[PATCH] MINOR: ssl: add ssl-skip-self-issued-ca global option

2020-04-22 Thread Emmanuel Hocdet
And voilà. Attachment: 0001-MINOR-ssl-add-ssl-skip-self-issued-ca-global-option.patch

Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-04-22 Thread Emmanuel Hocdet
> On 21 Apr 2020 at 10:58, William Lallemand wrote: > > On Fri, Apr 03, 2020 at 10:34:12AM +0200, Emmanuel Hocdet wrote: >> >>> On 31 Mar 2020 at 18:40, William Lallemand wrote: >>> >>> On Thu, Mar 26, 2020 at 06:29:48PM +0

Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-04-03 Thread Emmanuel Hocdet
> On 31 Mar 2020 at 18:40, William Lallemand wrote: > > On Thu, Mar 26, 2020 at 06:29:48PM +0100, William Lallemand wrote: >> >> After some thinking and discussing with people involved in this part of >> HAProxy. I'm not feeling very comfortable with setting this behavior by >> default, on

Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-03-26 Thread Emmanuel Hocdet
> On 26 Mar 2020 at 14:11, Илья Шипицин wrote: > > > > Thu, 26 Mar 2020 at 17:27, Emmanuel Hocdet <m...@gandi.net>: > > > On 26 Mar 2020 at 13:02, Илья Шипицин <chipits...@gmail.com> wrote: > > >

Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-03-26 Thread Emmanuel Hocdet
> On 26 Mar 2020 at 13:02, Илья Шипицин wrote: > > RootCA is needed if you send cross certificate as well. > > It is very rare but legitimate case. It's only for self-issued CA, it should be safe, right?

Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-03-25 Thread Emmanuel Hocdet
Hi, Patch rebased from master. > On 6 Mar 2020 at 17:06, Emmanuel Hocdet wrote: > > Hi, > > > Patch proposal. > I will update the documentation if this feature is approved. > ++ Manu Attachment: 0001-MINOR-ssl-skip-self-issued-CA-in-cert-chain-for-ssl_.patch

[PATCH] MINOR: ssl: rework add cert chain to CTX to be libssl independent

2020-03-23 Thread Emmanuel Hocdet
Hi, This patch removes the #ifdef compatibility for adding the cert chain to the CTX; the goal is to simplify the code. It's an extract from the "[PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx" proposal. ++ Manu Attachment: 0001-MINOR-ssl-rework-add-cert-chain-to-CTX-to-be-libssl-.patch

Re: [PATCH] CLEANUP: ssl: rename ssl_get_issuer_chain to ssl_get0_issuer_chain

2020-03-23 Thread Emmanuel Hocdet
> On 23 Mar 2020 at 15:12, William Lallemand wrote: > > On Mon, Mar 23, 2020 at 02:50:03PM +0100, Emmanuel Hocdet wrote: >> >> As discussed in #559 >> > > Can't we return directly a STACK_OF(X509)* structure instead of the > struct issuer_chain *

[PATCH] CLEANUP: ssl: rename ssl_get_issuer_chain to ssl_get0_issuer_chain

2020-03-23 Thread Emmanuel Hocdet
As discussed in #559. Attachment: 0001-CLEANUP-ssl-rename-ssl_get_issuer_chain-to-ssl_get0_.patch

Re: [PATCH] fix memory leak, issue 559

2020-03-23 Thread Emmanuel Hocdet
Hi, This issue was introduced by #516. find_chain must not be freed. Patch attached. > On 21 Mar 2020 at 15:23, Илья Шипицин wrote: > > Hello, > > I attached patch that fixes memory leak, described in #559 > ++ Manu Attachment: 0001-BUG-MINOR-ssl-memory-leak-when-find_chain-is-NULL.patch

[PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-03-06 Thread Emmanuel Hocdet
Hi, Patch proposal. I will update the documentation if this feature is approved. ++ Manu Attachment: 0001-MINOR-ssl-skip-self-issued-CA-in-cert-chain-for-ssl_.patch

[PATCH] MINOR: ssl: add "ca-verify-file" directive

2020-03-04 Thread Emmanuel Hocdet
Hi, "ca-no-names-file" renamed to "ca-verify-file". ++ Manu Attachment: 0001-MINOR-ssl-add-ca-verify-file-directive.patch

[PATCH] MINOR: ssl: add "ca-no-names-file" directive

2020-03-03 Thread Emmanuel Hocdet
Rebase from dev branch (https://github.com/haproxy/haproxy/issues/404). ++ Manu On 20 Dec 2019 at 17:00, Emmanuel Hocdet <m...@gandi.net> wrote: patch update, On 19 Dec 2019 at 17:08, Emmanuel Hocdet <m...@gandi.net> wrote: With this proposition, ca-root-file should be renamed to somet

Re: [PATCH 4/4] MINOR: ssl: "show ssl cert" command should print the "Chain filename:"

