Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-23 Thread Janusz Dziemidowicz
śr., 23 sty 2019 o 11:53 Janusz Dziemidowicz napisał(a): > 1.14.2 is current version in Debian testing. Debian seems reluctant to > use "mainline" nginx versions (1.15.x) so 1.14.x might end in Debian > 10. I'll try to file Debian bug report later today. https://bugs

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-23 Thread Janusz Dziemidowicz
n Debian testing. Debian seems reluctant to use "mainline" nginx versions (1.15.x) so 1.14.x might end in Debian 10. I'll try to file Debian bug report later today. -- Janusz Dziemidowicz

Re: haproxy 1.9.2 with boringssl

2019-01-22 Thread Janusz Dziemidowicz
penssl s_client -connect HOST:PORT (openssl >= 1.1.1) Just type 'K' and press enter. If the server is broken then connection will be aborted. www.github.com:443, currently broken: read R BLOCK K KEYUPDATE read R BLOCK read:errno=0 mail.google.com:443, working: read R BLOCK K KEYUPDATE -- Janusz Dziemidowicz

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Janusz Dziemidowicz
o don't support TLS 1.3 And just for reference, I've found Chrome bug with this problem (as I am interested when this will get enabled to keep all my systems updated) https://bugs.chromium.org/p/chromium/issues/detail?id=923685 -- Janusz Dziemidowicz

Re: State of 0-RTT TLS resumption with OpenSSL

2019-01-08 Thread Janusz Dziemidowicz
which might warrant some updates to documentation about allow-0rtt option? -- Janusz Dziemidowicz

Re: State of 0-RTT TLS resumption with OpenSSL

2019-01-04 Thread Janusz Dziemidowicz
pled with early data this is exactly something that TLS 1.3 RFC warns against. This probably is due to haproxy using external session management. I'll try to dig more into this on weekend, now that I know where to look. -- Janusz Dziemidowicz

Re: State of 0-RTT TLS resumption with OpenSSL

2019-01-03 Thread Janusz Dziemidowicz
aproxy with TLS session handling. -- Janusz Dziemidowicz

State of 0-RTT TLS resumption with OpenSSL

2018-12-30 Thread Janusz Dziemidowicz
must call SSL_set_max_early_data with the amount of bytes it is willing to read. The above simply does... nothing. Is it supposed to work at all or do I miss something? ;) -- Janusz Dziemidowicz

Re: Connections stuck in CLOSE_WAIT state with h2

2018-08-02 Thread Janusz Dziemidowicz
n. Sorry for being late, but 1.8.13 fixes the CLOSE_WAIT problem for me too :) Now I have to dig into protocol errors I get when enabling h2, but this will probably happen next week. I will create a new thread for this. -- Janusz Dziemidowicz

Re: Connections stuck in CLOSE_WAIT state with h2

2018-07-20 Thread Janusz Dziemidowicz
tting in CLOSE_WAIT for over 30 minutes). Since I'm also affected by SPDY_PROTOCOL_ERROR I mentioned earlier I must disable h2 now. -- Janusz Dziemidowicz

Re: SSL: double free on reload

2018-07-16 Thread Janusz Dziemidowicz
is another free that I failed to detect. > > Are you able to trigger this on a trivial config ? Maybe it only happens > when certain features you have in your config are enabled ? I've reported this some time ago :) https://www.mail-archive.com/haproxy@formilux.org/msg30093.html -- Janusz Dziemidowicz

Re: Connections stuck in CLOSE_WAIT state with h2

2018-06-15 Thread Janusz Dziemidowicz
error_code = "5 (STREAM_CLOSED)" --> stream_id = 129 However I'm pretty sure I was doing exactly the same yesterday and had no such problem. Anyway, I'm reverting back to clean 1.8.9 and h2 handled by nghttpx. I'd prefer not to do any more tests before Monday ;) -- Janusz Dziemidowicz

Re: Connections stuck in CLOSE_WAIT state with h2

2018-06-15 Thread Janusz Dziemidowicz
2018-06-14 19:49 GMT+02:00 Willy Tarreau : > On Thu, Jun 14, 2018 at 07:22:34PM +0200, Janusz Dziemidowicz wrote: >> 2018-06-14 18:56 GMT+02:00 Willy Tarreau : >> >> > If you'd like to run a test, I'm attaching the patch. >> >> Sure, but you forgot to attach it

Re: Connections stuck in CLOSE_WAIT state with h2

2018-06-14 Thread Janusz Dziemidowicz
2018-06-14 18:56 GMT+02:00 Willy Tarreau : > If you'd like to run a test, I'm attaching the patch. Sure, but you forgot to attach it :) -- Janusz Dziemidowicz

