Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-12-20 Thread Willy Tarreau
On Sat, Dec 21, 2019 at 01:19:30AM +0100, Lukas Tribus wrote: > You can merge the patch I posted today, as there is consensus for this > particular fix: > https://www.mail-archive.com/haproxy@formilux.org/msg35760.html > > It should be backported to 2.0 (or even 1.9 - I forgot to mention that >

Re: move fcgi from nginx to haproxy

2019-12-20 Thread Christopher Faulet
On 20/12/2019 at 15:53, Aleksandar Lazic wrote: Hi. Luckily that haproxy 2.1 has now the feature of fcgi proto it's now time to move from nginx to haproxy for the loadbalancing part for me. There are several features from nginx conf which I would like to port to haproxy conf therefore I need

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-12-20 Thread Илья Шипицин
Sat, 21 Dec 2019 at 01:44, Rosen Penev : > On Fri, Dec 20, 2019 at 10:54 AM Илья Шипицин > wrote: > > > > > > > > Fri, 20 Dec 2019 at 22:39, Lukas Tribus : > >> > >> Hello Ilya, > >> > >> > >> > >> sorry about the delay ... > >> > >> > >> On Wed, 27 Nov 2019 at 07:11, Илья Шипицин > wrote:

[PATCH] isolating ssl lib with rpath instead of LD_LIBRARY_PATH

2019-12-20 Thread Илья Шипицин
hello, initially modifying LD_LIBRARY_PATH seemed to be good, but it turned out that other dynamically linked utilities also use ssl lib which is not wanted. using rpath in turn is a more intelligent way of dynamic linking. Cheers, Ilya Shipitcin From e9f95cc6fd8b61ee1a4aef05adade30fa72e5cd7 Mon

Re: [RFC PATCH] HTTPS connection reuse with SNI

2019-12-20 Thread Joshua Knox
Hi Julien - I'm not entirely sure I understand your comment. I think that you may be saying that the connection should never be flagged as private for SNI. That makes sense to me, and would be an easy alternative diff, but seems to run counter to Willy's intent in commit 387ebf84dd, as well as

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-12-20 Thread Rosen Penev
On Fri, Dec 20, 2019 at 10:54 AM Илья Шипицин wrote: > > > > Fri, 20 Dec 2019 at 22:39, Lukas Tribus : >> >> Hello Ilya, >> >> >> >> sorry about the delay ... >> >> >> On Wed, 27 Nov 2019 at 07:11, Илья Шипицин wrote: >> > >> > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) >> > +#if

Re: [PATCHv3] openssl-compat: Fix getm_ defines

2019-12-20 Thread Willy Tarreau
On Fri, Dec 20, 2019 at 02:50:46PM +0100, Lukas Tribus wrote: > Should be backported to 1.9. Thank you guys, I've been following remotely, cowardly waiting for this to settle :) taking it now. Thanks! Willy

stick-tables and ip / ipv6 / (ipv4)

2019-12-20 Thread Björn Jacke
Hi, currently if you use stick-tables and you follow most of the examples and tutorials out there, you use it with "stick-table type ip ...". I guess that many people (like me in the beginning) don't realize that ip is IPv4 only and you have to use type ipv6 to have support for IPv4 *and*

Re: stick-tables and ip / ipv6 / (ipv4)

2019-12-20 Thread Aleksandar Lazic
Hi Björn. On 20.12.19 14:53, Björn Jacke wrote: Hi, currently if you use stick-tables and you follow most of the examples and tutorials out there, you use it with "stick-table type ip ...". I guess that many people (like me in the beginning) don't realize that ip is IPv4 only and you have

move fcgi from nginx to haproxy

2019-12-20 Thread Aleksandar Lazic
Hi. Luckily that haproxy 2.1 has now the feature of fcgi proto it's now time to move from nginx to haproxy for the loadbalancing part for me. There are several features from nginx conf which I would like to port to haproxy conf therefore I need some help ;-) nginx offers a quite good

Re: [PATCHv3] openssl-compat: Fix getm_ defines

2019-12-20 Thread Lukas Tribus
On Thu, 19 Dec 2019 at 21:54, Rosen Penev wrote: > > LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition > always true. Check for the define before checking it. > > Signed-off-by: Rosen Penev > --- > v3: Added BoringSSL support > v2: Switched to HA_OPENSSL_VERSION_NUMBER

Re: [PATCHv3] openssl-compat: Fix getm_ defines

2019-12-20 Thread Lukas Tribus
On Fri, 20 Dec 2019 at 16:00, Willy Tarreau wrote: > taking it now. Note that 1.9 needs to access OPENSSL_VERSION_NUMBER instead of HA_OPENSSL_VERSION_NUMBER. lukas

[PATCH] MINOR: ssl: add "ca-no-names-file" directive

2019-12-20 Thread Emmanuel Hocdet
patch update, On 19 Dec 2019 at 17:08, Emmanuel Hocdet wrote: With this proposition, ca-root-file should be renamed to something like ca-end-file. Refer to https://github.com/haproxy/haproxy/issues/404 discussion. On 19 Dec 2019 at 13:10, Emmanuel Hocdet wrote

Re: [PATCHv3] openssl-compat: Fix getm_ defines

2019-12-20 Thread Willy Tarreau
On Fri, Dec 20, 2019 at 04:17:44PM +0100, Lukas Tribus wrote: > On Fri, 20 Dec 2019 at 16:00, Willy Tarreau wrote: > > taking it now. > > Note that 1.9 needs to access OPENSSL_VERSION_NUMBER instead of > HA_OPENSSL_VERSION_NUMBER. Argh good catch, I'll fix it then. I didn't notice any issue

Re: [RFC PATCH] BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility

2019-12-20 Thread Илья Шипицин
Fri, 20 Dec 2019 at 22:47, Lukas Tribus : > SSL_CTX_set_ecdh_auto() is not defined when OpenSSL 1.1.1 is compiled > with the no-deprecated option. Remove existing, incomplete guards and > add a compatibility macro in openssl-compat.h, just as OpenSSL does: > > >

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-12-20 Thread Lukas Tribus
Hello Ilya, sorry about the delay ... On Wed, 27 Nov 2019 at 07:11, Илья Шипицин wrote: > > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) > +#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) || > defined(OPENSSL_NO_DEPRECATED) > [...] > -#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER
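Review bot: in the first quoted hunk, OR-ing `defined(OPENSSL_NO_DEPRECATED)` into the `HA_OPENSSL_VERSION_NUMBER >= 0x101fL` test makes that branch apply to any OpenSSL version built with no-deprecated, not only to versions at or above the threshold, so the guard no longer expresses a version requirement. If the guarded code depends on a particular API being present or removed, a compatibility macro or a check scoped to that API would be clearer than widening the version test; at minimum, a comment next to the `#if` should say why no-deprecated builds take this branch.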

[RFC PATCH] BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility

2019-12-20 Thread Lukas Tribus
SSL_CTX_set_ecdh_auto() is not defined when OpenSSL 1.1.1 is compiled with the no-deprecated option. Remove existing, incomplete guards and add a compatibility macro in openssl-compat.h, just as OpenSSL does:

RE: customize format of haproxy X-ForwardedFor ssl_c_s_dn during SSL termination

2019-12-20 Thread Chris Software
Hello, This is an update on the off chance that some diligent team member is spinning their wheels on this. Some team members of mine are modifying the haproxy ssl.c file to make the format of the ssl_c_s_dn variable configurable, and editing for simplicity to use standard openssl function

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-12-20 Thread Илья Шипицин
Fri, 20 Dec 2019 at 22:39, Lukas Tribus : > Hello Ilya, > > > > sorry about the delay ... > > > On Wed, 27 Nov 2019 at 07:11, Илья Шипицин wrote: > > > > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) > > +#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) || > defined(OPENSSL_NO_DEPRECATED) > >

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-12-20 Thread Lukas Tribus
Hello, > Guys, I must confess I'm completely lost in your discussions. I intend > to produce another round of 2.1 and 2.0 tomorrow as time permits, so if > you want me to get anything merged into it, please let me know. Lukas, > I'll count on you to summarize and suggest what's expected from me

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-12-20 Thread Willy Tarreau
Guys, I must confess I'm completely lost in your discussions. I intend to produce another round of 2.1 and 2.0 tomorrow as time permits, so if you want me to get anything merged into it, please let me know. Lukas, I'll count on you to summarize and suggest what's expected from me to do at this