2020-02-26 Thread Emmanuel Hocdet
Hi, On 18 Feb 2020 at 17:49, Emmanuel Hocdet <m...@gandi.net> wrote: Yes. Showing the chain filename would be very helpful. For that I think a good way would be to keep ckch->chain and ckch->issuer with value (or NULL) from PEM/, and resolve chain and ocsp_issuer when needed. "s

[PATCH 4/4] MINOR: ssl: "show ssl cert" command should print the "Chain filename:"

2020-02-18 Thread Emmanuel Hocdet
Hi, On 18 Feb 2020 at 11:45, Emmanuel Hocdet <m...@gandi.net> wrote: I think we will probably need more information in the "show ssl cert" output in the future so the users can debug this kind of feature easily. Yes. Showing the chain filename would be very helpful. For that I think

Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-18 Thread Emmanuel Hocdet
> On 18 Feb 2020 at 14:36, William Lallemand wrote: > > On Tue, Feb 18, 2020 at 01:58:39PM +0100, Emmanuel Hocdet wrote: >> >>> On 18 Feb 2020 at 11:45, Emmanuel Hocdet wrote: >>> >>>> Can you add a little bit of explanation on

Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-18 Thread Emmanuel Hocdet
On 18 Feb 2020 at 11:45, Emmanuel Hocdet <m...@gandi.net> wrote: Can you add a little bit of explanation on how the discovery of the issuer is done in the documentation? OK, documentation updated: Attachment: 0001-MINOR-ssl-add-issuers-chain-path-directive.patch

Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-18 Thread Emmanuel Hocdet
Hi William > On 14 Feb 2020 at 15:59, William Lallemand wrote: > > On Fri, Feb 14, 2020 at 03:25:48PM +0100, Emmanuel Hocdet wrote: >> Hi, >> >> Is there any hope that this proposal will be considered before HAProxy 2.2? >> >> ++ >> Manu

Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-14 Thread Emmanuel Hocdet
Hi, Is there any hope that this proposal will be considered before HAProxy 2.2? ++ Manu > On 31 Jan 2020 at 16:06, Emmanuel Hocdet wrote: > > >> On 31 Jan 2020 at 12:22, Emmanuel Hocdet wrote: > >> >> I will send a new patch for "issuers

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-31 Thread Emmanuel Hocdet
Hi William, > On 27 Jan 2020 at 16:55, Emmanuel Hocdet wrote: >> >> With 'ssl crt foo.pem chain bar.pem', or crt-list with 'foo.pem [chain >> bar.pem]', >> deduplicating the chain looks like deduplicating ca-file. >> Finding ocsp_issuer with this chain doesn't w

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-27 Thread Emmanuel Hocdet
Hi William, > > With 'ssl crt foo.pem chain bar.pem', or crt-list with 'foo.pem [chain > bar.pem]', > deduplicating the chain looks like deduplicating ca-file. > Finding ocsp_issuer with this chain doesn't work directly, but it seems doable. > For CLI, reloading the cert when the chain is updated seems also

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-24 Thread Emmanuel Hocdet
> On 24 Jan 2020 at 16:38, William Lallemand wrote: > > On Fri, Jan 24, 2020 at 01:22:05PM +0100, Emmanuel Hocdet wrote: >> >> Hi William, >> > Hello Manu! > >>> On 23 Jan 2020 at 16:20, William Lallemand wrote: >>

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-24 Thread Emmanuel Hocdet
Hi Tim, > On 23 Jan 2020 at 17:21, Tim Düsterhus wrote: > > Manu, > > On 21.01.20 at 12:42, Emmanuel Hocdet wrote: >> Patches updated, depend on "[PATCH] BUG/MINOR: ssl: >> ssl_sock_load_pem_into_ckch is not consistent" > > Out of curiosity:

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-24 Thread Emmanuel Hocdet
Hi William, > On 23 Jan 2020 at 16:20, William Lallemand wrote: > > On Tue, Jan 21, 2020 at 12:42:04PM +0100, Emmanuel Hocdet wrote: >> Hi, >> >> Patches updated, depend on "[PATCH] BUG/MINOR: ssl: >> ssl_sock_load_pem_into_ckch is not consistent"

[PATCH] BUG/MINOR: ssl: ocsp_issuer must be set in the right way

2020-01-23 Thread Emmanuel Hocdet
Following discussion from "[PATCH] BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent". Attachment: 0001-BUG-MINOR-ssl-ocsp_issuer-must-be-set-in-the-right-w.patch

Re: [PATCH] BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent

2020-01-23 Thread Emmanuel Hocdet
> On 23 Jan 2020 at 11:19, William Lallemand wrote: > > On Wed, Jan 22, 2020 at 05:22:51PM +0100, Emmanuel Hocdet wrote: >> >>> On 22 Jan 2020 at 15:56, William Lallemand wrote: >>> >> Indeed, and the case of ckch->ocsp_issuer