Re: Connections stuck in CLOSE_WAIT state with h2

2018-06-14 Thread Janusz Dziemidowicz
:443 MY_IP:54514 CLOSE_WAIT 538049/haproxy haproxy logs (I have dontlognormal enabled): https://pastebin.com/sUsa6jNQ -- Janusz Dziemidowicz

Re: Connections stuck in CLOSE_WAIT state with h2

2018-06-14 Thread Janusz Dziemidowicz
,UP,200,2,0,,0,15377,0,,1,4,0,,373309,,1,14,,3320,368563,1101,0,1873,12008383545,27962,0,0,0,0,0,0,,,0,18,5,1763433,,http,roundrobin,,, -- Janusz Dziemidowicz

Re: Connections stuck in CLOSE_WAIT state with h2

2018-06-13 Thread Janusz Dziemidowicz
2018-06-13 19:14 GMT+02:00 Willy Tarreau : > On Wed, Jun 13, 2018 at 07:06:58PM +0200, Janusz Dziemidowicz wrote: >> 2018-06-13 14:42 GMT+02:00 Willy Tarreau : >> > Hi Milan, hi Janusz, >> > >> > thanks to your respective traces, I may have come up with

Re: Connections stuck in CLOSE_WAIT state with h2

2018-06-13 Thread Janusz Dziemidowicz
SE_WAIT sockets still accumulate if I switch native h2 on. Milan should probably double check this though. https://pasteboard.co/HpJj72H.png I'll try move some low traffic site to a separate instance tomorrow, maybe I'll be able to capture some traffic too. -- Janusz Dziemidowicz

Re: Connections stuck in CLOSE_WAIT state with h2

2018-05-24 Thread Janusz Dziemidowicz
stats, etc.), but I've been stripping it down and down and what I've attached is still producing this issue for me. Anyway, I'll do another round of experiments (without tfo) tomorrow. -- Janusz Dziemidowicz

Connections stuck in CLOSE_WAIT state with h2

2018-05-24 Thread Janusz Dziemidowicz
ansparent ssl alpn h2,http/1.1 curves X25519:P-256 tls-ticket-keys FILE crt FILE http-request set-header X-Forwarded-For %ci unless LOCALHOST http-request set-header X-Forwarded-Proto https unless { dst_port 80 } http-request set-header X-Forwarded-Proto http if { dst_port 80 } default_backend php -- Janusz Dziemidowicz

Process crash on reload with TLS tickets

2018-05-23 Thread Janusz Dziemidowicz
OK Total: 3 (3 usable), will use epoll. Available filters : [SPOE] spoe [COMP] compression [TRACE] trace -- Janusz Dziemidowicz

Re: [PATCH] Clear OpenSSL error stack after trying to parse OCSP file

2017-03-10 Thread Janusz Dziemidowicz
ings for me). Maybe I'll find some time to look into this later. Regardless, this patch is rather safe and should probably be applied anyway, if there are no concerns about it (and probably backported to 1.7). -- Janusz Dziemidowicz

[PATCH] Clear OpenSSL error stack after trying to parse OCSP file

2017-03-08 Thread Janusz Dziemidowicz
Invalid OCSP file (for example empty one that can be used to enable OCSP response to be set dynamically later) causes errors that are placed on OpenSSL error stack. Those errors are not cleared so anything that checks this stack later will fail. Following configuration: bind :443 ssl crt

Re: SCT TLS extensions with 2 certificates

2017-01-09 Thread Janusz Dziemidowicz
//github.com/grahamedgecombe/nginx-ct/issues/13 And OpenSSL bug report: https://github.com/openssl/openssl/issues/2180 -- Janusz Dziemidowicz

Re: Problem with http-request set-src and send-proxy on 1.6

2016-11-18 Thread Janusz Dziemidowicz
2016-11-18 14:27 GMT+01:00 Janusz Dziemidowicz <rrapt...@nails.eu.org>: > listen default > bind : > http-request set-src req.hdr_ip(X-Forwarded-For) > server localhost 127.0.0.1:80 send-proxy Sorry, there are obviously two binds there: bind : bind :

Problem with http-request set-src and send-proxy on 1.6

2016-11-18 Thread Janusz Dziemidowicz
uilt with network namespace support Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. -- Janusz Dziemidowicz

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-19 Thread Janusz Dziemidowicz
on error. The new API "SSL_CTX_set_ecdh_auto" supports real negotiation, as it was always in the design of TLS. Client sends its curves list in the extension, server tries to find a matching curve from a list it supports. There are no clients "not supporting the neg". If the client supp

