Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-14 Thread Emmanuel Hocdet
Hi, Is there any hope that this proposal will be considered before HAProxy 2.2? ++ Manu > On 31 Jan 2020 at 16:06, Emmanuel Hocdet wrote: > > >> On 31 Jan 2020 at 12:22, Emmanuel Hocdet wrote: > >> >> I will send a new patch for « issuers

Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-18 Thread Emmanuel Hocdet
Hi William > On 14 Feb 2020 at 15:59, William Lallemand wrote: > > On Fri, Feb 14, 2020 at 03:25:48PM +0100, Emmanuel Hocdet wrote: >> Hi, >> >> Is there any hope that this proposal will be considered before HAProxy 2.2? >> >> ++ >> Manu

Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-18 Thread Emmanuel Hocdet
On 18 Feb 2020 at 11:45, Emmanuel Hocdet <m...@gandi.net> wrote: Can you add a little bit of explanation on how the discovery of the issuer is done in the documentation? ok, documentation updated: 0001-MINOR-ssl-add-issuers-chain-path-directive.patch

Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-18 Thread Emmanuel Hocdet
> On 18 Feb 2020 at 14:36, William Lallemand wrote: > > On Tue, Feb 18, 2020 at 01:58:39PM +0100, Emmanuel Hocdet wrote: >> >>> On 18 Feb 2020 at 11:45, Emmanuel Hocdet wrote: >>> >>>> Can you add a little bit of explanation on how th

[PATCH 4/4] MINOR: ssl: "show ssl cert" command should print the "Chain filename:"

2020-02-18 Thread Emmanuel Hocdet
Hi, On 18 Feb 2020 at 11:45, Emmanuel Hocdet <m...@gandi.net> wrote: I think we will probably need more information in the "show ssl cert" output in the future so the users can debug this kind of feature easily. Yes. Showing the chain-filename would be very helpful. For that I think

Re: [PATCH 4/4] MINOR: ssl: "show ssl cert" command should print the "Chain filename:"

2020-02-26 Thread Emmanuel Hocdet
Hi, On 18 Feb 2020 at 17:49, Emmanuel Hocdet <m...@gandi.net> wrote: Yes. Showing the chain-filename would be very helpful. For that I think a good way would be to keep ckch->chain and ckch->issuer with value (or NULL) from PEM/, and resolve chain and ocsp_issuer when needed. « show ssl ce

[PATCH] MINOR: ssl: add "ca-no-names-file" directive

2020-03-03 Thread Emmanuel Hocdet
Rebase from dev branch: (https://github.com/haproxy/haproxy/issues/404) ++ Manu On 20 Dec 2019 at 17:00, Emmanuel Hocdet <m...@gandi.net> wrote: patch update, On 19 Dec 2019 at 17:08, Emmanuel Hocdet <m...@gandi.net> wrote: With this proposition, ca-root-file should be renamed to somet

[PATCH] MINOR: ssl: add "ca-verify-file" directive

2020-03-04 Thread Emmanuel Hocdet
Hi, « ca-no-names-file » renamed to « ca-verify-file » ++ Manu 0001-MINOR-ssl-add-ca-verify-file-directive.patch

[PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-03-06 Thread Emmanuel Hocdet
Hi, Patch proposal. I will update the documentation if this feature is approved. ++ Manu 0001-MINOR-ssl-skip-self-issued-CA-in-cert-chain-for-ssl_.patch

Re: [PATCH] fix memory leak, issue 559

2020-03-23 Thread Emmanuel Hocdet
Hi, This issue was introduced by #516. find_chain must not be freed. Patch attached. > On 21 Mar 2020 at 15:23, Илья Шипицин wrote: > > Hello, > > I attached a patch that fixes the memory leak described in #559 > ++ Manu 0001-BUG-MINOR-ssl-memory-leak-when-find_chain-is-NULL.patch

[PATCH] CLEANUP: ssl: rename ssl_get_issuer_chain to ssl_get0_issuer_chain

2020-03-23 Thread Emmanuel Hocdet
As discussed in #559 0001-CLEANUP-ssl-rename-ssl_get_issuer_chain-to-ssl_get0_.patch