Re: [PATCH] BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent

2020-01-22 Thread Emmanuel Hocdet
> On 22 Jan 2020 at 15:56, William Lallemand wrote: > > On Mon, Jan 20, 2020 at 05:13:13PM +0100, Emmanuel Hocdet wrote: >> >> Hi, >> >> Proposal to fix the issue. >> > > The purpose at the beginning was to be able to keep a .dh / .ocsp et

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-21 Thread Emmanuel Hocdet
Hi, Patches updated, depend on "[PATCH] BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent" ++ Manu On 10 Apr 2019 at 13:23, Emmanuel Hocdet <m...@gandi.net> wrote: Hi, Updated patch series: Fix OpenSSL < 1.0.2 compatibility. More generic key for issuers ebtree. ++ Manu

[PATCH] MINOR: ssl: accept 'verify' bind option with 'set ssl cert'

2020-01-20 Thread Emmanuel Hocdet
Hi, A last patch for today. ++ Manu Attachment: 0001-MINOR-ssl-accept-verify-bind-option-with-set-ssl-cer.patch

[PATCH] BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent

2020-01-20 Thread Emmanuel Hocdet
Hi, Proposal to fix the issue. ++ Manu Attachment: 0001-BUG-MINOR-ssl-ssl_sock_load_pem_into_ckch-is-not-con.patch

[PATCH] BUG/MINOR: ssl: fix 3 memory leaks with set ssl cert

2020-01-20 Thread Emmanuel Hocdet
Hi, Fix memory leaks with "set ssl cert". ++ Manu Attachments: 0001-BUG-MINOR-ssl-ssl_sock_load_ocsp_response_from_file-.patch, 0002-BUG-MINOR-ssl-ssl_sock_load_issuer_file_into_ckch-me.patch

[PATCH] MINOR: ssl: add "ca-no-names-file" directive

2019-12-20 Thread Emmanuel Hocdet
Patch update. On 19 Dec 2019 at 17:08, Emmanuel Hocdet <m...@gandi.net> wrote: With this proposition, ca-root-file should be renamed to something like ca-end-file. Refer to the https://github.com/haproxy/haproxy/issues/404 discussion. On 19 Dec 2019 at 13:10, Emmanuel Hocdet <m...@gandi.net>

Re: [PATCH] MINOR: ssl: add "ca-root-file" directive

2019-12-19 Thread Emmanuel Hocdet
With this proposition, ca-root-file should be renamed to something like ca-end-file. Refer to the https://github.com/haproxy/haproxy/issues/404 discussion. > On 19 Dec 2019 at 13:10, Emmanuel Hocdet wrote: > > > Hi

[PATCH] MINOR: ssl: add "ca-root-file" directive

2019-12-19 Thread Emmanuel Hocdet
Hi, The purpose of this patch is to fix #404 and keep compatibility with the actual "ca-file" directive for the bind line. ++ Manu Attachment: 0001-MINOR-ssl-add-ca-root-file-directive.patch

[PATCH] BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1

2019-12-02 Thread Emmanuel Hocdet
Hi, Addresses #394. ++ Manu Attachment: 0001-BUG-MINOR-ssl-certificate-choice-can-be-unexpected-w.patch

[PATCH] BUG/MINOR: ssl: fix X509 compatibility for openssl < 1.1.0

2019-12-02 Thread Emmanuel Hocdet
Hi, > On 2 Dec 2019 at 08:12, William Lallemand wrote: > > It seems to have broken the build on centos 6, could you take a look at this > ticket? > > https://github.com/haproxy/haproxy/issues/385 > > Fix tested with openssl 1.0.1 ++ Manu

[PATCH] BUG/MINOR: ssl: fix SSL_CTX_set1_chain compatibility for openssl < 1.0.2

2019-11-29 Thread Emmanuel Hocdet
Hi, A forgotten fix, comment updated. ++ Manu Attachment: 0001-BUG-MINOR-ssl-fix-SSL_CTX_set1_chain-compatibility-f.patch

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-11-27 Thread Emmanuel Hocdet
Hi, > On 27 Nov 2019 at 03:46, Willy Tarreau wrote: > >> @@ -5046,7 +5046,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, >> struct ssl_bind_conf *ssl_ >> NULL); >> >> if (ecdhe == NULL) { >> +#if defined(SSL_CTX_set_ecdh_auto) >>

Re: [PATCH] MINOR: ssl: deduplicate ca-file

2019-11-26 Thread Emmanuel Hocdet
Hi William, > On 22 Nov 2019 at 17:34, William Lallemand wrote: > > Hi Manu, > > I have a few questions/remarks below: > >> Subject: [PATCH 1/3] MINOR: ssl: deduplicate ca-file >> [...] >> >> +static int ssl_store_load_locations_file(X509_STORE **store_ptr, char *path) >> +{ >> +

