and voila:
0001-MINOR-ssl-add-ssl-skip-self-issued-ca-global-option.patch
> On 21 Apr 2020 at 10:58, William Lallemand wrote:
>
> On Fri, Apr 03, 2020 at 10:34:12AM +0200, Emmanuel Hocdet wrote:
>>
>>> On 31 Mar 2020 at 18:40, William Lallemand wrote:
>>>
>>> On Thu, Mar 26, 2020 at 06:29:48PM +0
> On 31 Mar 2020 at 18:40, William Lallemand wrote:
>
> On Thu, Mar 26, 2020 at 06:29:48PM +0100, William Lallemand wrote:
>>
>> After some thinking and discussing with people involved in this part of
>> HAProxy, I'm not feeling very comfortable with setting this behavior by
>> default, on
> On 26 Mar 2020 at 14:11, Илья Шипицин wrote:
>
>
>
> Thu, 26 Mar 2020 at 17:27, Emmanuel Hocdet <m...@gandi.net>:
>
> > On 26 Mar 2020 at 13:02, Илья Шипицин <chipits...@gmail.com> wrote:
> >
> On 26 Mar 2020 at 13:02, Илья Шипицин wrote:
>
> RootCA is needed if you send cross certificate as well.
>
> It is very rare but legitimate case
It’s only for self issued CA, it should be safe, right?
Hi,
Patch rebased from master.
> On 6 Mar 2020 at 17:06, Emmanuel Hocdet wrote:
>
> Hi,
>
>
> Patch proposal.
> I will update the documentation if this feature is approved.
>
++
Manu
0001-MINOR-ssl-skip-self-issued-CA-in-cert-chain-for-ssl_.patch
Hi,
This patch removes the #ifdef compatibility for adding the cert chain to CTX; the goal is to simplify the code.
It's an extract from the "[PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx" proposal.
++
Manu
0001-MINOR-ssl-rework-add-cert-chain-to-CTX-to-be-libssl-.patch
> On 23 Mar 2020 at 15:12, William Lallemand wrote:
>
> On Mon, Mar 23, 2020 at 02:50:03PM +0100, Emmanuel Hocdet wrote:
>>
>> As discussed in #559
>>
>
> Can't we return directly a STACK_OF(X509)* structure instead of the
> struct issuer_chain *
As discussed in #559
0001-CLEANUP-ssl-rename-ssl_get_issuer_chain-to-ssl_get0_.patch
Hi,
This issue was introduced by #516.
find_chain must not be freed.
patch attached.
> On 21 Mar 2020 at 15:23, Илья Шипицин wrote:
>
> Hello,
>
> I attached a patch that fixes the memory leak described in #559
>
++
Manu
0001-BUG-MINOR-ssl-memory-leak-when-find_chain-is-NULL.patch
Hi,
Patch proposal.
I will update the documentation if this feature is approved.
++
Manu
0001-MINOR-ssl-skip-self-issued-CA-in-cert-chain-for-ssl_.patch
Hi,
"ca-no-names-file" renamed to "ca-verify-file"
++
Manu
0001-MINOR-ssl-add-ca-verify-file-directive.patch
Rebase from dev branch: (https://github.com/haproxy/haproxy/issues/404)
++
Manu
On 20 Dec 2019 at 17:00, Emmanuel Hocdet <m...@gandi.net> wrote:
patch update,
On 19 Dec 2019 at 17:08, Emmanuel Hocdet <m...@gandi.net> wrote:
With this proposition, ca-root-file should be renamed to somet
Hi,
On 18 Feb 2020 at 17:49, Emmanuel Hocdet <m...@gandi.net> wrote:
Yes. Showing the chain-filename would be very helpful.
For that I think a good way would be to keep ckch->chain and ckch->issuer with value (or NULL) from PEM/, and resolve chain and ocsp_issuer when needed. "s
Hi,
On 18 Feb 2020 at 11:45, Emmanuel Hocdet <m...@gandi.net> wrote:
I think we will probably need more information in the "show ssl cert" output in the future so the users can debug this kind of feature easily.
Yes. Showing the chain-filename would be very helpful.
For that I think
> On 18 Feb 2020 at 14:36, William Lallemand wrote:
>
> On Tue, Feb 18, 2020 at 01:58:39PM +0100, Emmanuel Hocdet wrote:
>>
>>> On 18 Feb 2020 at 11:45, Emmanuel Hocdet wrote:
>>>
>>>> Can you add a little bit of explanation on
On 18 Feb 2020 at 11:45, Emmanuel Hocdet <m...@gandi.net> wrote:
Can you add a little bit of explanation on how the discovery of the issuer is done in the documentation?
ok
documentation updated:
0001-MINOR-ssl-add-issuers-chain-path-directive.patch
Hi William
> On 14 Feb 2020 at 15:59, William Lallemand wrote:
>
> On Fri, Feb 14, 2020 at 03:25:48PM +0100, Emmanuel Hocdet wrote:
>> Hi,
>>
>> Is there any hope that this proposal will be considered before HAProxy 2.2?
>>
>> ++
>> Manu
Hi,
Is there any hope that this proposal will be considered before HAProxy 2.2?
++
Manu
> On 31 Jan 2020 at 16:06, Emmanuel Hocdet wrote:
>
>
>> On 31 Jan 2020 at 12:22, Emmanuel Hocdet wrote:
>
>>
>> I will send a new patch for « issuers
Hi William,
> On 27 Jan 2020 at 16:55, Emmanuel Hocdet wrote:
>>
>> With 'ssl crt foo.pem chain bar.pem', or crt-list with 'foo.pem [chain
>> bar.pem]',
>> deduplicating chain looks like deduplicating ca-file.
>> Finding ocsp_issuer with this chain doesn't w
Hi William,
>
> With 'ssl crt foo.pem chain bar.pem', or crt-list with 'foo.pem [chain
> bar.pem]',
> deduplicating chain looks like deduplicating ca-file.
> Finding ocsp_issuer with this chain doesn't work directly, but it seems doable.
> For CLI, reloading the cert when the chain is updated seems also
> On 24 Jan 2020 at 16:38, William Lallemand wrote:
>
> On Fri, Jan 24, 2020 at 01:22:05PM +0100, Emmanuel Hocdet wrote:
>>
>> Hi William,
>>
> Hello Manu!
>
>>> On 23 Jan 2020 at 16:20, William Lallemand wrote:
Hi Tim,
> On 23 Jan 2020 at 17:21, Tim Düsterhus wrote:
>
> Manu,
>
> On 21.01.20 at 12:42, Emmanuel Hocdet wrote:
>> Patches updated, depend on "[PATCH] BUG/MINOR: ssl:
>> ssl_sock_load_pem_into_ckch is not consistent"
>
> Out of curiosity:
Hi William,
> On 23 Jan 2020 at 16:20, William Lallemand wrote:
>
> On Tue, Jan 21, 2020 at 12:42:04PM +0100, Emmanuel Hocdet wrote:
>> Hi,
>>
>> Patches updated, depend on "[PATCH] BUG/MINOR: ssl:
>> ssl_sock_load_pem_into_ckch is not consistent&q
Following discussion from "[PATCH] BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch
is not consistent".
0001-BUG-MINOR-ssl-ocsp_issuer-must-be-set-in-the-right-w.patch
> On 23 Jan 2020 at 11:19, William Lallemand wrote:
>
> On Wed, Jan 22, 2020 at 05:22:51PM +0100, Emmanuel Hocdet wrote:
>>
>>> On 22 Jan 2020 at 15:56, William Lallemand wrote:
>>>
>> Indeed, and the case of ckch->ocsp_issuer
> On 22 Jan 2020 at 15:56, William Lallemand wrote:
>
> On Mon, Jan 20, 2020 at 05:13:13PM +0100, Emmanuel Hocdet wrote:
>>
>> Hi,
>>
>> Proposal to fix the issue.
>>
>
> The purpose at the beginning was to be able to keep a .dh / .ocsp et
Hi,
Patches updated, depend on "[PATCH] BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent"
++
Manu
On 10 Apr 2019 at 13:23, Emmanuel Hocdet <m...@gandi.net> wrote:
Hi,
Updated patch series:
Fix OpenSSL < 1.0.2 compatibility.
More generic key for issuers ebtree.
++
Manu
Hi,
A last patch for today.
++
Manu
0001-MINOR-ssl-accept-verify-bind-option-with-set-ssl-cer.patch
Hi,
Proposal to fix the issue.
++
Manu
0001-BUG-MINOR-ssl-ssl_sock_load_pem_into_ckch-is-not-con.patch
Hi,
Fix memory leaks with "set ssl cert".
++
Manu
0001-BUG-MINOR-ssl-ssl_sock_load_ocsp_response_from_file-.patch
0002-BUG-MINOR-ssl-ssl_sock_load_issuer_file_into_ckch-me.patch
patch update,
On 19 Dec 2019 at 17:08, Emmanuel Hocdet <m...@gandi.net> wrote:
With this proposition, ca-root-file should be renamed to something like ca-end-file.
Refer to the https://github.com/haproxy/haproxy/issues/404 discussion.
On 19 Dec 2019 at 13:10, Emmanuel Hocdet <m...@gandi.net>
With this proposition, ca-root-file should be renamed to something like
ca-end-file.
Refer to the https://github.com/haproxy/haproxy/issues/404 discussion.
> On 19 Dec 2019 at 13:10, Emmanuel Hocdet wrote:
>
>
> Hi
Hi,
The purpose of this patch is to fix #404 and keep compatibility with the actual
"ca-file" directive for bind line.
++
Manu
0001-MINOR-ssl-add-ca-root-file-directive.patch
Hi,
Address #394.
++
Manu
0001-BUG-MINOR-ssl-certificate-choice-can-be-unexpected-w.patch
Hi,
> On 2 Dec 2019 at 08:12, William Lallemand wrote:
>
> It seems to have broken the build on centos 6, could you take a look at this
> ticket?
>
> https://github.com/haproxy/haproxy/issues/385
>
>
Fix tested with openssl 1.0.1
++
Manu
Hi,
A forgotten fix, comment updated.
++
Manu
0001-BUG-MINOR-ssl-fix-SSL_CTX_set1_chain-compatibility-f.patch
Hi,
> On 27 Nov 2019 at 03:46, Willy Tarreau wrote:
>
>> @@ -5046,7 +5046,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf,
>> struct ssl_bind_conf *ssl_
>> NULL);
>>
>> if (ecdhe == NULL) {
>> +#if defined(SSL_CTX_set_ecdh_auto)
>>
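Review bot: `#if defined(SSL_CTX_set_ecdh_auto)` only detects a preprocessor macro, so on a libssl that exports SSL_CTX_set_ecdh_auto as a real function (BoringSSL does) the guarded block is silently compiled out even though the call is available; if that is the intent, say so in a comment next to the `#if`, otherwise test a library version or a configure-time feature macro rather than `defined()` on a function name.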
Hi William,
> On 22 Nov 2019 at 17:34, William Lallemand wrote:
>
> Hi Manu,
>
> I have a few questions/remarks below:
>
>> Subject: [PATCH 1/3] MINOR: ssl: deduplicate ca-file
>> [...]
>>
>> +static int ssl_store_load_locations_file(X509_STORE **store_ptr, char *path)
>> +{
>> +
Fix bad merge from my branch,
> On 22 Nov 2019 at 11:35, Emmanuel Hocdet wrote:
>
>
> Patches update with compat lib-ssl and crl-file.
> Deduplicating verify-stuff in memory will prevent file access when updating a
> certificate with CLI.
0001-MINOR-ssl-dedupli
Hi,
> On 29 Oct 2019 at 07:59, Willy Tarreau wrote:
>
> Please, let's revisit this after the release. The only people able to
> have a look at this and to have an opinion on it are all busy finishing
> this release.
>
Patches update with compat lib-ssl and crl-file.
Deduplicate
Hi,
Very difficult to trigger the bug, except with a specific test configuration like:
crt-list:
cert.pem !www.dom.tld
cert.pem *.dom.tld
If you can consider the patch.
Thanks
Manu
0001-BUG-MINOR-ssl-fix-crt-list-neg-filter-for-openssl-1..patch
Hi,
If you can consider the patch (related to CLI cert update)
Thanks
Manu
0001-BUG-MINOR-ssl-ssl_pkey_info_index-ex_data-can-store-.patch
Hi,
Add a second patch to address the ca-list case.
++
Manu
> On 24 Oct 2019 at 12:14, Emmanuel Hocdet wrote:
>
> Hi,
>
> Little patch with big win when ca-file is used in server line.
>
> ++
> Manu
>
> <0001-MINOR-ssl-deduplicate-ca-file.patch>
>
Hi,
Little patch with big win when ca-file is used in server line.
++
Manu
0001-MINOR-ssl-deduplicate-ca-file.patch
> On 27 Sep 2019 at 12:23, Geoff Simmons wrote:
>
> On 9/26/19 19:27, Emmanuel Hocdet wrote:
>
>>> And I wonder if there are situations in which someone will want to
>>> specifically choose one source of truth for authority over the other.
>>>
> On 26 Sep 2019 at 18:10, Geoff Simmons wrote:
>
> On 9/26/19 11:43, Emmanuel Hocdet wrote:
>>
>> Proposal reworking after playing with "authority" and looking at how "src
>> "/"dst" are working.
>>
>> "Authority" can come from transpor
Hi Tim,
> On 26 Sep 2019 at 15:11, Tim Düsterhus wrote:
>
> Manu,
>
> On 26.09.19 at 11:43, Emmanuel Hocdet wrote:
>> Included my patch for that proposal. (could be split with comments from this
>> mail)
>
> Did you forget to actually attach the patch
Hi,
Proposal reworking after playing with "authority" and looking at how "src"/"dst" are working.
"Authority" can come from transport layer (TLS), ProxyV2 TLV or "set-authority".
"src/dst" is set from transport layer (TCP), overwritten by Proxy-protocol and "set-{src,dst}".
I propose to do the
Hi,
Please consider this patch.
Thanks
Manu
0001-BUG-MINOR-build-fix-event-ports-Solaris.patch
patch update with bug fix
> On 10 Sep 2019 at 14:19, Emmanuel Hocdet wrote:
>
>
> Hi,
>
> Included, my first proposal for "set-authority" action, to set
> custom "authority" sample fetch.
>
> Use case could be to use "sni authority" in
Hi,
Included, my first proposal for "set-authority" action, to set
custom "authority" sample fetch.
Use case could be to use "sni authority" in server line.
For "proxy-v2-options authority", authority is picked from custom
authority ("set-authority"), ppv2 authority or ssl_fc_sni.
Sample
> On 31 Aug 2019 at 12:29, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Thu, Aug 29, 2019 at 03:22:11PM +0200, Emmanuel Hocdet wrote:
>> This patch follows Geoff's patch.
>
> Thanks for this. I didn't remember we automatically copied the SNI
> into the PP. I'm s
Hi,
This patch follows Geoff's patch.
++
Manu
0001-MINOR-send-proxy-v2-sends-authority-TLV-according-to.patch
Hi Geoff,
For:
>
> @@ -630,6 +631,17 @@ int conn_recv_proxy(struct connection *conn, int flag)
> conn->proxy_netns = ns;
> break;
> }
> +
> + case
> On 22 Aug 2019 at 14:40, Willy Tarreau wrote:
>
> On Thu, Aug 22, 2019 at 11:36:00AM +0200, Geoff Simmons wrote:
>
>> I suspect that there are other ways that the authority TLV can be useful
>> for haproxy besides the specific Varnish case. Someone connecting via
>> TLS, for example,
Hi Geoff, Willy
Great to see TLS onloader continue.
> On 22 Aug 2019 at 16:33, Geoff Simmons wrote:
>
> On 8/22/19 14:40, Willy Tarreau wrote:
>>
>>> I would suggest naming it something like fc_authority or
>>> fc_pp_authority, to be specific about where it came from.
>
> Since you
Hi,
Two patches to fix (and simplify) 0-RTT for BoringSSL.
If you can consider them.
++
Manu
0001-BUG-MINOR-ssl-fix-0-RTT-for-BoringSSL.patch
0002-MINOR-ssl-ssl_fc_has_early-should-work-for-BoringSSL.patch
Hi Willy,
On 1 Aug 2019 at 10:07, Willy Tarreau wrote:
Hi Manu,
On Travis CI there was a fairly recent regression on BoringSSL which happened between 03e09f3 and a7a0f99 a day ago. It breaks on definition of EVP_PKEY_base_id() in openssl-compat.h, which was not modified, and I guess
Hi,
This patch is an update to follow Lukas's one.
Only the BoringSSL case is addressed, because I tested it for BoringSSL.
It could be used by LibreSSL for "dontlognull" to work.
++
Manu
0001-BUG-MINOR-ssl-no-empty-handshake-detection-for-Borin.patch
> On 4 Jul 2019 at 18:55, Илья Шипицин wrote:
>
> Can you provide some comments around the code?
>
> I think almost nobody can read such code
>
> Thu, 4 Jul 2019 at 21:17, Emmanuel Hocdet <m...@gandi.net>:
> Hi,
>
> This thread reminds
Hi,
This thread reminds me that with BoringSSL empty (and abort) handshake is not
set.
After tests, BoringSSL seems to have a simpler case.
I sent a patch to fix that.
For OpenSSL <= 1.0.2, revert is the thing to do.
For LibreSSL, including it with the BoringSSL case could be ok (with my patch).
With
Hi,
This patch fixes the BoringSSL case.
++
Manu
0001-BUG-MINOR-ssl-empty-handshake-detection-for-BoringSS.patch
Hi,
no more leak after "BUG/MINOR: memory: Set objects size for pools in the
per-thread cache"
++
Manu
> On 5 Jun 2019 at 16:13, Emmanuel Hocdet wrote:
>
>
>> On 5 Jun 2019 at 16:07, Emmanuel Hocdet <m...@gandi.net> wrote:
>>
> On 5 Jun 2019 at 16:07, Emmanuel Hocdet wrote:
>
> Hi Frederic
>
>> On 5 Jun 2019 at 15:44, Frederic Lecaille <flecai...@haproxy.com> wrote:
>>
>> On 6/5/19 3:06 PM, Emmanuel Hocdet wrote:
>>> Hi,
>>
>>
Hi Frederic
> On 5 Jun 2019 at 15:44, Frederic Lecaille wrote:
>
> On 6/5/19 3:06 PM, Emmanuel Hocdet wrote:
>> Hi,
>
> Hi Emmanuel,
>
>> After switching to haproxy 1.9 with threads activated, I noticed a
>> significant memory leak.
>
> I
Hi,
After switching to haproxy 1.9 with threads activated, I noticed a significant
memory leak.
With threads disabled (and bind process omitted) the leak disappears.
This seems to be related to stick-table/peers with regard to the (simplified)
configuration.
++
Manu
ENV:
HA-Proxy version 1.9.8-1
Hi,
Simple cleanup to limit #defined inflation.
++
Manu
0001-CLEANUP-ssl-remove-unneeded-defined-OPENSSL_IS_BORIN.patch
Hi,
Updated patch series:
Fix OpenSSL < 1.0.2 compatibility.
More generic key for issuers ebtree.
++
Manu
0001-REORG-ssl-promote-cert_key_and_chain-handling.patch
0002-MINOR-ssl-use-STACK_OF-for-chain-certs.patch
> On 5 Apr 2019 at 13:05, William Lallemand wrote:
>
> On Fri, Apr 05, 2019 at 12:55:11PM +0200, Emmanuel Hocdet wrote:
>>
>> Hi,
>>
>> To test deinit, I came across this:
>>
>> # /srv/sources/haproxy/haproxy -f /etc/haproxy/ssl.cfg -d -x
Hi,
If you can consider this patch.
BoringSSL actually mimics OpenSSL 1.1.0 and has OPENSSL_VERSION_NUMBER set
accordingly.
++
Manu
0001-MINOR-ssl-Activate-aes_gcm_dec-converter-for-BoringS.patch
> On 9 Apr 2019 at 09:58, Aleksandar Lazic wrote:
>
> Hi Manu.
>
> On 05.04.2019 at 12:36, Emmanuel Hocdet wrote:
>> Hi Aleks,
>>
>> Thank you for having integrated BoringSSL!
>>
>>> On 29 Mar 2019 at 14:51, Aleksandar Lazic >> <
Hi,
To test deinit, I came across this:
# /srv/sources/haproxy/haproxy -f /etc/haproxy/ssl.cfg -d -x
/run/haproxy_ssl.sock -sf 15716
log on 15716 process:
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test
Hi Aleks,
Thank you for having integrated BoringSSL!
> On 29 Mar 2019 at 14:51, Aleksandar Lazic wrote:
>
> On 29.03.2019 at 14:25, Willy Tarreau wrote:
>> Hi Aleks,
>>
>> On Fri, Mar 29, 2019 at 02:09:28PM +0100, Aleksandar Lazic wrote:
>>> With openssl are 2 tests failed but I'm not sure
> On 21 Jan 2019 at 19:31, Adam Langley wrote:
>
> On Mon, Jan 21, 2019 at 10:16 AM Dirkjan Bussink wrote:
>> Ah ok, I recently added support in HAProxy to handle the new
>> SSL_CTX_set_ciphersuites option since OpenSSL handles setting TLS 1.3
>> ciphers separate from the regular ones.
> On 21 Jan 2019 at 19:07, Dirkjan Bussink wrote:
>
> Hi Manu,
>
>> On 21 Jan 2019, at 09:49, Emmanuel Hocdet wrote:
>>
>> Boringssl does not have SSL_OP_NO_RENEGOTIATION and needs KeyUpdate to work.
>> As a workaround, SSL_OP_NO_RENEGOTIATION c
Hi,
> On 21 Jan 2019 at 17:06, Emeric Brun wrote:
>
> Interesting, it would be good to skip the check using the same method.
>
> We must stay careful to not put the OP_NO_RENEG flag on the client part (when
> haproxy connects to server), because reneg from server is authorized
> but i
> On 8 Jan 2019 at 15:02, William Lallemand wrote:
>
> On Tue, Jan 08, 2019 at 02:03:22PM +0100, Tim Düsterhus wrote:
>> Emmanuel,
>>
>> On 08.01.19 at 13:53, Emmanuel Hocdet wrote:
>>> Without master/worker, haproxy reload works with an active waiting
Hi,
Without master/worker, haproxy reload works with an active waiting (haproxy
exec).
With master/worker, kill -USR2 returns immediately: is there a way to know when
the reload is finished?
++
Manu
Hi Emeric,
> On 7 Jan 2019 at 18:11, Emeric Brun wrote:
>
> Hi Manu,
>
> On 1/7/19 5:59 PM, Emmanuel Hocdet wrote:
>> It's better with patches…
>>
>>> On 7 Jan 2019 at 17:57, Emmanuel Hocdet <m...@gandi.net> wrote:
>
It's better with patches…
On 7 Jan 2019 at 17:57, Emmanuel Hocdet <m...@gandi.net> wrote:
Hi,
Following the first patch series (included).
The goal is to deduplicate common certificates in memory and in shared pem files.
PATCH 7/8 is only for boringssl (directive to dedup certificate in
4.2.1.2. (1))
If you want to test it, the patch series can be applied to haproxy-dev or
haproxy-1.9.
Feedbacks are welcome :)
++
Manu
> On 12 Dec 2018 at 12:23, Emmanuel Hocdet wrote:
>
>
> Hi,
>
> I tried to improve the haproxy loading time with a lot of certificates, and
Hi Julien,
> On 12 Dec 2018 at 14:28, Julien Laffaye wrote:
>
>
> On Wed, Dec 12, 2018 at 12:24 PM Emmanuel Hocdet <m...@gandi.net> wrote:
>
> Hi,
>
> I tried to improve the haproxy loading time with a lot of certificates, and
> see a double f
Hi,
I tried to improve the haproxy loading time with a lot of certificates, and saw
a double file
open for each certificate (one for private-key and one for the cert/chain).
The multi-cert loading part does not have this issue and is a good candidate for sharing
code:
patches is this work with
Hi Aleks,
> On 12 Nov 2018 at 18:02, Aleksandar Lazic wrote:
>
> Hi Manu.
>
> On 12.11.2018 at 16:19, Emmanuel Hocdet wrote:
>>
>> Hi,
>>
>> The primary (major) step should be to deal with QUIC transport (over UDP).
>> At the same level as
Hi,
The primary (major) step should be to deal with QUIC transport (over UDP).
At the same level as TCP for haproxy?
Willy should already have a little idea on it ;-)
++
Manu
> On 11 Nov 2018 at 20:38, Aleksandar Lazic wrote:
>
> Hi.
>
> FYI.
>
> Oh no, that was quite fast after HTTP/2
Hi,
For generate-certificates, X509V3_EXT_conf is used but it's a (very) old API
call: X509V3_EXT_nconf must be preferred. OpenSSL compatibility is ok
because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduced 5
years after X509V3_EXT_nconf.
(BoringSSL only has X509V3_EXT_nconf)
Hi Aleks,
> On 25 Sep 2018 at 08:05, Aleksandar Lazic wrote:
>
> Hi.
>
> Have anyone seen this?
>
> https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https
>
> It looks very interesting for higher privacy.
>
Yep.
Also
> On 18 Sep 2018 at 11:54, Lukas Tribus wrote:
>
> Hi Manu,
>
>
> On Fri, 14 Sep 2018 at 15:45, Emmanuel Hocdet wrote:
>>
>> Hi,
>>
>> Quick test with 1.9-dev2, and I see latency (in seconds) to connect to
>> haproxy with SSL (tcp mode)
Hi Thierry,
> On 15 Sep 2018 at 18:06, Thierry Fournier wrote:
>
> Hi,
>
> I tried to use per-context options, in order to enable HTTP2 for a short
> list of SNI. I just add lines like this:
>
> /certif1.pem [alpn h2,http/1.1] my-h2-host.com
> /certif2.pem my-other-host.com
>
>
Hi,
Quick test with 1.9-dev2, and I see latency (in seconds) to connect to haproxy
with SSL (tcp mode).
It’s ok in master with 9f9b0c6a.
No time to investigate more for the moment.
++
Manu
> On 14 Sep 2018 at 14:01, Dirkjan Bussink wrote:
>
> Hi all,
>
>> On 14 Sep 2018, at 12:18, Emmanuel Hocdet wrote:
>>
>> Same deal with boringssl, TLSv <= 1.2 ciphers configuration and TLSv1.3
>> ciphers are segregated.
>>
Hi Emeric, Lukas, Dirkjan
> On 14 Sep 2018 at 11:12, Emeric Brun wrote:
>
> Hi Lukas, Dirkjan,
>
> On 09/13/2018 10:17 PM, Lukas Tribus wrote:
>> Hello Dirkjan,
>>
>>
>> On Thu, 13 Sep 2018 at 16:44, Dirkjan Bussink wrote:
>>> So with a new API call, does that mean adding for example
Hi Lukas, Emeric
This patch fixes the issue. If you can check it.
Thanks
Manu
0001-BUG-MEDIUM-ECC-cert-should-work-with-TLS-v1.2-and-op.patch
Hi Lukas,
> On 2 Sep 2018 at 15:31, Lukas Tribus wrote:
> On Sat, 1 Sep 2018 at 20:49, Lukas Tribus wrote:
>>> I've confirmed the change in behavior only happens with an ECC
>>> certificate, an RSA certificate is not affected.
>>
>> Just to confirm that this is still an actual problem
On 25 Jul 2018 at 10:34, Emmanuel Hocdet <m...@gandi.net> wrote:
Hi Willy
On 24 Jul 2018 at 18:59, Willy Tarreau <w...@1wt.eu> wrote:
Hi Manu,
On Mon, Jul 23, 2018 at 06:12:34PM +0200, Emmanuel Hocdet wrote:
Hi Willy,
This patch is necessary to build with current BoringSSL (SSL_SE
Hi Willy
> On 24 Jul 2018 at 18:59, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Mon, Jul 23, 2018 at 06:12:34PM +0200, Emmanuel Hocdet wrote:
>> Hi Willy,
>>
>> This patch is necessary to build with current BoringSSL (SSL_SESSION is now
>> opaque).
Hi Willy,
This patch is necessary to build with current BoringSSL (SSL_SESSION is now
opaque).
BoringSSL correctly matches OpenSSL 1.1.0 since 3b2ff028 for haproxy needs.
The patch reverts part of haproxy 019f9b10 (openssl-compat.h).
This will not break openssl/libressl compat.
Can you consider
> On 18 Jun 2018 at 15:54, Thierry Fournier wrote:
>
> I don't know. In fact it works, so it is not a bug. But, when I use the
> reservation for an ex_data slot, it returns the slot 0, and this slot is
> used for the compatibility layer and can crush some data. I conclude
> that is a
> On 18 Jun 2018 at 15:30, Thierry Fournier wrote:
>
>
>
>> On 18 Jun 2018, at 14:37, Emmanuel Hocdet wrote:
>>
>>>
>>> On 18 Jun 2018 at 10:43, Thierry Fournier wrote:
>>>
>>>
>>>> On 1