Re: [PATCH] CLEANUP: ssl: rename ssl_get_issuer_chain to ssl_get0_issuer_chain

2020-03-23 Thread Emmanuel Hocdet
> On 23 Mar 2020 at 15:12, William Lallemand wrote: > > On Mon, Mar 23, 2020 at 02:50:03PM +0100, Emmanuel Hocdet wrote: >> >> As discussed in #559 >> > > Can't we return directly a STACK_OF(X509)* structure instead of the > struct issuer_chain *

[PATCH] MINOR: ssl: rework add cert chain to CTX to be libssl independent

2020-03-23 Thread Emmanuel Hocdet
Hi, This patch removes the #ifdef compatibility for adding the cert chain to the CTX; the goal is to simplify the code. It’s an extract from the "[PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx" proposal. ++ Manu 0001-MINOR-ssl-rework-add-cert-chain-to-CTX-to-be-libssl-.patch

Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-03-25 Thread Emmanuel Hocdet
Hi, Patch rebased from master. > On 6 Mar 2020 at 17:06, Emmanuel Hocdet wrote: > > Hi, > > > Patch proposal. > I will update the documentation if this feature is approved. > ++ Manu 0001-MINOR-ssl-skip-self-issued-CA-in-cert-chain-for-ssl_.patch

Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-03-26 Thread Emmanuel Hocdet
> On 26 Mar 2020 at 13:02, Илья Шипицин wrote: > > RootCA is needed if you send a cross certificate as well. > > It is a very rare but legitimate case It’s only for self issued CA, it should be safe, right?

Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-03-26 Thread Emmanuel Hocdet
> On 26 Mar 2020 at 14:11, Илья Шипицин wrote: > > > > Thu, 26 Mar 2020 at 17:27, Emmanuel Hocdet <mailto:m...@gandi.net>>: > > > On 26 Mar 2020 at 13:02, Илья Шипицин > <mailto:chipits...@gmail.com>> wrote: > > >

Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-04-03 Thread Emmanuel Hocdet
> On 31 Mar 2020 at 18:40, William Lallemand wrote: > > On Thu, Mar 26, 2020 at 06:29:48PM +0100, William Lallemand wrote: >> >> After some thinking and discussing with people involved in this part of >> HAProxy, I'm not feeling very comfortable with setting this behavior by >> default, on

Re: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

2020-04-22 Thread Emmanuel Hocdet
> On 21 Apr 2020 at 10:58, William Lallemand wrote: > > On Fri, Apr 03, 2020 at 10:34:12AM +0200, Emmanuel Hocdet wrote: >> >>> On 31 Mar 2020 at 18:40, William Lallemand wrote: >>> >>> On Thu, Mar 26, 2020 at 06:29:48PM +0

[PATCH] MINOR: ssl: add ssl-skip-self-issued-ca global option

2020-04-22 Thread Emmanuel Hocdet
and voila: 0001-MINOR-ssl-add-ssl-skip-self-issued-ca-global-option.patch

[PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-01-06 Thread Emmanuel Hocdet
Hi Igor, The patch is for 1.8dev. 0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch > On 3 Jan 2017 at 17:19, Igor Pav wrote: > > tried to compile 1.7.1 with boringssl, but it seems not to work, error like below: > > In file included from src/ssl_sock.c:87:0: > in

Re: [PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-01-06 Thread Emmanuel Hocdet
This patch is a WIP and should not be fully functional. Don’t merge to haproxy Willy :) > On 6 Jan 2017 at 18:18, Emmanuel Hocdet wrote: > > Hi Igor, > > The patch is for 1.8dev. > > <0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch> > >

[PATCH] BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey

2017-01-06 Thread Emmanuel Hocdet
0001-BUG-MINOR-ssl-EVP_PKEY-must-be-freed-after-X509_get_.patch

[PATCH] BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL

2017-01-08 Thread Emmanuel Hocdet
0001-BUG-MINOR-ssl-assert-on-SSL_set_shutdown-with-Boring.patch

Re: [DEV] ssl bind_conf per certificat

2017-01-13 Thread Emmanuel Hocdet
This patch implements the ssl bind configuration per certificate. It’s for 1.8dev. For example: haproxy.cfg: bind :443 ssl strict-sni crt-list /etc/haproxy/crtlist.cfg crtlist.cfg: mycert.pem [alpn h2,http/1.1] h2.mydom.net mycert.pem [verify required ca-file ca-admin.pem] admin.mydom.net mycert.pem