Re: [PATCH] MINOR: ssl: deduplicate ca-file

2019-11-22 Thread Emmanuel Hocdet
Fix bad merge from my branch. > On 22 Nov 2019 at 11:35, Emmanuel Hocdet wrote: > > > Patches updated with compat lib-ssl and crl-file. > Deduplicating the verify stuff in memory will prevent file access when updating a > certificate with the CLI. 0001-MINOR-ssl-dedupli

Re: [PATCH] MINOR: ssl: deduplicate ca-file

2019-11-22 Thread Emmanuel Hocdet
Hi, > On 29 Oct 2019 at 07:59, Willy Tarreau wrote: > > Please, let's revisit this after the release. The only people able to > have a look at this and to have an opinion on it are all busy finishing > this release. > Patches updated with compat lib-ssl and crl-file. Deduplicate

[PATCH] BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1

2019-11-06 Thread Emmanuel Hocdet
Hi, Very difficult to trigger the bug, except with a specific test configuration like: crt-list: cert.pem !www.dom.tld cert.pem *.dom.tld If you can consider the patch. Thanks Manu Attachment: 0001-BUG-MINOR-ssl-fix-crt-list-neg-filter-for-openssl-1..patch

[PATCH] BUG/MINOR: ssl: ssl_pkey_info_index ex_data can store a dereferenced pointer

2019-11-06 Thread Emmanuel Hocdet
Hi, If you can consider the patch (related to CLI cert update). Thanks Manu Attachment: 0001-BUG-MINOR-ssl-ssl_pkey_info_index-ex_data-can-store-.patch

Re: [PATCH] MINOR: ssl: deduplicate ca-file

2019-10-25 Thread Emmanuel Hocdet
Hi, Added a second patch to address the ca-list case. ++ Manu > On 24 Oct 2019 at 12:14, Emmanuel Hocdet wrote: > > Hi, > > Little patch with big win when ca-file is used in server line. > > ++ > Manu > > <0001-MINOR-ssl-deduplicate-ca-file.patch> > 0

[PATCH] MINOR: ssl: deduplicate ca-file

2019-10-24 Thread Emmanuel Hocdet
Hi, Little patch with big win when ca-file is used in the server line. ++ Manu Attachment: 0001-MINOR-ssl-deduplicate-ca-file.patch

Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-27 Thread Emmanuel Hocdet
> On 27 Sep 2019 at 12:23, Geoff Simmons wrote: > > On 9/26/19 19:27, Emmanuel Hocdet wrote: > >>> And I wonder if there are situations in which someone will want to >>> specifically choose one source of truth for authority over the other. >>>

Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-26 Thread Emmanuel Hocdet
> On 26 Sep 2019 at 18:10, Geoff Simmons wrote: > > On 9/26/19 11:43, Emmanuel Hocdet wrote: >> >> Proposal reworking after playing with "authority" and looking at how "src"/"dst" are working. >> >> "Authority" can come from transpor

Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-26 Thread Emmanuel Hocdet
Hi Tim, > On 26 Sep 2019 at 15:11, Tim Düsterhus wrote: > > Manu, > > On 26.09.19 at 11:43, Emmanuel Hocdet wrote: >> Included my patch for that proposal. (could be split with comments from this >> mail) > > Did you forget to actually attach the patch

Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-26 Thread Emmanuel Hocdet
Hi, Proposal reworking after playing with "authority" and looking at how "src"/"dst" are working. "Authority" can come from the transport layer (TLS), ProxyV2 TLV or "set-authority". "src/dst" is set from the transport layer (TCP), overwritten by Proxy-protocol and "set-{src,dst}". I propose to do the

[PATCH] BUG/MINOR: build: fix event ports (Solaris)

2019-09-19 Thread Emmanuel Hocdet
Hi, Please consider this patch. Thanks Manu Attachment: 0001-BUG-MINOR-build-fix-event-ports-Solaris.patch

Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-12 Thread Emmanuel Hocdet
Patch update with bug fix > On 10 Sep 2019 at 14:19, Emmanuel Hocdet wrote: > > > Hi, > > Included, my first proposal for "set-authority" action, to set > custom "authority" sample fetch. > > Use case could be to use "sni authority" in

[PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-10 Thread Emmanuel Hocdet
Hi, Included, my first proposal for a "set-authority" action, to set a custom "authority" sample fetch. Use case could be to use "sni authority" in the server line. For "proxy-v2-options authority", authority is picked from the custom authority ("set-authority"), ppv2 authority or ssl_fc_sni. Sample

Re: [PATCH] MINOR: send-proxy-v2: sends authority TLV according to TLV received

2019-09-02 Thread Emmanuel Hocdet
> On 31 Aug 2019 at 12:29, Willy Tarreau wrote: > > Hi Manu, > > On Thu, Aug 29, 2019 at 03:22:11PM +0200, Emmanuel Hocdet wrote: >> This patch follows Geoff's patch. > > Thanks for this. I didn't remember we automatically copied the SNI > into the PP. I'm s

