Wed, 23 Jan 2019 at 11:53 Janusz Dziemidowicz wrote:
> 1.14.2 is current version in Debian testing. Debian seems reluctant to
> use "mainline" nginx versions (1.15.x) so 1.14.x might end in Debian
> 10. I'll try to file Debian bug report later today.
https://bugs
n Debian testing. Debian seems reluctant to
use "mainline" nginx versions (1.15.x) so 1.14.x might end in Debian
10. I'll try to file Debian bug report later today.
--
Janusz Dziemidowicz
openssl s_client -connect HOST:PORT (openssl >= 1.1.1)
Just type 'K' and press enter. If the server is broken then the connection
will be aborted.
www.github.com:443, currently broken:
read R BLOCK
K
KEYUPDATE
read R BLOCK
read:errno=0
mail.google.com:443, working:
read R BLOCK
K
KEYUPDATE
--
Janusz Dziemidowicz
o don't support TLS 1.3
And just for reference, I've found a Chrome bug with this problem (as I
am interested in when this will get enabled, to keep all my systems
updated): https://bugs.chromium.org/p/chromium/issues/detail?id=923685
--
Janusz Dziemidowicz
which might warrant some updates to
documentation about allow-0rtt option?
--
Janusz Dziemidowicz
pled
with early data this is exactly something that TLS 1.3 RFC warns
against. This probably is due to haproxy using external session
management.
I'll try to dig more into this on weekend, now that I know where to look.
--
Janusz Dziemidowicz
haproxy with TLS session handling.
--
Janusz Dziemidowicz
must call
SSL_set_max_early_data with the number of bytes it is willing to read.
The above simply does... nothing.
Is it supposed to work at all, or am I missing something? ;)
--
Janusz Dziemidowicz
n.
Sorry for being late, but 1.8.13 fixes the CLOSE_WAIT problem for me too :)
Now I have to dig into protocol errors I get when enabling h2, but
this will probably happen next week. I will create a new thread for
this.
--
Janusz Dziemidowicz
tting in CLOSE_WAIT for over 30
minutes).
Since I'm also affected by SPDY_PROTOCOL_ERROR I mentioned earlier I
must disable h2 now.
--
Janusz Dziemidowicz
is another free that I failed to detect.
>
> Are you able to trigger this on a trivial config ? Maybe it only happens
> when certain features you have in your config are enabled ?
I've reported this some time ago :)
https://www.mail-archive.com/haproxy@formilux.org/msg30093.html
--
Janusz Dziemidowicz
error_code = "5 (STREAM_CLOSED)"
--> stream_id = 129
However I'm pretty sure I was doing exactly the same yesterday and had
no such problem.
Anyway, I'm reverting back to clean 1.8.9 and h2 handled by nghttpx.
I'd prefer not to do any more tests before Monday ;)
--
Janusz Dziemidowicz
2018-06-14 19:49 GMT+02:00 Willy Tarreau :
> On Thu, Jun 14, 2018 at 07:22:34PM +0200, Janusz Dziemidowicz wrote:
>> 2018-06-14 18:56 GMT+02:00 Willy Tarreau :
>>
>> > If you'd like to run a test, I'm attaching the patch.
>>
>> Sure, but you forgot to attach it
2018-06-14 18:56 GMT+02:00 Willy Tarreau :
> If you'd like to run a test, I'm attaching the patch.
Sure, but you forgot to attach it :)
--
Janusz Dziemidowicz
:443 MY_IP:54514 CLOSE_WAIT 538049/haproxy
haproxy logs (I have dontlognormal enabled): https://pastebin.com/sUsa6jNQ
--
Janusz Dziemidowicz
,UP,200,2,0,,0,15377,0,,1,4,0,,373309,,1,14,,3320,368563,1101,0,1873,12008383545,27962,0,0,0,0,0,0,,,0,18,5,1763433,,http,roundrobin,,,
--
Janusz Dziemidowicz
2018-06-13 19:14 GMT+02:00 Willy Tarreau :
> On Wed, Jun 13, 2018 at 07:06:58PM +0200, Janusz Dziemidowicz wrote:
>> 2018-06-13 14:42 GMT+02:00 Willy Tarreau :
>> > Hi Milan, hi Janusz,
>> >
>> > thanks to your respective traces, I may have come up with
SE_WAIT sockets still
accumulate if I switch native h2 on. Milan should probably double
check this though.
https://pasteboard.co/HpJj72H.png
I'll try to move some low traffic site to a separate instance tomorrow;
maybe I'll be able to capture some traffic too.
--
Janusz Dziemidowicz
stats, etc.), but I've been stripping it
down and down and what I've attached is still producing this issue for
me.
Anyway, I'll do another round of experiments (without tfo) tomorrow.