Re: [DEV] ssl bind_conf per certificat

2017-01-13 Thread Emmanuel Hocdet
This patch implements the ‘curves’ ssl parameter for bind and crt-list. It’s for 1.8dev. 0001-MINOR-ssl-add-curve-suite-for-ECDHE-negotiation.patch On 13 Jan 2017 at 11:01, Emmanuel Hocdet <m...@gandi.net> wrote: This patch implements the ssl bind configurati

Re: [PATCH] BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL

2017-01-13 Thread Emmanuel Hocdet
> On 11 Jan 2017 at 11:56, Willy Tarreau wrote: > > Merged in 1.8, thanks Manu. It looks valid even for previous versions > by the way though not having it there doesn't seem to cause any impact. > Thus I'll let it cook there and if someone finds a valid reason for > backporting it we'll do

[PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-01-13 Thread Emmanuel Hocdet
for 1.8dev 0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch

Re: [PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-01-16 Thread Emmanuel Hocdet
Hi Willy, > On 16 Jan 2017 at 11:08, Willy Tarreau wrote: > > Hi Manu, > > From: Emmanuel Hocdet > Date: Fri, 13 Jan 2017 17:48:18 +0100 > Subject: [PATCH] BUILD: ssl: fix to build (again) with boringssl > > Limitations: > . disable force-ssl/tls (need more

Re: [PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-01-16 Thread Emmanuel Hocdet
Hi Willy, I look at another change. A fix (or not?) can be out of this patch. @@ -3851,39 +3861,41 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) return 0; } else if (ret == SSL_ERROR_SYSCALL) { -#if (OPENSSL_VERSION_NU

[PATCH] MEDIUM: boringssl: support native multi-cert selection without bundling

2017-01-16 Thread Emmanuel Hocdet
for 1.8dev with build fix for boringssl 0001-MEDIUM-boringssl-support-native-multi-cert-selection.patch

[PATCH 1/2] MINOR: ssl: isolate SSL_CTX_new with initial negotiation environnement

2017-01-20 Thread Emmanuel Hocdet
for 1.8dev only 0001-MINOR-ssl-isolate-SSL_CTX_new-with-initial-negotiati.patch

[PATCH 2/2] MEDIUM: ssl: remove ssl-options from crt-list

2017-01-20 Thread Emmanuel Hocdet
for 1.8dev only 0002-MEDIUM-ssl-remove-ssl-options-from-crt-list.patch

Re: [PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-02-07 Thread Emmanuel Hocdet
Hi Igor, I build haproxy with the boringssl static library to avoid any conflict with the openssl shared lib. It also needs to be linked with libdecrepit (boringssl). > On 30 Jan 2017 at 14:28, Igor Pav wrote: > > sorry for the unclear question, it's quite simple, build haproxy from git > with boringssl (D

Re: 1.8dev 405ff31e31eb1cbdc76ba0d93c6db4c7a3fd497a regression ?

2017-02-07 Thread Emmanuel Hocdet
Hi Jarno, I'm not able to reproduce this crash with current 1.8dev and openssl 1.0.2j. Manu > On 5 Feb 2017 at 20:04, Jarno Huuskonen wrote: > > Hi, > > Commit 405ff31e31eb1cbdc76ba0d93c6db4c7a3fd497a > (BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL) is causing > trouble (with

Re: [PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-02-07 Thread Emmanuel Hocdet
_pthread.c.o): In function > `CRYPTO_get_thread_local': > /root/boringssl/crypto/thread_pthread.c:135: undefined reference to > `pthread_getspecific' > /build/slib/libcrypto.a(thread_pthread.c.o): In function > `CRYPTO_set_thread_local': > /root/boringssl/crypto/thre

Re: Dynamically manage server SSL certificates?

2017-02-09 Thread Emmanuel Hocdet
Hi, > On 7 Feb 2017 at 16:47, Cedric Maion wrote: > > Hi, > > I'm thinking about using HAProxy to terminate SSL connections for > thousands of domains on a single frontend (using SNI). > I use haproxy for that with live restarts without (seeing) the drawbacks you mention. Manu > Certific

Re: 1.8dev 405ff31e31eb1cbdc76ba0d93c6db4c7a3fd497a regression ?