[PATCH] MINOR: send-proxy-v2: sends authority TLV according to TLV received

2019-08-29 Thread Emmanuel Hocdet
Hi, This patch follows Geoff's patch. ++ Manu Attachment: 0001-MINOR-send-proxy-v2-sends-authority-TLV-according-to.patch

Re: [PATCH] MINOR: Add the fc_pp_authority fetch -- authority TLV from PROXYv2

2019-08-27 Thread Emmanuel Hocdet
Hi Geoff, For: > > @@ -630,6 +631,17 @@ int conn_recv_proxy(struct connection *conn, int flag) > conn->proxy_netns = ns; > break; > } > + > + case

Re: [RFC] setting the backend SNI from the client's authority TLV, when the target address was forwarded

2019-08-27 Thread Emmanuel Hocdet
> On 22 Aug 2019 at 14:40, Willy Tarreau wrote: > > On Thu, Aug 22, 2019 at 11:36:00AM +0200, Geoff Simmons wrote: > >> I suspect that there are other ways that the authority TLV can be useful >> for haproxy besides the specific Varnish case. Someone connecting via >> TLS, for example,

Re: [RFC] setting the backend SNI from the client's authority TLV, when the target address was forwarded

2019-08-26 Thread Emmanuel Hocdet
Hi Geoff, Willy, Great to see the TLS onloader continue. > On 22 Aug 2019 at 16:33, Geoff Simmons wrote: > > On 8/22/19 14:40, Willy Tarreau wrote: >> >>> I would suggest naming it something like fc_authority or >>> fc_pp_authority, to be specific about where it came from. > > Since you

[PATCH] BUG/MINOR: ssl: fix 0-RTT for BoringSSL

2019-08-07 Thread Emmanuel Hocdet
Hi, Two patches to fix (and simplify) 0-RTT for BoringSSL. If you can consider them. ++ Manu Attachments: 0001-BUG-MINOR-ssl-fix-0-RTT-for-BoringSSL.patch, 0002-MINOR-ssl-ssl_fc_has_early-should-work-for-BoringSSL.patch

Re: Recent BoringSSL build breakage

2019-08-01 Thread Emmanuel Hocdet
Hi Willy, On 1 Aug 2019 at 10:07, Willy Tarreau wrote: Hi Manu, On Travis CI there was a fairly recent regression on BoringSSL which happened between 03e09f3 and a7a0f99 a day ago. It breaks on definition of EVP_PKEY_base_id() in openssl-compat.h, which was not modified, and I guess

Re: [PATCH] BUG/MINOR: ssl: (no) empty handshake detection for BoringSSL

2019-07-18 Thread Emmanuel Hocdet
Hi, This patch is an update to follow Lukas's one. Only the BoringSSL case is addressed, because I tested it for BoringSSL. It could be used by LibreSSL for "dontlognull" to work. ++ Manu Attachment: 0001-BUG-MINOR-ssl-no-empty-handshake-detection-for-Borin.patch

Re: [RFC PATCH] BUG/MINOR: ssl: revert empty handshake detection in OpenSSL <= 1.0.2

2019-07-05 Thread Emmanuel Hocdet
> On 4 Jul 2019 at 18:55, Илья Шипицин wrote: > > can you provide some comment around code ? > > I think almost nobody can read such code > > Thu, 4 Jul 2019 at 21:17, Emmanuel Hocdet <m...@gandi.net>: > Hi, > > This thread reminds

Re: [RFC PATCH] BUG/MINOR: ssl: revert empty handshake detection in OpenSSL <= 1.0.2

2019-07-04 Thread Emmanuel Hocdet
Hi, This thread reminds me that with BoringSSL the empty (and abort) handshake is not set. After tests, BoringSSL seems to have a simpler case. I sent a patch to fix that. For OpenSSL <= 1.0.2, revert is the thing to do. For LibreSSL, including it with the BoringSSL case could be ok (with my patch). With

[PATCH] BUG/MINOR: ssl: empty handshake detection for BoringSSL

2019-07-04 Thread Emmanuel Hocdet
Hi, This patch fixes the BoringSSL case. ++ Manu Attachment: 0001-BUG-MINOR-ssl-empty-handshake-detection-for-BoringSS.patch

Re: [BUG] memory leak with threads and stick-table/peers

2019-07-01 Thread Emmanuel Hocdet
Hi, No more leak after "BUG/MINOR: memory: Set objects size for pools in the per-thread cache" ++ Manu > On 5 Jun 2019 at 16:13, Emmanuel Hocdet wrote: > > >> On 5 Jun 2019 at 16:07, Emmanuel Hocdet <m...@gandi.net> wrote: >>

Re: [BUG] memory leak with threads and stick-table/peers

2019-06-05 Thread Emmanuel Hocdet
> On 5 Jun 2019 at 16:07, Emmanuel Hocdet wrote: > > Hi Frederic > >> On 5 Jun 2019 at 15:44, Frederic Lecaille <flecai...@haproxy.com> wrote: >> >> On 6/5/19 3:06 PM, Emmanuel Hocdet wrote: >>> Hi, >> >>

