Hi,
Is there any hope that this proposal will be considered before HAproxy 2.2?
++
Manu
> On 31 Jan 2020 at 16:06, Emmanuel Hocdet wrote:
>
>
>> On 31 Jan 2020 at 12:22, Emmanuel Hocdet wrote:
>
>>
>> I will send a new patch for « issuers
Hi William
> On 14 Feb 2020 at 15:59, William Lallemand wrote:
>
> On Fri, Feb 14, 2020 at 03:25:48PM +0100, Emmanuel Hocdet wrote:
>> Hi,
>>
>> Is there any hope that this proposal will be considered before HAproxy 2.2?
>>
>> ++
>> Manu
> On 18 Feb 2020 at 11:45, Emmanuel Hocdet <m...@gandi.net> wrote:
> Can you add a little bit of explanation on how the discovery of the issuer is done in the documentation?
ok
documentation updated:
0001-MINOR-ssl-add-issuers-chain-path-directive.patch
> On 18 Feb 2020 at 14:36, William Lallemand wrote:
>
> On Tue, Feb 18, 2020 at 01:58:39PM +0100, Emmanuel Hocdet wrote:
>>
>>> On 18 Feb 2020 at 11:45, Emmanuel Hocdet wrote:
>>>
>>>> Can you add a little bit of explanation on how th
Hi,
> On 18 Feb 2020 at 11:45, Emmanuel Hocdet <m...@gandi.net> wrote:
> I think we will probably need more information in the "show ssl cert" output in the future so the users can debug this kind of feature easily.
Yes. Show the chain-filename would be very helpful.
For that I think
Hi,
> On 18 Feb 2020 at 17:49, Emmanuel Hocdet <m...@gandi.net> wrote:
> Yes. Show the chain-filename would be very helpful.
> For that I think a good way would be to keep ckch->chain and ckch->issuer with value (or NULL) from PEM/, and resolve chain and ocsp_issuer when needed. « show ssl ce
rebase from dev branch:
(https://github.com/haproxy/haproxy/issues/404)
++
Manu
> On 20 Dec 2019 at 17:00, Emmanuel Hocdet <m...@gandi.net> wrote:
> patch update,
>> On 19 Dec 2019 at 17:08, Emmanuel Hocdet <m...@gandi.net> wrote:
>> With this proposition, ca-root-file should be renamed to somet
Hi,
« ca-no-names-file » renamed to « ca-verify-file »
++
Manu
0001-MINOR-ssl-add-ca-verify-file-directive.patch
Hi,
Patch proposal.
I will update the documentation if this feature is approved.
++
Manu
0001-MINOR-ssl-skip-self-issued-CA-in-cert-chain-for-ssl_.patch
Hi,
This issue was introduced by #516.
find_chain must not be freed.
patch attached.
> On 21 Mar 2020 at 15:23, Илья Шипицин wrote:
>
> Hello,
>
> I attached patch that fixes memory leak, described in #559
>
++
Manu
0001-BUG-MINOR-ssl-memory-leak-when-find_chain-is-NULL.patch
As discussed in #559
0001-CLEANUP-ssl-rename-ssl_get_issuer_chain-to-ssl_get0_.patch
> On 23 Mar 2020 at 15:12, William Lallemand wrote:
>
> On Mon, Mar 23, 2020 at 02:50:03PM +0100, Emmanuel Hocdet wrote:
>>
>> As discussed in #559
>>
>
> Can't we return directly a STACK_OF(X509)* structure instead of the
> struct issuer_chain *
Hi,
This patch removes the #ifdef compatibility for add cert chain to CTX; the goal is to simplify the code.
It’s an extract from the "[PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx" proposal.
++
Manu
0001-MINOR-ssl-rework-add-cert-chain-to-CTX-to-be-libssl-.patch
Hi,
Patch rebase from master.
> On 6 Mar 2020 at 17:06, Emmanuel Hocdet wrote:
>
> Hi,
>
>
> Patch proposal.
> I will update the documentation if this feature is approved.
>
++
Manu
0001-MINOR-ssl-skip-self-issued-CA-in-cert-chain-for-ssl_.patch
> On 26 Mar 2020 at 13:02, Илья Шипицин wrote:
>
> RootCA is needed if you send cross certificate as well.
>
> It is very rare but legitimate case
It’s only for self issued CA, it should be safe, right?
> On 26 Mar 2020 at 14:11, Илья Шипицин wrote:
>
>
>
> Thu, 26 Mar 2020 at 17:27, Emmanuel Hocdet <m...@gandi.net>:
>
> > On 26 Mar 2020 at 13:02, Илья Шипицин <chipits...@gmail.com> wrote:
> >
> On 31 Mar 2020 at 18:40, William Lallemand wrote:
>
> On Thu, Mar 26, 2020 at 06:29:48PM +0100, William Lallemand wrote:
>>
>> After some thinking and discussing with people involved in this part of
>> HAProxy. I'm not feeling very comfortable with setting this behavior by
>> default, on
> On 21 Apr 2020 at 10:58, William Lallemand wrote:
>
> On Fri, Apr 03, 2020 at 10:34:12AM +0200, Emmanuel Hocdet wrote:
>>
>>> On 31 Mar 2020 at 18:40, William Lallemand wrote:
>>>
>>> On Thu, Mar 26, 2020 at 06:29:48PM +0
and voila:
0001-MINOR-ssl-add-ssl-skip-self-issued-ca-global-option.patch
Hi Igor,
The patch is for 1.8dev.
0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch
> On 3 Jan 2017 at 17:19, Igor Pav wrote:
>
> tried compiling 1.7.1 with boringssl, but it seems not to work; error like below:
>
> In file included from src/ssl_sock.c:87:0:
> in
This patch is a WIP and should not be fully functional.
Don’t merge to haproxy Willy :)
> On 6 Jan 2017 at 18:18, Emmanuel Hocdet wrote:
>
> Hi Igor,
>
> The patch is for 1.8dev.
>
> <0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch>
>
>
0001-BUG-MINOR-ssl-EVP_PKEY-must-be-freed-after-X509_get_.patch
0001-BUG-MINOR-ssl-assert-on-SSL_set_shutdown-with-Boring.patch
This patch implements the ssl bind configuration per certificate.
It’s for 1.8dev.
for example:
haproxy.cfg:
 bind :443 ssl strict-sni crt-list /etc/haproxy/crtlist.cfg
crtlist.cfg:
 mycert.pem [alpn h2,http/1.1] h2.mydom.net
 mycert.pem [verify required ca-file ca-admin.pem] admin.mydom.net
 mycert.pem
This patch implements the ‘curves’ ssl parameter for bind and crt-list.
It’s for 1.8dev.
0001-MINOR-ssl-add-curve-suite-for-ECDHE-negotiation.patch
> On 13 Jan 2017 at 11:01, Emmanuel Hocdet <m...@gandi.net> wrote:
> This patch implements the ssl bind configurati
> On 11 Jan 2017 at 11:56, Willy Tarreau wrote:
>
> Merged in 1.8, thanks Manu. It looks valid even for previous versions
> by the way though not having it there doesn't seem to cause any impact.
> Thus I'll let it cook there and if someone finds a valid reason for
> backporting it we'll do
for 1.8dev
0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch
Hi Willy,
> On 16 Jan 2017 at 11:08, Willy Tarreau wrote:
>
> Hi Manu,
>
> From: Emmanuel Hocdet
> Date: Fri, 13 Jan 2017 17:48:18 +0100
> Subject: [PATCH] BUILD: ssl: fix to build (again) with boringssl
>
> Limitations:
> . disable force-ssl/tls (need more
Hi Willy,
I look at another change. A fix (or not?) can be out of this patch.
@@ -3851,39 +3861,41 @@ int ssl_sock_handshake(struct connection *conn,
unsigned int flag)
return 0;
}
else if (ret == SSL_ERROR_SYSCALL) {
-#if (OPENSSL_VERSION_NU
for 1.8dev with build fix for boringssl
0001-MEDIUM-boringssl-support-native-multi-cert-selection.patch
for 1.8dev only
0001-MINOR-ssl-isolate-SSL_CTX_new-with-initial-negotiati.patch
for 1.8dev only
0002-MEDIUM-ssl-remove-ssl-options-from-crt-list.patch
Hi Igor,
I build haproxy with boringssl static library to avoid any conflict with
openssl shared lib.
It also needs to be linked with libdecrepit (boringssl).
> On 30 Jan 2017 at 14:28, Igor Pav wrote:
>
> sorry for unclear question, it's quite simple, build haproxy from git
> with boringssl (D
Hi Jarno,
I'm not able to reproduce this crash with current 1.8dev and openssl 1.0.2j.
Manu
> On 5 Feb 2017 at 20:04, Jarno Huuskonen wrote:
>
> Hi,
>
> Commit 405ff31e31eb1cbdc76ba0d93c6db4c7a3fd497a
> (BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL) is causing
> trouble (with
_pthread.c.o): In function
> `CRYPTO_get_thread_local':
> /root/boringssl/crypto/thread_pthread.c:135: undefined reference to
> `pthread_getspecific'
> /build/slib/libcrypto.a(thread_pthread.c.o): In function
> `CRYPTO_set_thread_local':
> /root/boringssl/crypto/thre
Hi,
> On 7 Feb 2017 at 16:47, Cedric Maion wrote:
>
> Hi,
>
> I'm thinking about using HAProxy to terminate SSL connections for
> thousands of domains on a single frontend (using SNI).
>
I use haproxy for that with live restarts without (seen) the drawbacks you
mention.
Manu
> Certific
Hi,
> On 10 Feb 2017 at 10:07, Jarno Huuskonen wrote:
>
> Hi,
>
> On Wed, Feb 08, Jarno Huuskonen wrote:
>> On Tue, Feb 07, Emmanuel Hocdet wrote:
>>> I'm not able to reproduce this crash with current 1.8dev and openssl 1.0.2j.
>>
>> OK, t
> On 13 Feb 2017 at 08:20, Willy Tarreau wrote:
>
> On Fri, Feb 10, 2017 at 10:54:46AM +0100, Emmanuel Hocdet wrote:
>> Hi,
>>
>>> On 10 Feb 2017 at 10:07, Jarno Huuskonen wrote:
>>>
>>> Hi,
>>>
>>> On Wed, Feb 08,
selected with
SSL_CTX_set_tlsext_servername_callback)
Manu
> On 16 Jan 2017 at 16:16, Emmanuel Hocdet wrote:
>
> for 1.8dev with build fix for boringssl
>
> <0001-MEDIUM-boringssl-support-native-multi-cert-selection.patch>
>
0001-MEDIUM-boringssl-support-native-mu
Hi Roberto
> On 17 Feb 2017 at 01:27, Roberto Guimaraes wrote:
>
> greetings,
>
> just a heads up that we’ve seen client breakage when using haproxy with
> openssl-1.1 — dunno how far along you are concerning ossl1.1 usage, but it
> has become very clear that openssl-1.1 behaves different
New version of this patch
Simplify error code return and doc cleanup.
Manu
> On 13 Feb 2017 at 15:24, Emmanuel Hocdet wrote:
>
> New version of this patch.
> It’s a cleanup: it avoids internal structure usage and removes the need for CBS_strdup.
>
> Extended tests with mixing np
Hi Willy,
Merge it :)
Manu
> On 22 Feb 2017 at 07:44, Willy Tarreau wrote:
>
> On Mon, Feb 20, 2017 at 04:26:39PM +0100, Emmanuel Hocdet wrote:
>> New version of this patch
>> Simplify error code return and doc cleanup.
>
> Manu, since you're sending a
Hi Roberto,
> On 24 Feb 2017 at 09:04, mlist wrote:
>
> Hi,
>
> We configured haproxy for client certificates:
>
> bind :443 ssl crt ca-file verify optional
>
> Configuring in this way (at bind stage), however, haproxy always asks the client
> certificate
> if present in the certificate
Hi,
> On 22 Feb 2017 at 17:26, Emeric Brun wrote:
>
> Hi,
>
> On 02/03/2017 10:22 PM, Robin H. Johnson wrote:
>> On Fri, Feb 03, 2017 at 02:19:29AM +0100, Nenad Merdanovic wrote:
>>> +psk-file
>>> + Enables use of PSK cipher suites with PSKs stored in the specified file.
>>> + The entri
> Begin forwarded message:
>
> From: Emmanuel Hocdet
> Subject: Re: Client Certificates need dedicated IP:443 bind
> Date: 27 February 2017 at 11:00:11 UTC+1
> To: mlist
>
> Hi
>
> you can do:
>
> . crtlist.cfg:
> cert1.pem
> cert2.pem [ca-file //ca
> On 28 Feb 2017 at 11:29, mlist wrote:
>
> I tried this config:
>
> . haproxy.conf:
> bind :443 ssl crt-list /etc/haproxy/crt-list.txt
>
> . crtlist.cfg:
> /cert1.pem [ca-file //ca1.pem ca-file //ca1.pem verify
> optional]
> /cert2.pem
> /cert3.pem
>
> but any request for any domain
> On 28 Feb 2017 at 13:38, mlist wrote:
>
> >>> The default cert is always the first cert parsed. It’s cert1.pem in your
> >>> configuration.
> >>> The default cert is a source of errors because it's used in the SSL
> >>> negotiation.
> >>> The [ca-file verify optional] is also present in
The fix for verify/ca-file (ssl configuration per certificate via crt-list)
0001-BUG-MEDIUM-ssl-fix-verify-ca-file-per-certificate.patch
> On 28 Feb 2017 at 18:03, Emmanuel Hocdet <m...@gandi.net> wrote:
>> On 28 Feb 2017 at 13:38, mlist <ml...@apsystems.it
return (s->strict_sni ?
> SSL_TLSEXT_ERR_ALERT_FATAL :
> - SSL_TLSEXT_ERR_ALERT_WARNING);
> + SSL_TLSEXT_ERR_OK);
> }
>
> /* switch ctx */
>
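Review bot: the hunk changes what the servername callback returns in the non-strict-sni branch, from SSL_TLSEXT_ERR_ALERT_WARNING to SSL_TLSEXT_ERR_OK, while the strict-sni branch keeps SSL_TLSEXT_ERR_ALERT_FATAL; the commit message should state why the warning alert is dropped (this thread attributes client breakage to the behaviour under openssl-1.1) and that a fatal alert is still sent when strict-sni is set, so a reader of the diff alone can see the intended behaviour for both branches.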
> thanks,
> roberto
>
>
>> On
New version of this patch.
Little cleanup but much better comment.
0001-MINOR-ssl-removes-SSL_CTX_set_ssl_version-call-and-c.patch
> On 20 Jan 2017 at 14:32, Emmanuel Hocdet wrote:
>
> for 1.8dev only
>
> <0001-MINOR-ssl-isolate-SSL_CT
Patch candidate to merge in 1.8dev.
I think this patch should be backported, at least in versions compatible with openssl-1.1.0.
0001-BUG-MEDIUM-ssl-switchctx-should-not-return-SSL_TLSEX.patch
> On 3 Mar 2017 at 10:50, Emmanuel Hocdet <m...@gandi.net> wrote:
> Hi Roberto,
> I
Build without DH support is broken. This fix is for 1.8dev.
It significantly reduces the size and initial memory footprint of haproxy.
0001-BUILD-ssl-fix-build-with-DOPENSSL_NO_DH.patch
> On 4 Mar 2017 at 15:03, mlist wrote:
>
For those first 3 points we don't need renegotiation.
>
Current implementation is buggy, but once we merge:
"BUG/MEDIUM: ssl: fix verify/ca-file per certificate"
>
all those issues will be addressed, without complex workarounds or
Hi Thierry
> On 25 Feb 2017 at 13:01, thierry.fourn...@arpalert.org wrote:
>
> Hi all,
>
> On Thu, 9 Feb 2017 07:37:51 +0100
> Willy Tarreau wrote:
>
>> Hi Olivier,
>>
>> On Sat, Feb 04, 2017 at 11:52:30AM +0100, Olivier Doucet wrote:
>>> Hello,
>>>
>>> I'm trying to capture the cipher s
This fix is for current 1.8dev with "MEDIUM: ssl: remove ssl-options from crt-list" applied.
0001-BUG-MEDIUM-ssl-in-bind-line-ssl-options-after-crt-ar.patch
> On 6 Mar 2017 at 19:05, Willy Tarreau wrote:
>
> On Mon, Mar 06, 2017 at 04:50:02PM +0100, Emmanuel Hocdet wrote:
>> This fix is for current 1.8dev with "MEDIUM: ssl: remove ssl-options from
>> crt-list" applied.
>
> Strangely it refuses to apply to ssl
> On 7 Mar 2017 at 10:24, Emmanuel Hocdet wrote:
>
>
>> On 6 Mar 2017 at 19:05, Willy Tarreau wrote:
>>
>> On Mon, Mar 06, 2017 at 04:50:02PM +0100, Emmanuel Hocdet wrote:
>>> This fix is for current 1.8dev with "MEDIUM: ssl: remo
Hi Willy, Thierry
> On 6 Mar 2017 at 18:34, Willy Tarreau wrote:
>
> On Mon, Mar 06, 2017 at 06:30:34PM +0100, thierry.fourn...@arpalert.org wrote:
>> On Mon, 6 Mar 2017 14:54:44 +0100
>> Emmanuel Hocdet wrote:
>>> xxh64 is not a fingerprint class al
> On 7 Mar 2017 at 17:32, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Tue, Mar 07, 2017 at 03:09:41PM +0100, Emmanuel Hocdet wrote:
>>>> I chose xxh64 because it is very quick, the repartition is good and the
>>>> collision risk is low. Obviously sha1 is
> On 7 Mar 2017 at 19:49, Willy Tarreau wrote:
>
> On Tue, Mar 07, 2017 at 07:09:30PM +0100, Emmanuel Hocdet wrote:
>> Use case is to send the fingerprint on backend and associate it with the user
>> agent or anything else to analyse the security level of the connec
> On 8 Mar 2017 at 12:15, Willy Tarreau wrote:
>
> On Wed, Mar 08, 2017 at 12:01:39PM +0100, Emmanuel Hocdet wrote:
>> No, because the block can be truncated; the sample must be stored in a variable
>> size buffer to fix that. Doing the fingerprint earlier avoids such
Hi Piotr
> On 14 Mar 2017 at 16:04, Piotr Kubaj wrote:
>
> And it seems like the previously attached patches do compile, but the warning
> is there again so now I'm finally including patches that make Haproxy both
> compile and not throw additional warnings.
>
first patch:
-#if defined(O
Hi Pavlos
> On 14 Mar 2017 at 16:43, Pavlos Parissis wrote:
>
> Hi,
>
> On Debian testing with openssl 1.1.0e, I get the following warnings when I
> compile 1.7 and 1.8:
> https://gist.githubusercontent.com/unixsurfer/9c42361822f23cfe36f3b2169133b551/raw/4665476fdfb2a94d287814a2c8a36215cbebb
Hi Willy,
> On 14 Mar 2017 at 17:24, Willy Tarreau wrote:
>
> Hi Pavlos,
>
> On Tue, Mar 14, 2017 at 04:43:26PM +0100, Pavlos Parissis wrote:
>> Hi,
>>
>> On Debian testing with openssl 1.1.0e, I get the following warnings when I
>> compile 1.7 and 1.8:
>> https://gist.githubusercontent.com
> On 14 Mar 2017 at 19:11, Willy Tarreau wrote:
>>
>> For the little story: openssl-1.1.0 and boringssl have
>> SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version
>> and other methods to set protocol version are deprecated (or not
>> implemented).
>> It will be boring to keep compa
> On 15 Mar 2017 at 12:41, Emmanuel Hocdet wrote:
>
>
>> On 14 Mar 2017 at 19:11, Willy Tarreau <w...@1wt.eu> wrote:
>>>
>>> For the little story: openssl-1.1.0 and boringssl have
>>> SSL_CTX_set_min_proto_version/SSL_
Hi Willy,
> On 15 Mar 2017 at 12:41, Emmanuel Hocdet <m...@gandi.net> wrote:
>> On 14 Mar 2017 at 19:11, Willy Tarreau <w...@1wt.eu> wrote:
>> For the little story: openssl-1.1.0 and boringssl have SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version and other methods to set protocol
> On 14 Mar 2017 at 16:28, Emmanuel Hocdet wrote:
>
> Hi Piotr
>
>> On 14 Mar 2017 at 16:04, Piotr Kubaj wrote:
>>
>> And it seems like the previously attached patches do compile, but the
>> warning is there again so now I'm finally including p
Hi Piotr,
> On 16 Mar 2017 at 09:48, Piotr Kubaj wrote:
> Thanks for the patch!
> Looks good to me, works fine with Haproxy and LibreSSL 2.5.1.
great
Willy, can you merge these two patches? They fix boringssl and libressl build issues.
Piotr, these patches should minimise your patch for li
Hi Emeric,
> On 16 Mar 2017 at 14:44, Emeric Brun wrote:
>
> I'm clearly not sure that setting openssl's options to ~no-tlsxx has the
> same behavior as forcing the callback sets (using force-) to one protocol.
>
> I always suspected that no-tlsxx options applies on a kind of 'capabiliti
> On 16 Mar 2017 at 17:49, Emmanuel Hocdet <m...@gandi.net> wrote:
> Hi Emeric,
>> On 16 Mar 2017 at 14:44, Emeric Brun <eb...@haproxy.com> wrote:
>> I'm clearly not sure that setting openssl's options to ~no-tlsxx have the same behavior than forcing the callback sets (using for
> On 20 Mar 2017 at 07:02, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Thu, Mar 16, 2017 at 03:35:42PM +0100, Emmanuel Hocdet wrote:
>> Hi Piotr,
>>
>>> On 16 Mar 2017 at 09:48, Piotr Kubaj wrote:
>>>
>>> Thanks for the patch!
Hi Emeric,
> On 20 Mar 2017 at 12:50, Emeric Brun wrote:
>
> Hi Manu,
>
> On 03/20/2017 11:46 AM, Emeric Brun wrote:
>> Hi Manu,
>>
>> On 03/17/2017 06:43 PM, Emmanuel Hocdet wrote:
>>>
>>>> On 16 Mar 2017 at 17:49, Emmanuel Hocde
be implemented. It can generate build breaks until this time.
. all TLS methods are known in haproxy (set_options usage is safe)
. Haproxy must be run with the same version as the compilation. Changing the
openssl version (other than for a bug fix) is not supported.
> On 20 Mar 2017 at 19:07, Em
Hi Fred,
> On 21 Mar 2017 at 23:14, Willy Tarreau wrote:
> On Tue, Mar 21, 2017 at 07:54:30PM +0100, Frederic Lecaille wrote:
>> Hello HAProxy ML,
>>
>> I am starting this new thread to publish a series of patches to make
>> all "server" settings be supported on "default-server" lines.
>>
>>
> On 22 Mar 2017 at 16:30, Emmanuel Hocdet wrote:
> […]
> 0005 force-tlsxx implementation compatibility (Emeric first point)
>
> For the second point
>> But we will face issue using 'force-' when openssl will support further tls
>> versions not yet
> On 22 Mar 2017 at 22:58, Willy Tarreau wrote:
>
> On Wed, Mar 22, 2017 at 05:30:09PM +0100, Emmanuel Hocdet wrote:
>> I have patches sent in the ML which change the internal implementation of
>> no/force-tlsxx and add min/max-tlsxx (which can replace no/force usage).
>
> On 23 Mar 2017 at 12:25, Willy Tarreau wrote:
>
> On Thu, Mar 23, 2017 at 11:26:50AM +0100, Emmanuel Hocdet wrote:
>> Emeric's suggestion is not on the ML.
>
> I transcribed it in the other e-mail of this same thread.
>
>> If no- and force- are
Hi Emeric,
patch series updated. The new one is 0004.
It should match what you are requesting and what I observed in the openssl code.
++
Manu
0001-MEDIUM-ssl-rework-of-ssl_methods-calculation-to-matc.patch
0002-MEDIUM-ssl-add-TLSv1.3-directives-and-min-method-max
Hi Emeric,
> On 27 Mar 2017 at 14:06, Emeric Brun wrote:
>>
>
> Hi Manu,
>
> those patches are very annoying to review because they are incremental. Perhaps it
> would be better to split them differently (by feature).
>
I don't see how because of rework and factorization. Perhaps split the 0002
Manu
> On 26 Mar 2017 at 17:54, Igor Pav wrote:
>
> Hi, Emmanuel. Any plan to add tls 1.3 zero rtt support for both server
> and client side?
>
> On Sat, Mar 25, 2017 at 2:13 AM, Emmanuel Hocdet wrote:
>>
>> Hi Emeric,
>> patch series updated. The new
Hi Frederic
> On 27 Mar 2017 at 14:45, Willy Tarreau wrote:
>
> On Fri, Mar 24, 2017 at 12:20:45PM +0100, Willy Tarreau wrote:
>> On Tue, Mar 21, 2017 at 07:54:30PM +0100, Frederic Lecaille wrote:
>>> Hello HAProxy ML,
>>>
>>> I am starting this new thread to publish a series of patches to ma
> On 27 Mar 2017 at 17:42, Igor Pav wrote:
>
>> 1-RTT should be ok on server with boringssl, alpn http/1.1 and AEAD
>> ciphers.
>> For the client I think it lacks an option to activate FalseStart.
>
> Could we fix this with a future option?
>
You can add SSL_MODE_ENABLE_FALSE_START (for mode
This patch can be helpful to build more easily with boringssl.
Manu
0001-BUILD-ssl-add-Makefile-parameter-to-help-build-with-.patch
Use boringssl SSL_CTX_set_ocsp_response to set the OCSP response from a file with the '.ocsp' extension. CLI update is not supported.
0001-MINOR-boringssl-basic-support-for-OCSP-Stapling.patch
Hi Willy,
> On 27 Mar 2017 at 17:54, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Mon, Mar 27, 2017 at 05:46:46PM +0200, Emmanuel Hocdet wrote:
>>> I'm not much comfortable with the "sslv3" and so on as they easily read
>>> as "use sslv3 on
Hi Willy,
> On 29 Mar 2017 at 18:29, Willy Tarreau wrote:
>
> Hi Manu,
>
> On Wed, Mar 29, 2017 at 06:10:13PM +0200, Emmanuel Hocdet wrote:
>> Hi Willy,
>>
>>> On 27 Mar 2017 at 17:54, Willy Tarreau wrote:
>>>
>>> Hi Manu,
Hi Emeric, Willy
Rework of the patch series to match the default-server requirement and the talk with Willy.
It should be easier to follow.
> On 27 Mar 2017 at 16:15, Emeric Brun wrote:
>
> Hi Manu,
>
>>
>> What kind of api and dependency? To generate haproxy configuration?
>> Generate min-tlsv10 o
The right patch series ...
> On 30 Mar 2017 at 19:00, Emmanuel Hocdet wrote:
>
> Hi Emeric, Willy
>
> Rework of the patch series to match the default-server requirement and the talk with
> Willy.
> It should be easier to follow.
>
>
>> On 27 Mar 2017 at 16:15, Emer
> On 31 Mar 2017 at 11:02, Emeric Brun <eb...@haproxy.com> wrote:
> Hi Emmanuel,
>> On 03/30/2017 07:44 PM, Emmanuel Hocdet wrote:
>> The right patch series ...
>>> On 30 Mar 2017 at 19:00, Emmanuel Hocdet <m...@gandi.net> wrote:
>>> Hi Emeric, Willy
>>> Rework of patch series to match default-server req
Hi Emeric, Willy
Up the thread with a compatible configuration view.
1) force-xx force-tlsv12 no-tlsv12
old: do a force-tlsv12 (no-xx ignored without warning)
new: warning "all SSL/TLS versions are disabled"
It’s not a good configuration, but… It can be changed with:
. no-xx ignored when for
> On 28 Apr 2017 at 16:51, Emeric Brun wrote:
>
> Hi Manu,
>
>>>
>>
>> yes, i delayed this change (lack of time).
>> last patch with 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3,
>> TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3
>>
>> Manu
>>
>>
>
> Could you please rebase your patch se
Hi Lukas,
The response is in our link:
[2] https://github.com/openssl/openssl/issues/541
No need to disable this option by default, and the option is needed for security.
The equal-preference groups work with server preference. I tested it with
BoringSSL.
Manu
> On 28 Apr 2017 at 20:05, Lukas Trib
or
> On 2 May 2017 at 17:14, Lukas Tribus wrote:
>
> Hello,
>
>
>> Hi Lukas,
>>
>> The response is in our link:
>> [2] https://github.com/openssl/openssl/issues/541
>>
>> No need to disable this option by default, and the option is needed for security.
>
> The point is: when the admin is awar
Hi Emeric,
> On 28 Apr 2017 at 17:57, Emmanuel Hocdet wrote:
>
> Hi Emeric, Willy
>
> Up the thread with a compatible configuration view.
>
> 1) force-xx force-tlsv12 no-tlsv12
> old: do a force-tlsv12 (no-xx ignored without warning)
> new: warning "a
> On 5 May 2017 at 17:21, Emmanuel Hocdet wrote:
>
> Hi Emeric,
>
>> On 28 Apr 2017 at 17:57, Emmanuel Hocdet wrote:
>>
>> Hi Emeric, Willy
>>
>> Up the thread with a compatible configuration view.
>>
>> 1) force-xx force-tlsv
Hi,
This patch depends on "[Patches] TLS methods configuration reworked".
Actually it will only work with BoringSSL because haproxy uses a special
ssl_sock_switchctx_cbk
with a BoringSSL callback to select the certificate before any handshake negotiation.
This feature (and others depending on this ssl_s
Hi Willy,
This patch only applies to boringssl. Could you merge them?
++
Emmanuel
> On 29 Mar 2017 at 16:46, Emmanuel Hocdet wrote:
>
>
> Use boringssl SSL_CTX_set_ocsp_response to set the OCSP response from a file with the
> '.ocsp' extension. CLI update is not su
Hi,
Same patch, split in 3 parts for better understanding.
> On 12 May 2017 at 15:05, Emmanuel Hocdet wrote:
>
> Hi,
>
> This patch depends on "[Patches] TLS methods configuration reworked".
>
> Actually it will only work with BoringSSL bec
Hi Cyril,
> On 18 May 2017 at 23:02, Cyril Bonté wrote:
>
> Hi all,
>
> On 12/05/2017 at 15:13, Willy Tarreau wrote:
>> Hi guys,
>>
>> On Tue, May 09, 2017 at 11:21:36AM +0200, Emeric Brun wrote:
>>> It seems to do what we want, so we can merge it.
>>
>> So the good news is that this patc