2017-02-10 Thread Emmanuel Hocdet
Hi, > On 10 Feb 2017 at 10:07, Jarno Huuskonen wrote: > > Hi, > > On Wed, Feb 08, Jarno Huuskonen wrote: >> On Tue, Feb 07, Emmanuel Hocdet wrote: >>> I'm not able to reproduce this crash with current 1.8dev and openssl 1.0.2j. >> >> OK, t

Re: 1.8dev 405ff31e31eb1cbdc76ba0d93c6db4c7a3fd497a regression ?

2017-02-13 Thread Emmanuel Hocdet
> On 13 Feb 2017 at 08:20, Willy Tarreau wrote: > > On Fri, Feb 10, 2017 at 10:54:46AM +0100, Emmanuel Hocdet wrote: >> Hi, >> >>> On 10 Feb 2017 at 10:07, Jarno Huuskonen wrote: >>> >>> Hi, >>> >>> On Wed, Feb 08,

Re: [PATCH] MEDIUM: boringssl: support native multi-cert selection without bundling

2017-02-13 Thread Emmanuel Hocdet
selected with SSL_CTX_set_tlsext_servername_callback) Manu > On 16 Jan 2017 at 16:16, Emmanuel Hocdet wrote: > > for 1.8dev with build fix for boringssl > > <0001-MEDIUM-boringssl-support-native-multi-cert-selection.patch> > 0001-MEDIUM-boringssl-support-native-mu

Re: openssl-1.1 SNI callback causing client failures

2017-02-17 Thread Emmanuel Hocdet
Hi Roberto > On 17 Feb 2017 at 01:27, Roberto Guimaraes wrote: > > greetings, > > just a heads up that we’ve seen client breakage when using haproxy with > openssl-1.1 — dunno how far along you are concerning ossl1.1 usage, but it > has become very clear that openssl-1.1 behaves different

Re: [PATCH] MEDIUM: boringssl: support native multi-cert selection without bundling

2017-02-20 Thread Emmanuel Hocdet
New version of this patch. Simplify error code return and doc cleanup. Manu > On 13 Feb 2017 at 15:24, Emmanuel Hocdet wrote: > > New version of this patch. > It’s a cleanup, it avoids internal structure usage and removes the CBS_strdup need. > > Extended tests with mixing np

Re: [PATCH] MEDIUM: boringssl: support native multi-cert selection without bundling

2017-02-22 Thread Emmanuel Hocdet
Hi Willy, Merge it :) Manu > On 22 Feb 2017 at 07:44, Willy Tarreau wrote: > > On Mon, Feb 20, 2017 at 04:26:39PM +0100, Emmanuel Hocdet wrote: >> New version of this patch >> Simplify error code return and doc cleanup. > > Manu, since you're sending a

Re: Client Certificates need dedicated IP:443 bind

2017-02-24 Thread Emmanuel Hocdet
Hi Roberto, > On 24 Feb 2017 at 09:04, mlist wrote: > > Hi, > > We configured haproxy for client certificates: > > bind :443 ssl crt ca-file verify optional > > Configuring in this way (at bind stage), however, haproxy always asks for a client > certificate > if present in the certificate

Re: [PATCH] MEDIUM: ssl: Add TLS-PSK client and server side support

2017-02-24 Thread Emmanuel Hocdet
Hi, > On 22 Feb 2017 at 17:26, Emeric Brun wrote: > > Hi, > > On 02/03/2017 10:22 PM, Robin H. Johnson wrote: >> On Fri, Feb 03, 2017 at 02:19:29AM +0100, Nenad Merdanovic wrote: >>> +psk-file >>> + Enables use of PSK cipher suites with PSKs stored in the specified file. >>> + The entri

Fwd: Client Certificates need dedicated IP:443 bind

2017-02-27 Thread Emmanuel Hocdet
> Begin forwarded message: > > From: Emmanuel Hocdet > Subject: Re: Client Certificates need dedicated IP:443 bind > Date: 27 February 2017 at 11:00:11 UTC+1 > To: mlist > > Hi > > you can do: > > . crtlist.cfg: > cert1.pem > cert2.pem [ca-file //ca

Re: Client Certificates need dedicated IP:443 bind

2017-02-28 Thread Emmanuel Hocdet
> On 28 Feb 2017 at 11:29, mlist wrote: > > I tried this config: > > . haproxy.conf: > bind :443 ssl crt-list /etc/haproxy/crt-list.txt > > . crtlist.cfg: > /cert1.pem [ca-file //ca1.pem ca-file //ca1.pem verify > optional] > /cert2.pem > /cert3.pem > > but any request for any domain