Re: [BUG] memory leak with threads and stick-table/peers

2019-06-05 Thread Emmanuel Hocdet
Hi Frederic > On 5 Jun 2019 at 15:44, Frederic Lecaille wrote: > > On 6/5/19 3:06 PM, Emmanuel Hocdet wrote: >> Hi, > > Hi Emmanuel, > >> After switching to haproxy 1.9 with threads activated, I noticed a >> significant memory leak. > > I

[BUG] memory leak with threads and stick-table/peers

2019-06-05 Thread Emmanuel Hocdet
Hi, After switching to haproxy 1.9 with threads activated, I noticed a significant memory leak. With threads disabled (and bind process omitted) the leak disappears. This seems to be related to stick-table/peers with regard to the (simplified) configuration. ++ Manu ENV: HA-Proxy version 1.9.8-1

[PATCH] CLEANUP: ssl: remove unneeded defined(OPENSSL_IS_BORINGSSL)

2019-06-04 Thread Emmanuel Hocdet
Hi, Simple cleanup to limit #defined inflation. ++ Manu Attachment: 0001-CLEANUP-ssl-remove-unneeded-defined-OPENSSL_IS_BORIN.patch

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-04-10 Thread Emmanuel Hocdet
Hi, Updated patch series: Fix OpenSSL < 1.0.2 compatibility. More generic key for issuers ebtree. ++ Manu Attachments: 0001-REORG-ssl-promote-cert_key_and_chain-handling.patch, 0002-MINOR-ssl-use-STACK_OF-for-chain-certs.patch

Re: Abort on exit "libgcc_s.so.1 must be installed for pthread_cancel to work"

2019-04-10 Thread Emmanuel Hocdet
> On 5 Apr 2019 at 13:05, William Lallemand wrote: > > On Fri, Apr 05, 2019 at 12:55:11PM +0200, Emmanuel Hocdet wrote: >> >> Hi, >> >> To test deinit, I came across this: >> >> # /srv/sources/haproxy/haproxy -f /etc/haproxy/ssl.cfg -d -x

[PATCH] MINOR: ssl: Activate aes_gcm_dec converter for BoringSSL

2019-04-10 Thread Emmanuel Hocdet
Hi, If you can consider this patch. BoringSSL actually mimics OpenSSL 1.1.0 and has OPENSSL_VERSION_NUMBER set accordingly. ++ Manu Attachment: 0001-MINOR-ssl-Activate-aes_gcm_dec-converter-for-BoringS.patch

Re: [ANNOUNCE] haproxy-1.9.6

2019-04-09 Thread Emmanuel Hocdet
> On 9 Apr 2019 at 09:58, Aleksandar Lazic wrote: > > Hi Manu. > > On 05.04.2019 at 12:36, Emmanuel Hocdet wrote: >> Hi Aleks, >> >> Thank you for having integrated BoringSSL! >> >>> On 29 Mar 2019 at 14:51, Aleksandar Lazic >>

Abort on exit "libgcc_s.so.1 must be installed for pthread_cancel to work"

2019-04-05 Thread Emmanuel Hocdet
Hi, To test deinit, I came across this: # /srv/sources/haproxy/haproxy -f /etc/haproxy/ssl.cfg -d -x /run/haproxy_ssl.sock -sf 15716 log on 15716 process: Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test

Re: [ANNOUNCE] haproxy-1.9.6

2019-04-05 Thread Emmanuel Hocdet
Hi Aleks, Thank you for having integrated BoringSSL! > On 29 Mar 2019 at 14:51, Aleksandar Lazic wrote: > > On 29.03.2019 at 14:25, Willy Tarreau wrote: >> Hi Aleks, >> >> On Fri, Mar 29, 2019 at 02:09:28PM +0100, Aleksandar Lazic wrote: >>> With openssl, 2 tests failed but I'm not sure

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Emmanuel Hocdet
> On 21 Jan 2019 at 19:31, Adam Langley wrote: > > On Mon, Jan 21, 2019 at 10:16 AM Dirkjan Bussink wrote: >> Ah ok, I recently added support in HAProxy to handle the new >> SSL_CTX_set_ciphersuites option since OpenSSL handles setting TLS 1.3 >> ciphers separate from the regular ones.

