Re: Proposal about new default SSL log format

2021-07-08 Thread William Lallemand
On Thu, Jul 08, 2021 at 02:48:32PM +0200, Willy Tarreau wrote: > On Thu, Jul 08, 2021 at 02:18:32PM +0200, William Lallemand wrote: > > I saw that you hesitated between "conn_status" and "conn_err_code", the > > "conn_" prefix could be confusing

Re: Proposal about new default SSL log format

2021-07-08 Thread William Lallemand
; *%sslv/%sslc* > I saw that you hesitated between "conn_status" and "conn_err_code", the "conn_" prefix could be confusing at some point once you try to have errors on the frontend and the backend side in the same log-format, I think something starting by "fc_conn_" would be more understandable. That seems good to me, we only need frontend info IMHO. People who need the SSL backend connection are not the most common case so they could make their own log-format with it. -- William Lallemand

Re: Speeding up opentracing build in CI ?

2021-06-17 Thread William Lallemand
; > > Let's wait for the remaining tests to conclude. > > OK that's a net win, openssl-3.0.0-alpha17 dropped from 8'29 to 2'55. > I've just excluded versions 1.x from both the parallel build and the > build_sw target and that's good now. > > Willy Great improvement, thanks! -- William Lallemand

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-14 Thread William Lallemand
https://github.com/haproxy/haproxy/commit/1b095cac9468d0c3eeb157e9b1a2947487bd3c83 I thought it disappeared completely from the interface, good to know! Thanks -- William Lallemand

Re: [PATCH 0/4] Use 'feature cmd' in regtests

2021-06-14 Thread William Lallemand
Looks like a good idea imho, it could even be used to provide several kinds of regex depending on which regex library you use, for example. -- William Lallemand

Re: [PATCH 0/4] Use 'feature cmd' in regtests

2021-06-14 Thread William Lallemand
en skipped: > > 0 tests failed, 4 tests skipped, 105 tests passed > > I don't think this is going to be an issue. But if it is, please complain! > Hm the only problem I have with this, is that we won't be able to see why a test was excluded. -- William Lallemand

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-14 Thread William Lallemand
According to their documentation they are running the CI on the actual CPU not an emulated one, so still better than qemu. -- William Lallemand

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread William Lallemand
could do it with the alpine image. If you want to build with the musl-gcc wrapper you will need to link the linux headers in the musl headers directory otherwise it won't work the way their package is done. -- William Lallemand

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread William Lallemand
t on the docker hub. > also, there's small caveat, github actions runs agent inside docker > container, it might have issues with older libc (or musl). > but it worth a try > Let's hope it works in this case. -- William Lallemand

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread William Lallemand
e to make this work I prefer to run it from github actions, otherwise we'll go with cirrus. Thanks, -- William Lallemand

[PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread William Lallemand
This commit adds a CI job to cirrus-ci which builds HAProxy on Alpine Linux, allowing to build and test HAProxy with musl. OpenSSL, PCRE2, Lua 5.3 as well as the prometheus exporter are enabled. GNU grep was purposely installed to run the reg-test script. --- .cirrus.yml | 13 + 1

add alpine linux to the CI

2021-06-11 Thread William Lallemand
Hello guys, I couldn't find a way to launch an alpine job easily with github actions so instead I wrote one for cirrus-ci. It will help debugging Docker images and musl problems. Example of the run here: https://cirrus-ci.com/task/5985082050609152 I'll push it in the master if that's fine with

Re: Speeding up opentracing build in CI ?

2021-06-10 Thread William Lallemand
ted on macos to be certain it's > OK there as well, and I don't know how to get the CPU count there (or > maybe we could just force it to a low value like 2 or 4). > > Willy > Looks fine to me, but from what I remember when debugging some reg-tests there was only one CPU available, I hope I'm wrong. -- William Lallemand

Re: [PATCH] CI: enable openssl-3.0.0 builds

2021-06-07 Thread William Lallemand
On Mon, Jun 07, 2021 at 02:17:24PM +0200, William Lallemand wrote: > > On Mon, Jun 07, 2021 at 02:09:33PM +0200, Tim Düsterhus wrote: > > > > William, > > > > On 6/7/21 1:30 PM, William Lallemand wrote: > > > On Mon, Jun 07, 2021 at 04:02:00PM +0500,

Re: [PATCH] CI: enable openssl-3.0.0 builds

2021-06-07 Thread William Lallemand
On Mon, Jun 07, 2021 at 02:09:33PM +0200, Tim Düsterhus wrote: > Subject: Re: [PATCH] CI: enable openssl-3.0.0 builds > > William, > > On 6/7/21 1:30 PM, William Lallemand wrote: > > On Mon, Jun 07, 2021 at 04:02:00PM +0500, Илья Шипицин wrote: > >> sorry,

Re: [PATCH] CI: enable openssl-3.0.0 builds

2021-06-07 Thread William Lallemand
On Mon, Jun 07, 2021 at 05:08:32PM +0500, Илья Шипицин wrote: > Mon, 7 Jun 2021 at 16:31, William Lallemand : > > > On Mon, Jun 07, 2021 at 04:02:00PM +0500, Илья Шипицин wrote: > > > sorry, I do not have much spare time to implement that in short time > > > per

Re: [PATCH] CI: enable openssl-3.0.0 builds

2021-06-07 Thread William Lallemand
mething like: make DEBUG_CFLAGS="-g -Wno-deprecated-declarations" -- William Lallemand

Re: [PATCH] CI: enable openssl-3.0.0 builds

2021-06-07 Thread William Lallemand
relevant at some point, not only for OpenSSL, but for the other libs that are linked with haproxy. In my opinion we should only disable them for this specific build of OpenSSL 3.0.0 on the CI, not for everyone in the Makefile. -- William Lallemand

Re: [PATCH] CI: enable openssl-3.0.0 builds

2021-06-02 Thread William Lallemand
nd build without -Werror in order to see the -Wdeprecated-declarations warnings. * port haproxy to the new API (long term goal) to be able to build with openssl 3.0.0 with -Werror. > > @William Lallemand has an appetite to make it > green ;) > I'll fix what I can to be able to buil

Re: [PATCH] CI: switch to the latest stable LibreSSL-3.3.3

2021-05-05 Thread William Lallemand
On Wed, May 05, 2021 at 09:11:08AM +0500, Илья Шипицин wrote: > Hello, > > LibreSSL-3.3.3 just released. patch attached. > > thanks, > Ilya Thanks, pushed in master. -- William Lallemand

Re: Proposal about libslz integration into haproxy

2021-04-21 Thread William Lallemand
it's for a new major release so it's fine in my opinion. -- William Lallemand

[ANNOUNCE] haproxy-2.2.13

2021-04-02 Thread William Lallemand
=haproxy-2.2.git Changelog: http://www.haproxy.org/download/2.2/src/CHANGELOG Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/ --- Complete changelog : William Lallemand (2): BUG/MEDIUM: ssl: ckch_inst->ctx not assigned with multi-bundle certificates REGTESTS:

Re: 2.2.12 and rsa/ecdsa cert regression (crash on startup) ?

2021-04-01 Thread William Lallemand
On Thu, Apr 01, 2021 at 02:26:07PM +0200, William Lallemand wrote: > On Thu, Apr 01, 2021 at 10:19:31AM +, Jarno Huuskonen wrote: > > Hello, > > > > I'm seeing a regression with 2.2.12 and using rsa and ecdsa certs on bind. > > (cert1.pem.ecdsa > > cert1.

Re: 2.2.12 and rsa/ecdsa cert regression (crash on startup) ?

2021-04-01 Thread William Lallemand
or the report, I can reproduce the problem, I'm investigating. -- William Lallemand

Re: [PATCH] BUILD: ssl: use EVP_CIPH_GCM_MODE macro instead of HA_OPENSSL_VERSION

2021-03-26 Thread William Lallemand
On Fri, Mar 26, 2021 at 11:47:48PM +0500, Илья Шипицин wrote: > Hello, > > yet another patch that removes few HA_OPENSSL_VERSION usage. > > Ilya Pushed in master, thanks. -- William Lallemand

Re: [PATCH] fine guard for ssl random extraction functions

2021-03-26 Thread William Lallemand
On Thu, Mar 25, 2021 at 12:52:42AM +0500, Илья Шипицин wrote: > Hello, > > yet another patch that removes several occurrences of HA_OPENSSL_VERSION > also, fetches enabled for BoringSSL and LibreSSL-2.7.0 and higher > > Ilya Looks good, pushed in master, thanks! -- William Lallemand

Re: [PATCH] fine guard for ssl random extraction functions

2021-03-26 Thread William Lallemand
ou please have a look ? > I'll take a look. -- William Lallemand

Re: Fwd: [PATCH] cleanup unused definitions

2021-03-24 Thread William Lallemand
sl: use feature guard instead of openssl > > version for ecdh functions > > To: HAProxy , Willy Tarreau > > Delivered-To: haproxy@formilux.org > > List-Id: Haproxy > > > > ping > > > > ??, 21 ???. 2021 ?. ? 13:02, ??? : > > > > > Hello, > > > > > > yet another patch that reduces number of HA_OPENSSL_VERSION use > > > > > > Ilya > > > > > > > > > > > - End forwarded message - > Thanks, both merged. -- William Lallemand

Re: [PATCH] BUILD: ssl: use feature guard instead of openssl version for ecdh functions

2021-03-24 Thread William Lallemand
On Wed, Mar 24, 2021 at 11:29:19AM +0500, Илья Шипицин wrote: > ping > > Sun, 21 Mar 2021 at 13:02, Илья Шипицин : > > > Hello, > > > > yet another patch that reduces number of HA_OPENSSL_VERSION use > > > > Ilya > > > > > > Thanks, merged. -- William Lallemand

Re: [PATCH] cleanup unused definitions

2021-03-24 Thread William Lallemand
On Wed, Mar 24, 2021 at 11:29:03AM +0500, Илья Шипицин wrote: > ping > > Sat, 20 Mar 2021 at 22:43, Илья Шипицин : > > > while refactoring HA_OPENSSL_VERSION usage, > > I've found unused definitions. nice. > > > > > > Ilya > > Thanks, merged. -- William Lallemand

Re: is it possible to rotate TLS keys in scheduled way ?

2021-03-23 Thread William Lallemand
to be pushed each time a ticket expired. -- William Lallemand

Re: [PATCH] BUG/MINOR: sample: Rename SenderComID/TargetComID to SenderCompID/TargetCompID

2021-03-10 Thread William Lallemand
g56.html > > > > > > > > > > > > > > > > Thanks, > > > > -- Daniel > > > > > > > > Hi, > > Thank you Daniel for reporting / fixing this. > The patch looks correct and may be applied. > > Baptiste Thanks, applied. -- William Lallemand

Re: [PATCH] BUILD: SSL: introduce fine guard for openssl specific "RAND_keep_random_devices_open"

2021-02-22 Thread William Lallemand
aproxy/openssl-compat.h > That guard does not depend anymore on HA_OPENSSL_VERSION Thanks, merged! -- William Lallemand

Re: [PATCH] introduce guard for SCTL openssl specific functions

2021-02-18 Thread William Lallemand
On Thu, Feb 18, 2021 at 07:06:14PM +0500, Илья Шипицин wrote: > ping :) > > On Sat, Feb 13, 2021, 11:48 AM Илья Шипицин wrote: > > > I changed macro name, new patch attached > > Merged, thanks. -- William Lallemand

Re: [PATCH] introduce guard for SCTL openssl specific functions

2021-02-12 Thread William Lallemand
On Sat, Feb 13, 2021 at 12:21:56AM +0500, Илья Шипицин wrote: > Hello, > > let us switch to feature macro instead of HA_OPENSSL_VERSION. > > Ilya Hello Ilya, For more consistency with the other macros I'd rather use "HAVE_SSL_SCTL" instead of "HAVE_OPENSSL

Re: Should server crt be consider as crt-list and handled via the runtime API?

2021-02-08 Thread William Lallemand
h, I think you meant "show ssl cert"? The crt-list are only useful to manage multiple certificates and SNIs on a bind line, in the case of a server line you only need one certificate. -- William Lallemand

Re: [PATCH] BUILD: ssl: guard SSL_CTX_set_msg_callback with SSL_CTRL_SET_MSG_CALLBACK macro

2021-02-08 Thread William Lallemand
On Mon, Feb 08, 2021 at 05:17:32PM +0500, Илья Шипицин wrote: > usually I do such stupid mistakes on friday. > I wonder about next friday :( > > new patch attached. > > Ilya > Don't worry it happens to me quite a lot :-) Applied, thanks. -- William Lallemand

Re: [PATCH] BUILD: ssl: guard SSL_CTX_set_msg_callback with SSL_CTRL_SET_MSG_CALLBACK macro

2021-02-08 Thread William Lallemand
SL_CTRL_SET_MSG_CALLBACK > SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk); > #endif > #ifdef HAVE_OPENSSL_KEYLOG > -- > 2.29.2 > It looks like you sent the exact same patch by mistake. -- William Lallemand

Re: [PATCH} improve ssl guarding

2021-02-07 Thread William Lallemand
On Sat, Feb 06, 2021 at 09:18:30PM +0500, Илья Шипицин wrote: > you are right. > I've fixed it. > Thanks, both pushed in master. -- William Lallemand

Re: Makefile, environment variables and REGTESTS_TYPES

2021-02-05 Thread William Lallemand
On Fri, Feb 05, 2021 at 10:31:53AM +0100, William Lallemand wrote: > Ok, I'm going to do the change in the help command then. > In fact I just took a look again at this, and I think we've done the patch the wrong way. In 'run-regtests.sh' there is already a default setting: REGTESTS

Re: Makefile, environment variables and REGTESTS_TYPES

2021-02-05 Thread William Lallemand
On Fri, Feb 05, 2021 at 08:41:47AM +0100, Willy Tarreau wrote: > Hi William, > > On Fri, Jan 29, 2021 at 02:44:27PM +0100, William Lallemand wrote: > > Hello List, > > > > According to `make reg-tests-help` the REGTESTS_TYPES parameter must be > > conf

Makefile, environment variables and REGTESTS_TYPES

2021-01-29 Thread William Lallemand
ly variable that uses "?=" in the Makefile and I'm not sure we want to proceed this way. Regards, -- William Lallemand

Re: [PATCH] BUILD: ssl: guard SSL_CTX_set_msg_callback with SSL_CTRL_SET_MSG_CALLBACK macro

2021-01-23 Thread William Lallemand
7000L > +#ifdef SSL_CTRL_SET_MSG_CALLBACK > SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk); > #endif > #ifdef HAVE_OPENSSL_KEYLOG > -- > 2.29.2 > Please add a commit message in your patches, patches with only a subject line won't be taken. See this part of the contrib

Re: [PATCH} improve ssl guarding

2021-01-23 Thread William Lallemand
p;& !defined OPENSSL_NO_TLSEXT > && !defined OPENSSL_IS_BORINGSSL) > +#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT > sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, > ssl_sock_sctl_free_func); > #endif > -- William Lallemand
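Review bot: the new guard on the `+#ifdef` line is spelled HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT, which reads like a typo for HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT. An #ifdef on a name that is never defined is silently false, so if the definition uses the other spelling, the SSL_CTX_get_ex_new_index() call that sets sctl_ex_index would be compiled out without any build error. Please make the spelling here match the macro's definition exactly.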

Re: [PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-22 Thread William Lallemand
On Sat, Jan 23, 2021 at 12:23:01AM +0500, Илья Шипицин wrote: > updated patch attached > Thanks, merged. -- William Lallemand

Re: [PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-22 Thread William Lallemand
>> I'm not sure it is good thing. > >> > >> if you think it is, please modify patch when applying. I'm ok with such > >> change. > >> > >> Mon, 18 Jan 2021 at 15:53, Илья Шипицин : > >> > >>> > >>> > >>> Mon

Re: [PATCH 1/1] BUG/MINOR: worker: define _GNU_SOURCE for strsignal()

2021-01-21 Thread William Lallemand
proxy.c:2859 > #10 0x004f63b7 in run_thread_poll_loop (data=) > at src/haproxy.c:3028 > #11 0x004faaac in main (argc=, > argv=0x7fffedc68498) at src/haproxy.c:904 > > See: https://man7.org/linux/man-pages/man3/strsignal.3.html Thanks, merged. I've added the missing backport info in the commit message and renamed the worker tag by mworker. -- William Lallemand

Re: [PATCH 1/3] MINOR: cache: Remove the `hash` part of the accept-encoding secondary key

2021-01-18 Thread William Lallemand
client that sends: > > accept-encoding: br,br,br,br,[…],br > > > The comment of the accept_encoding_normalizer function does not match > > its behavior anymore either. > > Indeed. I adjusted that on v2. > > Best regards > Tim Düsterhus > Thanks to both of you, applied. -- William Lallemand

Re: [PATCH] BUG/MINOR: init: enforce strict-limits when using master-worker

2021-01-18 Thread William Lallemand
On Thu, Jan 14, 2021 at 12:13:17PM +0100, William Dauchy wrote: > On Thu, Jan 14, 2021 at 11:21 AM William Lallemand > wrote: > > VTest is not really suited to test the process management, for example > > the tests doing a reload have timing issues because VTest is not abl

Re: [PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-18 Thread William Lallemand
nt *al, void *priv) > { We probably want to remove the defined(IS_BORINGSSL) from the ssl_sock.c too. Why don't you define a macro constant with the feature name in openssl-compat.h and test this constant in ssl_sock.c? Like it was done for various functions. Regards, -- William Lallemand

Re: [PATCH] MINOR: build: discard echoing in help target

2021-01-18 Thread William Lallemand
RE STATIC_PCRE2 TPROXY LINUX_TPROXY > LINUX_SPLICE LIBCRYPT CRYPT_H GETADDRINFO OPENSSL LUA FUTEX ACCEPT4 CLOSEFROM > ZLIB SLZ CPU_AFFINITY TFO NS DL RT DEVICEATLAS 51DEGREES WURFL SYSTEMD > OBSOLETE_LINKER PRCTL THREAD_DUMP EVPORTS OT QUIC; echo " $*" | (fmt || cat) > 2>/dev/null > EPOLL KQUEUE NETFILTER PCRE PCRE_JIT PCRE2 PCRE2_JIT PRIVATE_CACHE > > This commit ensures the help target always discards line echoing > regardless of V variable as done for reg-tests-help target. Thanks, merged! -- William Lallemand

Re: [PATCH] DOC: replace use of HAproxy with HAProxy

2021-01-17 Thread William Lallemand
sh-cache-haproxy/d02286d.vtc > ** h10.0 Reset and free h1 haproxy 12728 > ** h10.0 Wait > -** h10.0 Stop HAproxy pid=12728 > +** h10.0 Stop HAProxy pid=12728 > h10.0 Kill(2)=0: Success > **** h1 0.0 STDOUT poll 0x10 > ** h10.1 WAIT4 pid=12728 status=0x0002 (user 0.00 sys 0.004000) These are VTest output, you probably want to patch VTest or the example won't be accurate! -- William Lallemand

Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-17 Thread William Lallemand
> PRODUCT_STATUS "\n", haproxy_version, haproxy_date); > > if (strlen(PRODUCT_URL_BUGS) > 0) { > I wanted to do this a long time ago, and at this time we decided to keep it as it was to not break existing scripts. I think we'll let Willy decide if that's a good idea now :-) Regards, -- William Lallemand

Re: [PATCH] BUG/MINOR: init: enforce strict-limits when using master-worker

2021-01-14 Thread William Lallemand
On Thu, Jan 14, 2021 at 10:35:27AM +0100, William Dauchy wrote: > On Wed, Jan 13, 2021 at 1:22 PM William Lallemand > wrote: > > Thanks to both of you! merged in master. > > a side note: yesterday evening I wanted to have a look at a reg-test > in order to prevent it in the

Re: [PATCH] BUG/MINOR: init: enforce strict-limits when using master-worker

2021-01-13 Thread William Lallemand
review. > thanks for your time reviewing the issue. > regards, Thanks to both of you! merged in master. -- William Lallemand

Re: [ANNOUNCE] haproxy-2.4-dev5

2021-01-07 Thread William Lallemand
I, it seems they succeed. But that doesn't mean they're reliable > or anything, very often regtests start to fail sporadically in a single > environment before we figure the problem. > These reg-tests are of types "slow" and "broken" not launched by the CI. -- William Lallemand

Re: [PATCH] improve SSL guarding, use macro instead of openssl version

2021-01-07 Thread William Lallemand
On Thu, Jan 07, 2021 at 12:28:02PM +0500, Илья Шипицин wrote: > Hi, > > another series of removing HA_OPENSSL_VERSION > > Ilya Thanks, merged. -- William Lallemand

Re: [PATCH 1/2] CLEANUP: Reduce scope of `header_name` in http_action_store_cache()

2021-01-05 Thread William Lallemand
02, 2021 at 10:47:17PM +0100, Tim Duesterhus wrote: > This is only required to process the `age` header. Thanks Tim, pushed in master. -- William Lallemand

Re: [PATCH] more granular guard for SSL_CTX_add_server_custom_ext

2020-12-15 Thread William Lallemand
On Fri, Dec 11, 2020 at 09:58:31PM +0500, Илья Шипицин wrote: > ping :) > > Fri, 27 Nov 2020 at 02:58, Илья Шипицин : > > > Hello, > > > > let us continue to improve ssl guarding. > > > > Ilya > > Thanks, merged. -- William Lallemand

Re: HAproxy 2.2.5 possible bug in ssl crt-list socket commands?

2020-12-15 Thread William Lallemand
I can never remove it again. > For people interested, the bug was discussed here: https://github.com/haproxy/haproxy/issues/1004 -- William Lallemand

Re: dynamic ssl certificate updates with changed intermediate

2020-12-11 Thread William Lallemand
On Fri, Dec 11, 2020 at 02:53:13PM +0100, Björn Jacke wrote: > Hi William, > > On 11.12.20 12:29, William Lallemand wrote: > > If we want the "set ssl ocsp-response" command to work in this particular > > case, > > I think we need to change the key, but

Re: dynamic ssl certificate updates with changed intermediate

2020-12-11 Thread William Lallemand
set ssl ocsp-response" command to work in this particular case, I think we need to change the key, but the problem is that the OCSP response only contains an OCSP_CERTID for helping us finding where we should apply the certificate, and the serialNumber alone is not enough to index the response. -- William Lallemand

Re: dynamic ssl certificate updates with changed intermediate

2020-12-10 Thread William Lallemand
On Thu, Dec 10, 2020 at 03:24:39PM +0100, Björn Jacke wrote: > Hi William, > > On 09.12.20 09:27, William Lallemand wrote: > > $ echo -e -n "@1 set ssl cert server1.fullchain.pem <<\n$(cat > > server2.fullchain.pem)\n\n" | socat - /tmp/master.socket >

Re: dynamic ssl certificate updates with changed intermediate

2020-12-09 Thread William Lallemand
On Tue, Dec 08, 2020 at 06:42:13PM +0100, Björn Jacke wrote: > Hi William, > > On 08.12.20 15:13, William Lallemand wrote:> I then updated the > certificate this way: > > > > $ echo -e -n "@1 set ssl cert server1.fullchain.pem <<\n$(cat > >

Re: dynamic ssl certificate updates with changed intermediate

2020-12-08 Thread William Lallemand
On Tue, Dec 08, 2020 at 11:48:41AM +0100, William Lallemand wrote: > On Sat, Dec 05, 2020 at 02:57:03AM +0100, Björn Jacke wrote: > > Hi, > > > > I ran into an issue with haproxy 2.2.6, where I'm not sure if this is > > working as intended or not. I have a fro

Re: dynamic ssl certificate updates with changed intermediate

2020-12-08 Thread William Lallemand
iate > certificate of course. > Looks like a bug to me, the intermediate certificate is indeed supposed to be updated, I'll look into this. -- William Lallemand

[ANNOUNCE] haproxy-2.3.2

2020-11-28 Thread William Lallemand
Dauchy (1): REGTESTS: converter: add url_dec test William Lallemand (6): DOC: add missing 3.10 in the summary BUG/MINOR: ssl: segv on startup when AKID but no keyid BUG/MEDIUM: ssl/crt-list: bundle support broken in crt-list BUG/MEDIUM: ssl: error when no certificate are found

Re: openssl-3.0 ?

2020-11-27 Thread William Lallemand
ere not totally replaced (the ENGINE part for example) so we can't remove that for now. The deprecated flag is an indicator and I don't know any distribution which builds this way, so we are safe for now, but we should definitively migrate what is deprecated if that's possible. -- William Lallemand

Re: [PATCH] DOC: clarify how to create a fallback crt

2020-11-24 Thread William Lallemand
On Tue, Nov 24, 2020 at 08:59:05AM -0300, Joao Morais wrote: > > > > On 24 Nov 2020, at 05:47, William Lallemand > > wrote: > > > > Hello Joao, > > > > On Sat, Nov 21, 2020 at 12:33:38PM -0300, Joao Morais wrote: > >> >

Re: [PATCH] unveal the power of BoringSSL by setting its own version back to 1.1.1

2020-11-24 Thread William Lallemand
On Sat, Nov 21, 2020 at 11:23:32PM +0500, Илья Шипицин wrote: > hopefully final BoringSSL patches this week. > > Ilya Thanks, all merged! -- William Lallemand

Re: [PATCH] DOC: clarify how to create a fallback crt

2020-11-24 Thread William Lallemand
> declared certificate act as a fallback. It looks good in my opinion, can you make a new patch for it? Thanks -- William Lallemand

Re: [PATCH] DOC: clarify how to create a fallback crt

2020-11-21 Thread William Lallemand
e, the fallback certificate will be "default.pem", and in the second case, it will be the first line of "list1.crtlist". -- William Lallemand

Re: [PATCH] DOC: clarify how to create a fallback crt

2020-11-21 Thread William Lallemand
On Sat, Nov 21, 2020 at 07:48:48AM -0300, Joao Morais wrote: -- William Lallemand 0001-DOC-clarify-how-to-create-a-fallback-crt.patch Description: Binary data

Re: [PATCH] simplify openssl async detection

2020-11-19 Thread William Lallemand
On Thu, Nov 19, 2020 at 12:58:06AM +0500, Илья Шипицин wrote: > ping :) ? > > Sat, 14 Nov 2020 at 02:04, Илья Шипицин : > > > Hi. > > > > next define improvement. > > > > Ilya > > Thanks, merged. -- William Lallemand

Re: [PATCH v5 0/2] add set server ssl command

2020-11-18 Thread William Lallemand
erver.c | 41 - > src/ssl_sock.c | 17 ++ > 13 files changed, 165 insertions(+), 46 deletions(-) > create mode 100644 reg-tests/server/cli_set_ssl.vtc > Thanks, now merged. -- William Lallemand

Re: do we want to keep CentOS 6 builds?

2020-11-17 Thread William Lallemand
gets regular > maintenance till April 2021 and extended maintenance till April 2024. > And yes, I do want to see older versions of openssl continue to work as > long as it doesn't come with too high a maintenance cost. > It looks worse with CentOS, it uses a 1.0.1 release :-) -- William Lallemand

Re: Use default/first crt only if all snifilter fails

2020-11-17 Thread William Lallemand
On Tue, Nov 17, 2020 at 09:18:43AM -0300, Joao Morais wrote: > > > > On 17 Nov 2020, at 05:28, William Lallemand > > wrote: > > > > You could also do > > > > /tmp/default.pem !* > > > > That will ignore the creation

Re: Use default/first crt only if all snifilter fails

2020-11-17 Thread William Lallemand
On Tue, Nov 17, 2020 at 09:09:38AM +0100, William Lallemand wrote: > On Mon, Nov 16, 2020 at 08:44:58PM -0300, Joao Morais wrote: > > > > Hello list, I have a `crt-list` keyword configuring a list of > > crt/keys, something like this: > > > > /t

Re: Use default/first crt only if all snifilter fails

2020-11-17 Thread William Lallemand
rk on the first line. Ideally we need a "crt-fallback" keyword which insert the crt in the default_ctx without inserting it in the SNI tree. -- William Lallemand

[ANNOUNCE] haproxy-2.3.1

2020-11-13 Thread William Lallemand
: Extract cookie value even when no cookie name Thierry Fournier (2): BUG/MINOR: pattern: a sample marked as const could be written BUG/MINOR: lua: set buffer size during map lookups William Lallemand (3): BUG/MEDIUM: ssl/crt-list: correctly insert crt-list line if crt already

Re: [PATCH v4 2/2] MEDIUM: cli/ssl: configure ssl on server at runtime

2020-11-11 Thread William Lallemand
s good. I think a VTC file which tests this feature could also be a good idea, so we don't break this accidentally. Thanks! -- William Lallemand

Re: [PATCH v4 1/2] MINOR: ssl: create common ssl_ctx init

2020-11-11 Thread William Lallemand
On Thu, Oct 29, 2020 at 01:17:55PM +0100, William Dauchy wrote: > so we can reuse it later > > Signed-off-by: William Dauchy Could you add a little more explanation in the commit message for this one, and separate clearly the subject from the commit message? Thanks! -- William Lallemand

Re: Updated CI using GitHub actions

2020-11-10 Thread William Lallemand
t of view :-) -- William Lallemand

Re: [ANNOUNCE] haproxy-2.3.0

2020-11-06 Thread William Lallemand
rs should consider this one if they didn't emit the 2.3.0 yet. We'll probably make a 2.3.1 release at the end of next week. Sorry for the mess! -- William Lallemand

Re: [PATCH] check ssl keylog by feature, not by version defined

2020-11-03 Thread William Lallemand
On Tue, Nov 03, 2020 at 02:19:10PM +0500, Илья Шипицин wrote: > Hi, > > the less we use HA_OPENSSL_VERSION_NUMBER, the better. > > cheers, > Ilya Thanks, merged in master. -- William Lallemand

Re: [ANNOUNCE] haproxy-2.3-dev9

2020-11-03 Thread William Lallemand
hat locally, I never > > linked haproxy with the no-deprecated mode before, I don't even know if > > > I can reproduce that on my laptop with OpenSSL 1.1.1g, no need to set the no deprecated mode. -- William Lallemand

Re: [ANNOUNCE] haproxy-2.3-dev9

2020-11-03 Thread William Lallemand
d to test that locally, I never linked haproxy with the no-deprecated mode before, I don't even know if every haproxy feature is supported with this mode. > > should we address those failures before 2.3 release ? > It's better if we can fix the FreeBSD issue and at least identify what the problems are with the openSSL issue. -- William Lallemand

Re: [PATCH] improve openssl feature detection

2020-11-03 Thread William Lallemand
On Sat, Oct 31, 2020 at 02:13:35AM +0500, Илья Шипицин wrote: > hi, > > let us use SSL_CTRL_GET_RAW_CIPHERLIST instead of versions. > > cheers, > Ilya Thanks, pushed in master. -- William Lallemand

Re: [PATCH 0/2] Cache fixes

2020-10-27 Thread William Lallemand
bably failing > roughly never, but I guess it's better to be safe there. > I think the impact is reasonable here, I'll take this one. Thanks! -- William Lallemand

Re: [PATCH] update h2spec to 2.6.0

2020-10-27 Thread William Lallemand
On Sun, Oct 25, 2020 at 07:37:16PM +0500, Илья Шипицин wrote: > Hi, > > we missed couple of releases. > > Ilya Merged, thanks. -- William Lallemand

Re: [PATCH] refactor specific openssl early data detection check

2020-10-27 Thread William Lallemand
> Ilya Totally agree with this, merged in master. -- William Lallemand

Re: [PATCH] BUG/MEDIUM: ssl: OCSP must work with BoringSSL

2020-10-27 Thread William Lallemand
> > > Thanks, pushed in master and backported in 2.2 and 2.1! -- William Lallemand

Re: stable-bot: Bugfixes waiting for a release 2.2 (20), 2.1 (16), 2.0 (15), 1.8 (20)

2020-10-22 Thread William Lallemand
On Thu, Oct 22, 2020 at 08:41:35PM +0200, William Lallemand wrote: > On Thu, Oct 22, 2020 at 10:20:12PM +0500, Илья Шипицин wrote: > > can we backport > > http://git.haproxy.org/?p=haproxy.git;a=commit;h=b3201a3e077198b3f75ebe8661aa45589b811552 > > to 2.1 as well ?

Re: stable-bot: Bugfixes waiting for a release 2.2 (20), 2.1 (16), 2.0 (15), 1.8 (20)

2020-10-22 Thread William Lallemand
sions each time they change their API. That's not how a stable branch is supposed to work. Since people using boringSSL do not use a boringSSL release, I don't see why they would need a haproxy release :-) -- William Lallemand

Re: [PATCH] update trvis-ci to Ubuntu 20.04

2020-10-22 Thread William Lallemand
> ninja-build, libpcre3-dev ] > Is there a reason we need both libpcre packages? -- William Lallemand

Re: [PATCH] guard RAND_keep_random_devices_open from BoringSSL

2020-10-19 Thread William Lallemand
/* close random device FDs */ > RAND_keep_random_devices_open(0); > #endif > -- > 2.26.2 > This one should be dropped? -- William Lallemand

Re: [PATCH] change BoringSSL emulated version back to 1.1.0

2020-10-19 Thread William Lallemand
_OPENSSL_VERSION_NUMBER OPENSSL_VERSION_NUMBER > #endif Hello, That's interesting to make it build with relatively new versions of boringSSL. But it does not activate TLSv1.3 keywords and features this way. That should probably be enough for backporting in previous versions though. -- William Lallemand

Re: [PATCH] BUG/MINOR: mworker: delete the pidfile when the master process is stopped

2020-10-13 Thread William Lallemand
AProxy, you will still have the same problem if the master crashes. It's also a big change of behavior that could break existing scripts. In my opinion this should be done in your init script. -- William Lallemand

Re: how to use tune.ssl.keylog

2020-10-13 Thread William Lallemand
ylog And then compose a SSLKEYLOGFILE from your logs that you will open with wireshark. -- William Lallemand

Re: [PATCH v2 0/4] add set server ssl command

2020-10-06 Thread William Lallemand
? Willy has maybe a better suggestion about this. -- William Lallemand