--
Janusz Dziemidowicz
ansparent ssl alpn h2,http/1.1 curves X25519:P-256
tls-ticket-keys FILE crt FILE
http-request set-header X-Forwarded-For %ci unless LOCALHOST
http-request set-header X-Forwarded-Proto https unless { dst_port 80 }
http-request set-header X-Forwarded-Proto http if { dst_port 80 }
default_backend php
--
Janusz Dziemidowicz
OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
--
Janusz Dziemidowicz
ings for me). Maybe I'll
find some time to look into this later.
Regardless, this patch is rather safe and should probably be applied
anyway, if there are no concerns about it (and probably backported to 1.7).
--
Janusz Dziemidowicz
Invalid OCSP file (for example empty one that can be used to enable
OCSP response to be set dynamically later) causes errors that are
placed on OpenSSL error stack. Those errors are not cleared so
anything that checks this stack later will fail.
Following configuration:
bind :443 ssl crt
//github.com/grahamedgecombe/nginx-ct/issues/13
And OpenSSL bug report: https://github.com/openssl/openssl/issues/2180
--
Janusz Dziemidowicz
2016-11-18 14:27 GMT+01:00 Janusz Dziemidowicz <rrapt...@nails.eu.org>:
> listen default
> bind :
> http-request set-src req.hdr_ip(X-Forwarded-For)
> server localhost 127.0.0.1:80 send-proxy
Sorry, there are obviously two binds there:
bind :
bind :
uilt with network namespace support
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
--
Janusz Dziemidowicz
on error. The new API "SSL_CTX_set_ecdh_auto" supports
real negotiation, as it was always in the design of TLS. Client sends
its curves list in the extension, server tries to find a matching
curve from a list it supports.
There are no clients "not supporting the neg". If the client supp
ssing documentation changes;)
--
Janusz Dziemidowicz
will work right now, but someday,
somewhere in the future;)
--
Janusz Dziemidowicz
User can configure multiple curves if
there is sufficiently new OpenSSL.
Changes to the documentation would also be nice in the patch :)
--
Janusz Dziemidowicz
ieve this will
also have a very fast implementation, so ability to configure more
curves will probably be handy in near future.
--
Janusz Dziemidowicz
OpenSSL. Probably the best
would be to keep current default, so it all works consistently in
default configuration, regardless of version of haproxy and OpenSSL.
--
Janusz Dziemidowicz
2016-04-09 2:15 GMT+02:00 Willy Tarreau <w...@1wt.eu>:
> On Fri, Apr 08, 2016 at 03:15:22PM +0200, Janusz Dziemidowicz wrote:
>> 2016-04-07 17:47 GMT+02:00 Willy Tarreau <w...@1wt.eu>:
>> > If someone who can reliably reproduce the issue could check whether 1.6 has
o test 1.6 next week and see what happens.
--
Janusz Dziemidowicz
2016-03-31 9:46 GMT+02:00 Janusz Dziemidowicz <rrapt...@nails.eu.org>:
> About the CPU problem. Reverting 7610073a indeed fixes my problem. If
> anyone has any idea what is the problem with this commit I am willing
> to test patches:)
> Some more details about my setup. All ser
h makes tickets work
properly in all cases.
--
Janusz Dziemidowicz
oss different processes.
Are you sure that during your tests traffic hit at least two different
processes? If a single one accepted all the connections then
resumption with tickets will work; it will break as soon as another
process accepts a resumption attempt.
--
Janusz Dziemidowicz
is patch I'm kinda sure
that it is irrelevant, but I might well be biased. Will try next thing
tomorrow morning:)
--
Janusz Dziemidowicz
"). There is no
need to distribute anything apart from this local file. The downside is
that not all clients support this.
--
Janusz Dziemidowicz
server.
If you are willing to limit your connection rate on a firewall to a
few per second, then fine;)
As for your problem. Now that it seems like SSL problem, can you just
try with RSA 4096 or 2048? RSA 8192 is really not much tested in most
code, so maybe the problem is in fact related.
--
Janusz Dziemidowicz
you want state-of-the-art cryptography you
should probably use an ECDSA certificate; it will be both faster and more
secure.
--
Janusz Dziemidowicz
otherwise
this whole header is ignored. See RFC7469 section 2.5. Also use tools
in browsers, like Chrome net internals, to verify that it is correctly
noted by the browser.
--
Janusz Dziemidowicz
ement 1
and set a custom HTTP header with client certificate details (search the
haproxy documentation for X-SSL-Client-CN, for example). Your backend
will not see the client certificate in an SSL handshake, but can access the
header for certificate information.
--
Janusz Dziemidowicz
;
+ goto end;
+ }
a call to chunk_destroy seems to be missing.
For the rest, the patch has my approval.
I'll send updated patch shortly. I've changed this so that SCTL is
first parsed from trash and only then copied. Makes it a bit shorter.
--
Janusz Dziemidowicz
(for example see the certificate at
https://www.digicert.com/). So this patch is of interest mainly for
people having an EV certificate from a CA not participating in CT. This
patch also requires OpenSSL 1.0.2, which was released just recently,
so not many users will push for this :)
--
Janusz Dziemidowicz