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-22 Thread Emmanuel Hocdet
> On 21 Jan 2019 at 19:07, Dirkjan Bussink wrote: > > Hi Manu, > >> On 21 Jan 2019, at 09:49, Emmanuel Hocdet wrote: >> >> BoringSSL does not have SSL_OP_NO_RENEGOTIATION and needs KeyUpdate to work. >> As a workaround, SSL_OP_NO_RENEGOTIATION c

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Emmanuel Hocdet
Hi, > On 21 Jan 2019 at 17:06, Emeric Brun wrote: > > Interesting, it would be good to skip the check using the same method. > > We must stay careful to not put the OP_NO_RENEG flag on the client part (when > haproxy connects to server), because reneg from server is authorized > but i

Re: haproxy reload terminated with master/worker

2019-01-08 Thread Emmanuel Hocdet
> On 8 Jan 2019 at 15:02, William Lallemand wrote: > > On Tue, Jan 08, 2019 at 02:03:22PM +0100, Tim Düsterhus wrote: >> Emmanuel, >> >> On 08.01.19 at 13:53, Emmanuel Hocdet wrote: >>> Without master/worker, haproxy reload works with an active waiting

haproxy reload terminated with master/worker

2019-01-08 Thread Emmanuel Hocdet
Hi, Without master/worker, haproxy reload works with an active wait (haproxy exec). With master/worker, kill -USR2 returns immediately: is there a way to know when the reload is finished? ++ Manu

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-01-08 Thread Emmanuel Hocdet
Hi Emeric, > On 7 Jan 2019 at 18:11, Emeric Brun wrote: > > Hi Manu, > > On 1/7/19 5:59 PM, Emmanuel Hocdet wrote: >> It's better with patches… >> >>> On 7 Jan 2019 at 17:57, Emmanuel Hocdet <m...@gandi.net> wrote: >

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-01-07 Thread Emmanuel Hocdet
It's better with patches… On 7 Jan 2019 at 17:57, Emmanuel Hocdet <m...@gandi.net> wrote: Hi, Following the first patch series (included). The goal is to deduplicate common certificates in memory and in shared pem files. PATCH 7/8 is only for boringssl (directive to dedup certificate in

[PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-01-07 Thread Emmanuel Hocdet
4.2.1.2. (1)) If you want to test it, the patch series can be applied to haproxy-dev or haproxy-1.9. Feedback is welcome :) ++ Manu > On 12 Dec 2018 at 12:23, Emmanuel Hocdet wrote: > > > Hi, > > I tried to improve the haproxy loading time with a lot of certificates, and

Re: [PATCH] ssl: factoring load cert/key and chains

2018-12-12 Thread Emmanuel Hocdet
Hi Julien, > On 12 Dec 2018 at 14:28, Julien Laffaye wrote: > > > On Wed, Dec 12, 2018 at 12:24 PM Emmanuel Hocdet <m...@gandi.net> wrote: > > Hi, > > I tried to improve the haproxy loading time with a lot of certificates, and > see a double f

[PATCH] ssl: factoring load cert/key and chains

2018-12-12 Thread Emmanuel Hocdet
Hi, I tried to improve the haproxy loading time with a lot of certificates, and saw a double file open for each certificate (one for the private key and one for the cert/chain). The multi-cert loading part does not have this issue and is a good candidate for sharing code: the patches are this work with

Re: HTTP/3 | daniel.haxx.se

2018-11-12 Thread Emmanuel Hocdet
Hi Aleks, > On 12 Nov 2018 at 18:02, Aleksandar Lazic wrote: > > Hi Manu. > > On 12.11.2018 at 16:19, Emmanuel Hocdet wrote: >> >> Hi, >> >> The primary (major) step should be to deal with QUIC transport (over UDP). >> At the same level as

Re: HTTP/3 | daniel.haxx.se

2018-11-12 Thread Emmanuel Hocdet
Hi, The primary (major) step should be to deal with QUIC transport (over UDP). At the same level as TCP for haproxy? Willy should already have a little idea on it ;-) ++ Manu > On 11 Nov 2018 at 20:38, Aleksandar Lazic wrote: > > Hi. > > FYI. > > Oh no, that was quite fast after HTTP/2

[PATCH] MINOR: generate-certificates for BoringSSL

2018-10-03 Thread Emmanuel Hocdet
Hi, For generate-certificates, X509V3_EXT_conf is used but it's a (very) old API call: X509V3_EXT_nconf must be preferred. OpenSSL compatibility is ok because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduced 5 years after X509V3_EXT_nconf. (BoringSSL only has X509V3_EXT_nconf)

Re: New TLS proposal for SNI => ESNI

2018-09-25 Thread Emmanuel Hocdet
Hi Aleks, > On 25 Sep 2018 at 08:05, Aleksandar Lazic wrote: > > Hi. > > Has anyone seen this? > > https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https > > It looks very interesting for higher privacy. > Yep. Also

Re: [ANNOUNCE] haproxy-1.9-dev2

2018-09-18 Thread Emmanuel Hocdet
> On 18 Sep 2018 at 11:54, Lukas Tribus wrote: > > Hi Manu, > > > On Fri, 14 Sep 2018 at 15:45, Emmanuel Hocdet wrote: >> >> Hi, >> >> Quick test with 1.9-dev2, and I see latency (in seconds) to connect to >> haproxy with SSL (tcp mode)