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-18 Thread Janusz Dziemidowicz
ssing documentation changes;) -- Janusz Dziemidowicz

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread Janusz Dziemidowicz
will work right now, but someday, somewhere in the future;) -- Janusz Dziemidowicz

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread Janusz Dziemidowicz
User can configure multiple curves if there is sufficiently new OpenSSL. Changes to the documentation would also be nice in the patch :) -- Janusz Dziemidowicz

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread Janusz Dziemidowicz
ieve this will also have a very fast implementation, so ability to configure more curves will probably be handy in near future. -- Janusz Dziemidowicz

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-14 Thread Janusz Dziemidowicz
OpenSSL. Probably the best would be to keep current default, so it all works consistently in default configuration, regardless of version of haproxy and OpenSSL. -- Janusz Dziemidowicz

Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16

2016-04-11 Thread Janusz Dziemidowicz
2016-04-09 2:15 GMT+02:00 Willy Tarreau <w...@1wt.eu>: > On Fri, Apr 08, 2016 at 03:15:22PM +0200, Janusz Dziemidowicz wrote: >> 2016-04-07 17:47 GMT+02:00 Willy Tarreau <w...@1wt.eu>: >> > If someone who can reliably reproduce the issue could check whether 1.6 has

Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16

2016-04-08 Thread Janusz Dziemidowicz
o test 1.6 next week and see what happens. -- Janusz Dziemidowicz

Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16

2016-04-04 Thread Janusz Dziemidowicz
2016-03-31 9:46 GMT+02:00 Janusz Dziemidowicz <rrapt...@nails.eu.org>: > About the CPU problem. Reverting 7610073a indeed fixes my problem. If > anyone has any idea what is the problem with this commit I am willing > to test patches:) > Some more details about my setup. All ser

Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16

2016-03-31 Thread Janusz Dziemidowicz
h makes tickets work properly in all cases. -- Janusz Dziemidowicz

Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16

2016-03-31 Thread Janusz Dziemidowicz
oss different processes. Are you sure that during your tests traffic hit at least two different processes? If a single one accepted all the connections then resumption with tickets will work, it will break as soon as another process accepts resumption attempt. -- Janusz Dziemidowicz

Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16

2016-03-30 Thread Janusz Dziemidowicz
is patch I'm kinda sure that it is irrelevant, but I might well be biased. Will try next thing tomorrow morning:) -- Janusz Dziemidowicz

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Janusz Dziemidowicz
ot;). There is no need to distribute anything apart this local file. The downside is that not all clients support this. -- Janusz Dziemidowicz

Re: Owncloud through Haproxy makes upload not possible

2015-11-19 Thread Janusz Dziemidowicz
server. If you are willing to limit your connection rate on a firewall to a few per second, then fine;) As for your problem. Now that it seems like SSL problem, can you just try with RSA 4096 or 2048? RSA 8192 is really not much tested in most code, so maybe the problem is in fact related. -- Janusz Dziemidowicz

Re: Owncloud through Haproxy makes upload not possible

2015-11-19 Thread Janusz Dziemidowicz
you want a state of the art cryptography you should probably use ECDSA certificate, it will be both faster and more secure. -- Janusz Dziemidowicz

Re: Owncloud through Haproxy makes upload not possible

2015-11-18 Thread Janusz Dziemidowicz
otherwise this whole header is ignored. See RFC7469 section 2.5. Also use tools in browsers, like Chrome net internals, to verify that it is correctly noted by the browser. -- Janusz Dziemidowicz

Re: haproxy 1.5.4 with ssl-bridging

2015-09-30 Thread Janusz Dziemidowicz
ement 1 and set custom HTTP header with client certificate details (search haproxy documentation for X-SSL-Client-CN for example). Your backend will not see client certificate in a SSL handshake, but can access the header for certificate information. -- Janusz Dziemidowicz

Re: [PATCH] Certificate Transparency support

2015-03-07 Thread Janusz Dziemidowicz
; + goto end; + } a call to chunk_destroy seems to be missing. For the rest, the patch has my approval. I'll send updated patch shortly. I've changed this so that SCTL is first parsed from trash and only then copied. Makes it a bit shorter. -- Janusz Dziemidowicz

Re: [PATCH] Certificate Transparency support

2015-03-06 Thread Janusz Dziemidowicz
(for example see certificate at https://www.digicert.com/). So this patch is of interest mainly for people having EV certificate from CA not participating in CT. This patch also requires OpenSSL 1.0.2, which was released just recently, so not many users will push for this:) -- Janusz Dziemidowicz