, William Lallemand wrote:
>
> On Mon, Mar 23, 2020 at 02:50:03PM +0100, Emmanuel Hocdet wrote:
>>
>> As discussed in #559
>>
>
> Can't we return directly a STACK_OF(X509)* structure instead of the
> struct issuer_chain *
As discussed in #559
0001-CLEANUP-ssl-rename-ssl_get_issuer_chain-to-ssl_get0_.patch
Hi,
This issue was introduced by #516.
find_chain must not be freed.
patch attached.
> On 21 Mar 2020 at 15:23, Илья Шипицин wrote:
>
> Hello,
>
> I attached patch that fixes memory leak, described in #559
>
++
Manu
0001-BUG-MINOR-ssl-memory-leak-when-find_chain-is-NULL.patch
Hi,
Patch proposal.
I will update the documentation if this feature is approved.
++
Manu
0001-MINOR-ssl-skip-self-issued-CA-in-cert-chain-for-ssl_.patch
Hi,
"ca-no-names-file" renamed to "ca-verify-file"
++
Manu
0001-MINOR-ssl-add-ca-verify-file-directive.patch
rebase from dev branch: (https://github.com/haproxy/haproxy/issues/404)
++
Manu
> On 20 Dec 2019 at 17:00, Emmanuel Hocdet <m...@gandi.net> wrote:
> patch update,
>> On 19 Dec 2019 at 17:08, Emmanuel Hocdet <m...@gandi.net> wrote:
>> With this proposition, ca-root-file should be renamed to somet
Hi,
> On 18 Feb 2020 at 17:49, Emmanuel Hocdet <m...@gandi.net> wrote:
> Yes. Show the chain-filename would be very helpful.
> For that I think a good way would be to keep ckch->chain and ckch->issuer
> with value (or NULL) from PEM/, and resolve chain and ocsp_issuer
> when needed. "show ssl ce
Hi,
> On 18 Feb 2020 at 11:45, Emmanuel Hocdet <m...@gandi.net> wrote:
>> I think we will probably need more information in the "show ssl cert"
>> output in the future so the users can debug this kind of feature easily.
> Yes. Show the chain-filename would be very helpful.
> For that I think
> On 18 Feb 2020 at 14:36, William Lallemand wrote:
>
> On Tue, Feb 18, 2020 at 01:58:39PM +0100, Emmanuel Hocdet wrote:
>>
>>> On 18 Feb 2020 at 11:45, Emmanuel Hocdet wrote:
>>>
>>>> Can you add a little bit of explanation on how th
> On 18 Feb 2020 at 11:45, Emmanuel Hocdet <m...@gandi.net> wrote:
>> Can you add a little bit of explanation on how the discovery of the
>> issuer is done in the documentation?
> ok
documentation updated:
0001-MINOR-ssl-add-issuers-chain-path-directive.patch
Hi William
> On 14 Feb 2020 at 15:59, William Lallemand wrote:
>
> On Fri, Feb 14, 2020 at 03:25:48PM +0100, Emmanuel Hocdet wrote:
>> Hi,
>>
>> Is there any hope that this proposal will be considered before HAproxy 2.2?
>>
>> ++
>> Manu
Hi,
Is there any hope that this proposal will be considered before HAproxy 2.2?
++
Manu
> On 31 Jan 2020 at 16:06, Emmanuel Hocdet wrote:
>
>
>> On 31 Jan 2020 at 12:22, Emmanuel Hocdet wrote:
>
>>
>> I will send a new patch for "issuers
> On 31 Jan 2020 at 12:22, Emmanuel Hocdet wrote:
>
> I will send a new patch for "issuers-chain-path" with corrections.
>
0001-MINOR-ssl-add-issuers-chain-path-directive.patch
Hi William,
> On 27 Jan 2020 at 16:55, Emmanuel Hocdet wrote:
>>
>> With ‘ssl crt foo.pem chain bar.pem’, or crt-list with ‘foo.pem [chain
>> bar.pem]’,
>> deduplicate chain look like deduplicate ca-file.
>> Find ocsp_issuer with this chain doesn’t w
Hi William,
>
> With ‘ssl crt foo.pem chain bar.pem’, or crt-list with ‘foo.pem [chain
> bar.pem]’,
> deduplicate chain look like deduplicate ca-file.
> Find ocsp_issuer with this chain doesn’t work directly, but it seems doable.
> For CLI, reload cert when chain is updated seem also complicate
> On 24 Jan 2020 at 16:38, William Lallemand wrote:
>
> On Fri, Jan 24, 2020 at 01:22:05PM +0100, Emmanuel Hocdet wrote:
>>
>> Hi William,
>>
> Hello Manu!
>
>>> On 23 Jan 2020 at 16:20, William Lallemand wrote:
>>>
Hi Tim,
> On 23 Jan 2020 at 17:21, Tim Düsterhus wrote:
>
> Manu,
>
> On 21.01.20 at 12:42, Emmanuel Hocdet wrote:
>> Patches updated, depend on "[PATCH] BUG/MINOR: ssl:
>> ssl_sock_load_pem_into_ckch is not consistent"
>
> Out of curiosity:
Hi William,
> On 23 Jan 2020 at 16:20, William Lallemand wrote:
>
> On Tue, Jan 21, 2020 at 12:42:04PM +0100, Emmanuel Hocdet wrote:
>> Hi,
>>
>> Patches updated, depend on "[PATCH] BUG/MINOR: ssl:
>> ssl_sock_load_pem_into_ckch is not consistent"
Following discussion from "[PATCH] BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch
is not consistent".
0001-BUG-MINOR-ssl-ocsp_issuer-must-be-set-in-the-right-w.patch
> On 23 Jan 2020 at 11:19, William Lallemand wrote:
>
> On Wed, Jan 22, 2020 at 05:22:51PM +0100, Emmanuel Hocdet wrote:
>>
>>> On 22 Jan 2020 at 15:56, William Lallemand wrote:
>>>
>> Indeed, and the case of ckch->ocsp_issuer
> On 22 Jan 2020 at 15:56, William Lallemand wrote:
>
> On Mon, Jan 20, 2020 at 05:13:13PM +0100, Emmanuel Hocdet wrote:
>>
>> Hi,
>>
>> Proposal to fix the issue.
>>
>
> The purpose at the beginning was to be able to keep a .dh / .ocsp et
Hi,
Patches updated, depend on "[PATCH] BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent"
++
Manu
> On 10 Apr 2019 at 13:23, Emmanuel Hocdet <m...@gandi.net> wrote:
> Hi,
> Updated patch series:
> Fix OpenSSL < 1.0.2 compatibility.
> More generic key for issuers ebtree.
> ++
> Manu
Hi,
A last patch for today.
++
Manu
0001-MINOR-ssl-accept-verify-bind-option-with-set-ssl-cer.patch
Hi,
Proposal to fix the issue.
++
Manu
0001-BUG-MINOR-ssl-ssl_sock_load_pem_into_ckch-is-not-con.patch
Hi,
Fix memory leaks with « set ssl cert ».
++
Manu
0001-BUG-MINOR-ssl-ssl_sock_load_ocsp_response_from_file-.patch
0002-BUG-MINOR-ssl-ssl_sock_load_issuer_file_into_ckch-me.patch
0003-BUG-MINOR-ssl-ssl_sock_load_sctl_from_file-memory-le.
patch update,
> On 19 Dec 2019 at 17:08, Emmanuel Hocdet <m...@gandi.net> wrote:
> With this proposition, ca-root-file should be renamed to something like ca-end-file.
> Refer to https://github.com/haproxy/haproxy/issues/404 discussion.
>> On 19 Dec 2019 at 13:10, Emmanuel Hocdet <m...@gandi.net>
With this proposition, ca-root-file should be renamed to something like
ca-end-file.
Refer to https://github.com/haproxy/haproxy/issues/404 discussion.
> On 19 Dec 2019 at 13:10, Emmanuel Hocdet wrote:
>
>
> Hi,
>
Hi,
The purpose of this patch is to fix #404 and keep compatibility with the actual
"ca-file" directive for bind line.
++
Manu
0001-MINOR-ssl-add-ca-root-file-directive.patch
Hi,
address #394
++
Manu
0001-BUG-MINOR-ssl-certificate-choice-can-be-unexpected-w.patch
Hi,
> On 2 Dec 2019 at 08:12, William Lallemand wrote:
>
> It seems to have broken the build on centos 6, could you take a look at this
> ticket?
>
> https://github.com/haproxy/haproxy/issues/385
>
>
Fix tested with openssl 1.0.1
++
Manu
0001-BUG-MINOR-ssl-fix-X509-compatibility-for-op
Hi,
A forgotten fix, comment updated.
++
Manu
0001-BUG-MINOR-ssl-fix-SSL_CTX_set1_chain-compatibility-f.patch
Patches update, should address William’s comments.
0001-MINOR-ssl-deduplicate-ca-file.patch
0002-MINOR-ssl-compute-ca-list-from-deduplicate-ca-file.patch
0003-MINOR-ssl-deduplicate-crl-file.patch
Hi,
> On 27 Nov 2019 at 03:46, Willy Tarreau wrote:
>
>> @@ -5046,7 +5046,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf,
>> struct ssl_bind_conf *ssl_
>> NULL);
>>
>> if (ecdhe == NULL) {
>> +#if defined(SSL_CTX_set_ecdh_auto)
>>
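Review bot: the `#if defined(SSL_CTX_set_ecdh_auto)` guard added in the `ecdhe == NULL` branch is also true on OpenSSL 1.1.0 and later, where the name survives only as a no-op compatibility macro (automatic curve selection is always on there), so the guarded call is harmless but does nothing; that is fine, but the commit message should state what the `#else` path does when the macro is absent entirely (older or non-OpenSSL libraries), because that is where a bind line without an explicit `ecdhe` could silently end up with no ECDHE curve configured. The `#else` branch is not visible in this quote.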
Hi William,
> On 22 Nov 2019 at 17:34, William Lallemand wrote:
>
> Hi Manu,
>
> I have a few questions/remarks below:
>
>> Subject: [PATCH 1/3] MINOR: ssl: deduplicate ca-file
>> [...]
>>
>> +static int ssl_store_load_locations_file(X509_STORE **store_ptr, char *path)
>> +{
>> +struct
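Review bot: `ssl_store_load_locations_file(X509_STORE **store_ptr, char *path)` should take `const char *path`; the helper only reads the path to hand it to the store loader, and callers pass configuration strings, so a non-const parameter either forces casts or silently allows the path to be modified. The body is cut off after `+struct` in this quote, so the loading and deduplication logic itself is not reviewable here.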
Fix bad merge from my branch,
> On 22 Nov 2019 at 11:35, Emmanuel Hocdet wrote:
>
>
> Patches update with compat lib-ssl and crl-file.
> Deduplicate Verify-stuff in memory will prevent file access when updating a
> certificate with CLI.
0001-MINOR-ssl-dedupli
Hi,
> On 29 Oct 2019 at 07:59, Willy Tarreau wrote:
>
> Please, let's revisit this after the release. The only people able to
> have a look at this and to have an opinion on it are all busy finishing
> this release.
>
Patches update with compat lib-ssl and crl-file.
Deduplicate Verify-stuf
Hi,
Very difficult to trigger the bug, except with specific test configuration like:
crt-list:
cert.pem !www.dom.tld
cert.pem *.dom.tld
If you can consider the patch.
Thanks
Manu
0001-BUG-MINOR-ssl-fix-crt-list-neg-filter-for-openssl-1..patch
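As an added example, not haproxy's code and not part of this thread, here is a Go model of crt-list filter matching for the two-line configuration quoted above, plus a third constructed entry ("secure.pem" with bracketed options and an exact filter). The precedence encoded in Lookup is an assumption modelled on the crt-list documentation rather than a copy of haproxy's lookup code: an exact filter wins, a negative filter takes its name out of wildcard matching so the default certificate is served, and a wildcard covers exactly one label.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is one crt-list line: certificate path, bracketed bind options (kept
// verbatim, not interpreted here) and the SNI filters that follow them.
type Entry struct {
	Cert    string
	Options []string
	Filters []string
}

// ParseCrtList parses the "<crtfile> [options] <filter>..." line format.
// Comments and blank lines are skipped. An entry with no filters would, in
// haproxy, apply to the names found in the certificate itself; this model
// only deals with explicit filters.
func ParseCrtList(text string) []Entry {
	var entries []Entry
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		e := Entry{Cert: fields[0]}
		rest := fields[1:]
		if len(rest) > 0 && strings.HasPrefix(rest[0], "[") {
			for len(rest) > 0 {
				tok := rest[0]
				rest = rest[1:]
				e.Options = append(e.Options, strings.Trim(tok, "[]"))
				if strings.HasSuffix(tok, "]") {
					break
				}
			}
		}
		e.Filters = rest
		entries = append(entries, e)
	}
	return entries
}

// wildcardKey turns "www.dom.tld" into "*.dom.tld", the only wildcard filter
// that can match it: a wildcard stands for exactly one label, so
// "a.b.dom.tld" yields "*.b.dom.tld" and is not covered by "*.dom.tld".
func wildcardKey(name string) string {
	i := strings.IndexByte(name, '.')
	if i < 0 {
		return ""
	}
	return "*" + name[i:]
}

// Lookup returns the certificate to present for an SNI, or "" when nothing
// matches and the bind line's default certificate applies. The precedence is
// an assumption modelled on the crt-list documentation, not haproxy's code:
//  1. an exact filter wins;
//  2. a negative filter "!name" takes that name out of wildcard matching, so
//     the default certificate is served for it;
//  3. a wildcard filter matches one extra label.
func Lookup(entries []Entry, sni string) string {
	sni = strings.ToLower(sni)
	negated := false
	for _, e := range entries {
		for _, f := range e.Filters {
			switch strings.ToLower(f) {
			case sni:
				return e.Cert
			case "!" + sni:
				negated = true
			}
		}
	}
	if negated {
		return ""
	}
	wild := wildcardKey(sni)
	for _, e := range entries {
		for _, f := range e.Filters {
			if strings.ToLower(f) == wild {
				return e.Cert
			}
		}
	}
	return ""
}

// sampleCrtList is the two lines from the report above plus a constructed
// third entry with bracketed options and an exact filter.
const sampleCrtList = `# constructed for the example
cert.pem !www.dom.tld
cert.pem *.dom.tld
secure.pem [alpn h2,http/1.1] secure.dom.tld
`

func main() {
	entries := ParseCrtList(sampleCrtList)
	for _, n := range []string{"www.dom.tld", "api.dom.tld", "secure.dom.tld", "a.b.dom.tld"} {
		fmt.Printf("%-16s -> %q\n", n, Lookup(entries, n))
	}
}
```

With this model "www.dom.tld" gets no certificate from the list (the negative filter wins over the wildcard, so the default certificate is used), "api.dom.tld" gets cert.pem through the wildcard, and "secure.dom.tld" gets secure.pem because an exact filter beats the wildcard on the other entry.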
Hi,
If you can consider the patch (related to CLI cert update)
Thanks
Manu
0001-BUG-MINOR-ssl-ssl_pkey_info_index-ex_data-can-store-.patch
Hi,
add a second patch to address ca-list case.
++
Manu
> On 24 Oct 2019 at 12:14, Emmanuel Hocdet wrote:
>
> Hi,
>
> Little patch with big win when ca-file is used in server line.
>
> ++
> Manu
>
> <0001-MINOR-ssl-deduplicate-ca-file.patch>
>
Hi,
Little patch with big win when ca-file is used in server line.
++
Manu
0001-MINOR-ssl-deduplicate-ca-file.patch
> On 27 Sep 2019 at 12:23, Geoff Simmons wrote:
>
> On 9/26/19 19:27, Emmanuel Hocdet wrote:
>
>>> And I wonder if there are situations in which someone will want to
>>> specifically choose one source of truth for authority over the other.
>>> Suppo
> On 26 Sep 2019 at 18:10, Geoff Simmons wrote:
>
> On 9/26/19 11:43, Emmanuel Hocdet wrote:
>>
>> Proposal reworking after playing with "authority" and looking at how
>> "src"/"dst" are working.
>>
>> "Authority" can come from transpor
Hi Tim,
> On 26 Sep 2019 at 15:11, Tim Düsterhus wrote:
>
> Manu,
>
> On 26.09.19 at 11:43, Emmanuel Hocdet wrote:
>> Included my patch for that proposal. (could be split with comments from this
>> mail)
>
> Did you forget to actually attach the patch
Hi,
Proposal reworking after playing with "authority" and looking at how "src"/"dst" are working.
"Authority" can come from transport layer (TLS), ProxyV2 TLV or "set-authority".
"src/dst" is set from transport layer (TCP), overwritten by Proxy-protocol and "set-{src,dst}"
I propose to do the sa
Hi,
Please consider this patch.
Thanks
Manu
0001-BUG-MINOR-build-fix-event-ports-Solaris.patch
patch update with bug fix
> On 10 Sep 2019 at 14:19, Emmanuel Hocdet wrote:
>
>
> Hi,
>
> Included, my first proposal for "set-authority" action, to set
> custom "authority" sample fetch.
>
> Use case could be to use "sni authority" in
Hi,
Included, my first proposal for "set-authority" action, to set
custom "authority" sample fetch.
Use case could be to use "sni authority" in server line.
For "proxy-v2-options authority", authority is picked from custom
authority ("set-authority"), ppv2 authority or ssl_fc_sni.
Sample
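The authority TLV and the precedence described above, as an added Go example that is neither haproxy's code nor part of this thread: BuildV2 is the sender side (a PROXY v2 header carrying PP2_TYPE_AUTHORITY, as "proxy-v2-options authority" would emit), ParseV2 is the receiver side with every length checked before use, and PickAuthority applies the "set-authority", then ppv2, then SNI order. Only the PROXY command over TCP/IPv4 is handled, the host-name check in validAuthority is an assumption rather than haproxy's rule, and the addresses and name are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// PROXY protocol v2 constants from haproxy's doc/proxy-protocol.txt.
var pp2Signature = []byte("\r\n\r\n\x00\r\nQUIT\n")

const (
	pp2VerCmdProxy   = 0x21 // version 2, PROXY command
	pp2TCPv4         = 0x11 // AF_INET, SOCK_STREAM
	pp2TypeAuthority = 0x02 // PP2_TYPE_AUTHORITY TLV
	pp2FixedLen      = 16   // signature + ver/cmd + family + 2-byte length
	pp2Inet4AddrLen  = 12   // src IP, dst IP, src port, dst port
)

// Header is what a receiver keeps from a v2 header.
type Header struct {
	Src, Dst         net.IP
	SrcPort, DstPort uint16
	Authority        string // "" when no PP2_TYPE_AUTHORITY TLV is present
}

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// validAuthority is a conservative host-name check (an assumption, not
// haproxy's code): non-empty, at most 255 bytes, printable ASCII only.
func validAuthority(v []byte) bool {
	if len(v) == 0 || len(v) > 255 {
		return false
	}
	for _, c := range v {
		if c < 0x21 || c > 0x7e {
			return false
		}
	}
	return true
}

// ParseV2 parses a TCP/IPv4 v2 PROXY header at the start of buf. Every length
// is checked against the bytes present before it is used, so a peer cannot
// make the reader run past the buffer with a short header or an oversized TLV.
func ParseV2(buf []byte) (*Header, error) {
	if len(buf) < pp2FixedLen || !bytes.Equal(buf[:12], pp2Signature) {
		return nil, errors.New("not a PROXY v2 header")
	}
	if buf[12] != pp2VerCmdProxy || buf[13] != pp2TCPv4 {
		return nil, errors.New("only v2 PROXY over TCP/IPv4 handled here")
	}
	n := int(binary.BigEndian.Uint16(buf[14:16]))
	if len(buf) < pp2FixedLen+n || n < pp2Inet4AddrLen {
		return nil, errors.New("truncated header")
	}
	p := buf[pp2FixedLen : pp2FixedLen+n]
	h := &Header{
		Src: net.IP(p[0:4]), Dst: net.IP(p[4:8]),
		SrcPort: binary.BigEndian.Uint16(p[8:10]),
		DstPort: binary.BigEndian.Uint16(p[10:12]),
	}
	// TLVs fill the rest: 1-byte type, 2-byte big-endian length, value.
	for tlvs := p[pp2Inet4AddrLen:]; len(tlvs) > 0; {
		if len(tlvs) < 3 {
			return nil, errors.New("truncated TLV header")
		}
		typ, vlen := tlvs[0], int(binary.BigEndian.Uint16(tlvs[1:3]))
		if len(tlvs) < 3+vlen {
			return nil, errors.New("TLV length exceeds header")
		}
		if val := tlvs[3 : 3+vlen]; typ == pp2TypeAuthority {
			if !validAuthority(val) {
				return nil, errors.New("invalid authority TLV")
			}
			h.Authority = string(val)
		}
		tlvs = tlvs[3+vlen:]
	}
	return h, nil
}

// BuildV2 is the sender side: a TCP/IPv4 header, optionally carrying an
// authority TLV, as "send-proxy-v2 ... proxy-v2-options authority" would emit.
func BuildV2(src, dst net.IP, sport, dport uint16, authority string) []byte {
	p := append(append([]byte{}, src.To4()...), dst.To4()...)
	p = be16(be16(p, sport), dport)
	if authority != "" {
		p = append(be16(append(p, pp2TypeAuthority), uint16(len(authority))), authority...)
	}
	hdr := append(append([]byte{}, pp2Signature...), pp2VerCmdProxy, pp2TCPv4)
	return append(be16(hdr, uint16(len(p))), p...)
}

// PickAuthority applies the precedence proposed above: "set-authority" value
// first, then the PROXY v2 TLV, then the TLS SNI (ssl_fc_sni).
func PickAuthority(custom, pp2, sni string) string {
	for _, a := range []string{custom, pp2, sni} {
		if a != "" {
			return a
		}
	}
	return ""
}

func main() {
	raw := BuildV2(net.IPv4(203, 0, 113, 7), net.IPv4(198, 51, 100, 9), 40000, 443, "www.example.test")
	h, err := ParseV2(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s:%d -> %s:%d authority=%q\n", h.Src, h.SrcPort, h.Dst, h.DstPort, h.Authority)
	fmt.Println("chosen:", PickAuthority("", h.Authority, "fallback.example.test"))
}
```

The two length checks in the TLV loop are the ones that matter for a listener with accept-proxy: the outer 2-byte header length bounds the whole payload, and each TLV's own length is then bounded by what remains, so a peer that declares a 65535-byte authority in a 47-byte header is rejected instead of read past.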
> On 31 Aug 2019 at 12:29, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Thu, Aug 29, 2019 at 03:22:11PM +0200, Emmanuel Hocdet wrote:
>> This patch follows Geoff's patch.
>
> Thanks for this. I didn't remember we automatically copied the SNI
> into the
Hi,
This patch follows Geoff's patch.
++
Manu
0001-MINOR-send-proxy-v2-sends-authority-TLV-according-to.patch
Hi Geoff,
For:
>
> @@ -630,6 +631,17 @@ int conn_recv_proxy(struct connection *conn, int flag)
> conn->proxy_netns = ns;
> break;
> }
> +
> + case PP2_TYP
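Review bot: the new `case PP2_TYP...` branch in `conn_recv_proxy` is truncated in the quote, so the point to confirm in the full patch is that the TLV's declared length is checked against the bytes remaining in the header before the authority value is copied, and that the stored copy is length-capped and not assumed NUL-terminated: the authority TLV comes from whichever upstream is allowed to send PROXY v2 to this listener and must be treated as untrusted input, exactly like the netns TLV handled in the preceding `case`.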
> On 22 Aug 2019 at 14:40, Willy Tarreau wrote:
>
> On Thu, Aug 22, 2019 at 11:36:00AM +0200, Geoff Simmons wrote:
>
>> I suspect that there are other ways that the authority TLV can be useful
>> for haproxy besides the specific Varnish case. Someone connecting via
>> TLS, for example, migh
HI Geoff, Willy
Great to see TLS onloader continue.
> On 22 Aug 2019 at 16:33, Geoff Simmons wrote:
>
> On 8/22/19 14:40, Willy Tarreau wrote:
>>
>>> I would suggest naming it something like fc_authority or
>>> fc_pp_authority, to be specific about where it came from.
>
> Since you use
Hi,
Two patches to fix (and simplify) 0-RTT for BoringSSL.
If you can consider them.
++
Manu
0001-BUG-MINOR-ssl-fix-0-RTT-for-BoringSSL.patch
0002-MINOR-ssl-ssl_fc_has_early-should-work-for-BoringSSL.patch
Hi Willy,
> On 1 Aug 2019 at 10:07, Willy Tarreau wrote:
> Hi Manu,
> On Travis CI there was a fairly recent regression on BoringSSL which
> happened between 03e09f3 and a7a0f99 a day ago. It breaks on definition
> of EVP_PKEY_base_id() in openssl-compat.h, which was not modified, and
> I guess this
Hi,
This patch is an update to follow Lukas's one.
Only the BoringSSL case is addressed, because I test it for BoringSSL.
It could be used by LibreSSL for "dontlognull" to work.
++
Manu
0001-BUG-MINOR-ssl-no-empty-handshake-detection-for-Borin.patch
> On 4 Jul 2019 at 18:55, Илья Шипицин wrote:
>
> can you provide some comment around code ?
>
> I think almost nobody can read such code
>
> Thu, 4 Jul 2019 at 21:17, Emmanuel Hocdet <m...@gandi.net>:
> Hi,
>
> This thread reminds
Hi,
This thread reminds me that with BoringSSL empty (and abort) handshake is not
set.
After tests BoringSSL seems to have a simpler case.
I sent a patch to fix that.
For OpenSSL <= 1.0.2, revert is the thing to do.
For LibreSSL, including it with the BoringSSL case could be ok (with my patch).
With tim
Hi,
This patch fix BoringSSL case.
++
Manu
0001-BUG-MINOR-ssl-empty-handshake-detection-for-BoringSS.patch
Hi,
no more leak after "BUG/MINOR: memory: Set objects size for pools in the
per-thread cache"
++
Manu
> On 5 Jun 2019 at 16:13, Emmanuel Hocdet wrote:
>
>
>> On 5 Jun 2019 at 16:07, Emmanuel Hocdet <m...@gandi.net> wrote:
>>
> On 5 Jun 2019 at 16:07, Emmanuel Hocdet wrote:
>
> Hi Frederic
>
>> On 5 Jun 2019 at 15:44, Frederic Lecaille <flecai...@haproxy.com> wrote:
>>
>> On 6/5/19 3:06 PM, Emmanuel Hocdet wrote:
>>> Hi,
>>
>>
Hi Frederic
> On 5 Jun 2019 at 15:44, Frederic Lecaille wrote:
>
> On 6/5/19 3:06 PM, Emmanuel Hocdet wrote:
>> Hi,
>
> Hi Emmanuel,
>
>> After switching to haproxy 1.9 with threads activated, I noticed a
>> significant memory leak.
>
> I
Hi,
After switching to haproxy 1.9 with threads activated, I noticed a significant
memory leak.
With threads disabled (and bind process omitted) the leak disappears.
This seems to be related to stick-table/peers with regard to the (simplified)
configuration.
++
Manu
ENV:
HA-Proxy version 1.9.8-1 2
Hi,
Simple cleanup to limit #defined inflation.
++
Manu
0001-CLEANUP-ssl-remove-unneeded-defined-OPENSSL_IS_BORIN.patch
Hi,
Updated patch series:
Fix OpenSSL < 1.0.2 compatibility.
More generic key for issuers ebtree.
++
Manu
0001-REORG-ssl-promote-cert_key_and_chain-handling.patch
0002-MINOR-ssl-use-STACK_OF-for-chain-certs.patch
0003-MINOR-ssl-add-extra-ch
> On 5 Apr 2019 at 13:05, William Lallemand wrote:
>
> On Fri, Apr 05, 2019 at 12:55:11PM +0200, Emmanuel Hocdet wrote:
>>
>> Hi,
>>
>> To test deinit, i come across this:
>>
>> # /srv/sources/haproxy/haproxy -f /etc/haproxy/ssl.cfg -d -x
Hi,
If you can consider this patch.
BoringSSL actually mimics OpenSSL 1.1.0 and has OPENSSL_VERSION_NUMBER set
accordingly.
++
Manu
0001-MINOR-ssl-Activate-aes_gcm_dec-converter-for-BoringS.patch
> On 9 Apr 2019 at 09:58, Aleksandar Lazic wrote:
>
> Hi Manu.
>
> On 05.04.2019 at 12:36, Emmanuel Hocdet wrote:
>> Hi Aleks,
>>
>> Thank you for having integrated BoringSSL!
>>
>>> On 29 Mar 2019 at 14:51, Aleksandar Lazic <
Hi,
To test deinit, i come across this:
# /srv/sources/haproxy/haproxy -f /etc/haproxy/ssl.cfg -d -x
/run/haproxy_ssl.sock -sf 15716
log on 15716 process:
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test
Hi Aleks,
Thank you for having integrated BoringSSL!
> On 29 Mar 2019 at 14:51, Aleksandar Lazic wrote:
>
> On 29.03.2019 at 14:25, Willy Tarreau wrote:
>> Hi Aleks,
>>
>> On Fri, Mar 29, 2019 at 02:09:28PM +0100, Aleksandar Lazic wrote:
>>> With openssl are 2 tests failed but I'm not sure be
> On 21 Jan 2019 at 19:31, Adam Langley wrote:
>
> On Mon, Jan 21, 2019 at 10:16 AM Dirkjan Bussink wrote:
>> Ah ok, I recently added support in HAProxy to handle the new
>> SSL_CTX_set_ciphersuites option since OpenSSL handles setting TLS 1.3
>> ciphers separate from the regular ones. A
> On 21 Jan 2019 at 19:07, Dirkjan Bussink wrote:
>
> Hi Manu,
>
>> On 21 Jan 2019, at 09:49, Emmanuel Hocdet wrote:
>>
>> Boringssl does not have SSL_OP_NO_RENEGOTIATION and needs KeyUpdate to work.
>> As workaround, SSL_OP_NO_RENEGOTIATION c
Hi,
> On 21 Jan 2019 at 17:06, Emeric Brun wrote:
>
> Interesting, it would be good to skip the check using the same method.
>
> We must stay careful to not put the OP_NO_RENEG flag on the client part (when
> haproxy connects to server), because reneg from server is authorized
> but i thin
> On 8 Jan 2019 at 15:02, William Lallemand wrote:
>
> On Tue, Jan 08, 2019 at 02:03:22PM +0100, Tim Düsterhus wrote:
>> Emmanuel,
>>
>> On 08.01.19 at 13:53, Emmanuel Hocdet wrote:
>>> Without master/worker, haproxy reload works with an active wait
Hi,
Without master/worker, haproxy reload works with an active wait (haproxy
exec).
With master/worker, kill -USR2 returns immediately: is there a way to know when
the reload is finished?
++
Manu
Hi Emeric,
> On 7 Jan 2019 at 18:11, Emeric Brun wrote:
>
> Hi Manu,
>
> On 1/7/19 5:59 PM, Emmanuel Hocdet wrote:
>> It's better with patches…
>>
>>> On 7 Jan 2019 at 17:57, Emmanuel Hocdet <m...@gandi.net> wrote
It's better with patches…
> On 7 Jan 2019 at 17:57, Emmanuel Hocdet <m...@gandi.net> wrote:
> Hi,
> Following the first patch series (included).
> The goal is to deduplicate common certificates in memory and in shared pem files.
> PATCH 7/8 is only for boringssl (directive to dedup certificate in
2.1.2. (1))
If you want to test it, the patch series can be applied to haproxy-dev or
haproxy-1.9.
Feedbacks are welcome :)
++
Manu
> On 12 Dec 2018 at 12:23, Emmanuel Hocdet wrote:
>
>
> Hi,
>
> I tried to improve the haproxy loading time with a lot of certificates, and
Hi Julien,
> On 12 Dec 2018 at 14:28, Julien Laffaye wrote:
>
>
> On Wed, Dec 12, 2018 at 12:24 PM Emmanuel Hocdet <m...@gandi.net> wrote:
>
> Hi,
>
> I tried to improve the haproxy loading time with a lot of certificates, and
> see a double f
Hi,
I tried to improve the haproxy loading time with a lot of certificates, and saw
a double file
open for each certificate (one for private-key and one for the cert/chain).
The multi-cert loading part does not have this issue and is a good candidate for sharing
code:
patches is this work with factoring/c
Hi Aleks,
> On 12 Nov 2018 at 18:02, Aleksandar Lazic wrote:
>
> Hi Manu.
>
> On 12.11.2018 at 16:19, Emmanuel Hocdet wrote:
>>
>> Hi,
>>
>> The primary (major) step should be to deal with QUIC transport (over UDP).
>> At the same level as TC
Hi,
The primary (major) step should be to deal with QUIC transport (over UDP).
At the same level as TCP for haproxy?
Willy should already have a little idea on it ;-)
++
Manu
> On 11 Nov 2018 at 20:38, Aleksandar Lazic wrote:
>
> Hi.
>
> FYI.
>
> Oh no, that was quite fast after HTTP/2
Hi,
For generate-certificates, X509V3_EXT_conf is used but it's a (very) old API
call: X509V3_EXT_nconf must be preferred. OpenSSL compatibility is ok
because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduced 5
years after X509V3_EXT_nconf.
(BoringSSL only has X509V3_EXT_nconf)
Christ
Hi Aleks,
> On 25 Sep 2018 at 08:05, Aleksandar Lazic wrote:
>
> Hi.
>
> Have anyone seen this?
>
> https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https
>
> It looks very interesting for higher privacy.
>
Yep.
Also
https://datatracker.ietf.org/meeting/102/materi
> On 18 Sep 2018 at 11:54, Lukas Tribus wrote:
>
> Hi Manu,
>
>
> On Fri, 14 Sep 2018 at 15:45, Emmanuel Hocdet wrote:
>>
>> Hi,
>>
>> Quick test with 1.9-dev2, and I see latency (in seconds) to connect to
>> haproxy with SSL (tcp mode)
Hi Thierry,
> On 15 Sep 2018 at 18:06, Thierry Fournier wrote:
>
> Hi,
>
> I tried to use per-context options, in order to enable HTTP2 for a short
> list of SNI. I just add lines like this:
>
> /certif1.pem [alpn h2,http/1.1] my-h2-host.com
> /certif2.pem my-other-host.com
>
> Th
Hi,
Quick test with 1.9-dev2, and I see latency (in seconds) to connect to haproxy
with SSL (tcp mode).
It’s ok in master with 9f9b0c6a.
No time to investigate more for the moment.
++
Manu
> On 14 Sep 2018 at 14:01, Dirkjan Bussink wrote:
>
> Hi all,
>
>> On 14 Sep 2018, at 12:18, Emmanuel Hocdet wrote:
>>
>> Same deal with boringssl, TLSv <= 1.2 ciphers configuration and TLSv1.3
>> ciphers are segregated.
>>
Hi Emeric, Lukas, Dirkjan
> On 14 Sep 2018 at 11:12, Emeric Brun wrote:
>
> Hi Lukas, Dirkjan,
>
> On 09/13/2018 10:17 PM, Lukas Tribus wrote:
>> Hello Dirkjan,
>>
>>
>> On Thu, 13 Sep 2018 at 16:44, Dirkjan Bussink wrote:
>>> So with a new API call, does that mean adding for example a
Hi Lukas, Emeric
This patch fixes the issue. If you can check it.
Thanks
Manu
0001-BUG-MEDIUM-ECC-cert-should-work-with-TLS-v1.2-and-op.patch
Hi Lukas,
> On 2 Sep 2018 at 15:31, Lukas Tribus wrote:
> On Sat, 1 Sep 2018 at 20:49, Lukas Tribus wrote:
>>> I've confirmed the change in behavior only happens with an ECC
>>> certificate, an RSA certificate is not affected.
>>
>> Just to confirm that this is still an actual problem with
> On 25 Jul 2018 at 10:34, Emmanuel Hocdet <m...@gandi.net> wrote:
> Hi Willy
>> On 24 Jul 2018 at 18:59, Willy Tarreau <w...@1wt.eu> wrote:
>> Hi Manu,
>> On Mon, Jul 23, 2018 at 06:12:34PM +0200, Emmanuel Hocdet wrote:
>>> Hi Willy,
>>> This patch is necessary to build with current BoringSSL (SSL_SE
Hi Willy
> On 24 Jul 2018 at 18:59, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Mon, Jul 23, 2018 at 06:12:34PM +0200, Emmanuel Hocdet wrote:
>> Hi Willy,
>>
>> This patch is necessary to build with current BoringSSL (SSL_SESSION is now
>> opaque).
Hi Willy,
This patch is necessary to build with current BoringSSL (SSL_SESSION is now
opaque).
BoringSSL correctly matches OpenSSL 1.1.0 since 3b2ff028 for haproxy needs.
The patch reverts part of haproxy 019f9b10 (openssl-compat.h).
This will not break openssl/libressl compat.
Can you consider i
1 - 100 of 302 matches