Re: OpenSSL and per-context option problem

2018-09-17 Thread Emmanuel Hocdet
Hi Thierry, > On 15 Sep 2018 at 18:06, Thierry Fournier wrote: > > Hi, > > I tried to use per-context options, in order to enable HTTP2 for a short > list of SNI. I just add lines like this: > > /certif1.pem [alpn h2,http/1.1] my-h2-host.com > /certif2.pem my-other-host.com > >

Re: [ANNOUNCE] haproxy-1.9-dev2

2018-09-14 Thread Emmanuel Hocdet
Hi, Quick test with 1.9-dev2, and I see latency (in seconds) to connect to haproxy with SSL (tcp mode). It's ok in master with 9f9b0c6a. No time to investigate more for the moment. ++ Manu

Re: TLS 1.3 options available with OpenSSL 1.1.1

2018-09-14 Thread Emmanuel Hocdet
> On 14 Sep 2018 at 14:01, Dirkjan Bussink wrote: > > Hi all, > >> On 14 Sep 2018, at 12:18, Emmanuel Hocdet wrote: >> >> Same deal with boringssl, TLSv <= 1.2 ciphers configuration and TLSv1.3 >> ciphers are segregated. >>

Re: TLS 1.3 options available with OpenSSL 1.1.1

2018-09-14 Thread Emmanuel Hocdet
Hi Emeric, Lukas, Dirkjan > On 14 Sep 2018 at 11:12, Emeric Brun wrote: > > Hi Lukas, Dirkjan, > > On 09/13/2018 10:17 PM, Lukas Tribus wrote: >> Hello Dirkjan, >> >> >> On Thu, 13 Sep 2018 at 16:44, Dirkjan Bussink wrote: >>> So with a new API call, does that mean adding for example

[PATCH] BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1

2018-09-03 Thread Emmanuel Hocdet
Hi Lukas, Emeric, This patch fixes the issue. If you can check it. Thanks Manu Attachment: 0001-BUG-MEDIUM-ECC-cert-should-work-with-TLS-v1.2-and-op.patch

Re: BUG: ssl: regression with openssl 1.1.1 when using <= TLSv1.2

2018-09-03 Thread Emmanuel Hocdet
Hi Lukas, > On 2 Sep 2018 at 15:31, Lukas Tribus wrote: > On Sat, 1 Sep 2018 at 20:49, Lukas Tribus wrote: >>> I've confirmed the change in behavior only happens with an ECC >>> certificate, an RSA certificate is not affected. >> >> Just to confirm that this is still an actual problem

Re: [PATCH] MINOR: ssl: BoringSSL matches OpenSSL 1.1.0

2018-07-25 Thread Emmanuel Hocdet
On 25 Jul 2018 at 10:34, Emmanuel Hocdet <m...@gandi.net> wrote: Hi Willy On 24 Jul 2018 at 18:59, Willy Tarreau <w...@1wt.eu> wrote: Hi Manu, On Mon, Jul 23, 2018 at 06:12:34PM +0200, Emmanuel Hocdet wrote: Hi Willy, This patch is necessary to build with current BoringSSL (SSL_SE

Re: [PATCH] MINOR: ssl: BoringSSL matches OpenSSL 1.1.0

2018-07-25 Thread Emmanuel Hocdet
Hi Willy > On 24 Jul 2018 at 18:59, Willy Tarreau wrote: > > Hi Manu, > > On Mon, Jul 23, 2018 at 06:12:34PM +0200, Emmanuel Hocdet wrote: >> Hi Willy, >> >> This patch is necessary to build with current BoringSSL (SSL_SESSION is now >> opaque).

[PATCH] MINOR: ssl: BoringSSL matches OpenSSL 1.1.0

2018-07-23 Thread Emmanuel Hocdet
Hi Willy, This patch is necessary to build with current BoringSSL (SSL_SESSION is now opaque). BoringSSL correctly matches OpenSSL 1.1.0 since 3b2ff028 for haproxy needs. The patch reverts part of haproxy 019f9b10 (openssl-compat.h). This will not break openssl/libressl compat. Can you consider

Re: [PATCH] Re: Random crash (segfault, double free, ...) with a mix of SSL + cipherlist hash

2018-06-19 Thread Emmanuel Hocdet
> On 18 Jun 2018 at 15:54, Thierry Fournier wrote: > > I don't know. In fact it works, so it is not a bug. But, when I use the > reservation for an ex_data slot, it returns the slot 0, and this slot is > used for the compatibility layer and can crush some data. I conclude > that is a

Re: [PATCH] Re: Random crash (segfault, double free, ...) with a mix of SSL + cipherlist hash

2018-06-18 Thread Emmanuel Hocdet
> On 18 Jun 2018 at 15:30, Thierry Fournier wrote: > > > >> On 18 Jun 2018, at 14:37, Emmanuel Hocdet wrote: >> >>> >>> On 18 Jun 2018 at 10:43, Thierry Fournier wrote: >>> >>> >>>> On 1