Re: Client Certificates need dedicated IP:443 bind

2017-02-28 Thread Emmanuel Hocdet
> On 28 Feb 2017 at 13:38, mlist wrote: > > >>> The default cert is always the first cert parsed. It’s cert1.pem in your > >>> configuration. > >>> The default cert is a source of errors because it's used in the SSL > >>> negotiation. > >>> The [ca-file verify optional] is also present in

BUG/MEDIUM: ssl: fix verify/ca-file per certificate

2017-03-01 Thread Emmanuel Hocdet
The fix for verify/ca-file (ssl configuration per certificate via crt-list) 0001-BUG-MEDIUM-ssl-fix-verify-ca-file-per-certificate.patch On 28 Feb 2017 at 18:03, Emmanuel Hocdet <m...@gandi.net> wrote: On 28 Feb 2017 at 13:38, mlist <ml...@apsystems.it

Re: openssl-1.1 SNI callback causing client failures

2017-03-03 Thread Emmanuel Hocdet
return (s->strict_sni ? > SSL_TLSEXT_ERR_ALERT_FATAL : > - SSL_TLSEXT_ERR_ALERT_WARNING); > + SSL_TLSEXT_ERR_OK); > } > > /* switch ctx */ > > thanks, > roberto > > >> On

Re: [PATCH 1/2] MINOR: ssl: isolate SSL_CTX_new with initial negotiation environnement

2017-03-03 Thread Emmanuel Hocdet
New version of this patch. Little cleanup but much better comment. 0001-MINOR-ssl-removes-SSL_CTX_set_ssl_version-call-and-c.patch > On 20 Jan 2017 at 14:32, Emmanuel Hocdet wrote: > > for 1.8dev only > > <0001-MINOR-ssl-isolate-SSL_CT

Re: openssl-1.1 SNI callback causing client failures

2017-03-03 Thread Emmanuel Hocdet
Patch candidate to merge in 1.8dev. I think this patch should be backported, at least in versions compatible with openssl-1.1.0. 0001-BUG-MEDIUM-ssl-switchctx-should-not-return-SSL_TLSEX.patch On 3 Mar 2017 at 10:50, Emmanuel Hocdet <m...@gandi.net> wrote: Hi Roberto, I

[PATCH] BUILD: ssl: fix build with -DOPENSSL_NO_DH

2017-03-03 Thread Emmanuel Hocdet
Build without DH support is broken. This fix is for 1.8dev. It significantly reduces the size and initial memory footprint of haproxy. 0001-BUILD-ssl-fix-build-with-DOPENSSL_NO_DH.patch

Re: Client Cert Improvements

2017-03-06 Thread Emmanuel Hocdet
> On 4 Mar 2017 at 15:03, mlist wrote: > For those first 3 points we don't need renegotiation. > Current implementation is buggy, but once we merge: "BUG/MEDIUM: ssl: fix verify/ca-file per certificate" > all those issues will be addressed, without complex workarounds or

Re: Capturing browser TLS cipher suites

2017-03-06 Thread Emmanuel Hocdet
Hi Thierry > On 25 Feb 2017 at 13:01, thierry.fourn...@arpalert.org wrote: > > Hi all, > > On Thu, 9 Feb 2017 07:37:51 +0100 > Willy Tarreau wrote: > >> Hi Olivier, >> >> On Sat, Feb 04, 2017 at 11:52:30AM +0100, Olivier Doucet wrote: >>> Hello, >>> >>> I'm trying to capture the cipher s

[PATCH] BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored.

2017-03-06 Thread Emmanuel Hocdet
This fix is for current 1.8dev with "MEDIUM: ssl: remove ssl-options from crt-list" applied. 0001-BUG-MEDIUM-ssl-in-bind-line-ssl-options-after-crt-ar.patch

Re: [PATCH] BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored.

2017-03-07 Thread Emmanuel Hocdet
> On 6 Mar 2017 at 19:05, Willy Tarreau wrote: > > On Mon, Mar 06, 2017 at 04:50:02PM +0100, Emmanuel Hocdet wrote: >> This fix is for current 1.8dev with "MEDIUM: ssl: remove ssl-options from >> crt-list" applied. > > Strangely it refuses to apply to ssl

Re: [PATCH] BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored.

2017-03-07 Thread Emmanuel Hocdet
> On 7 Mar 2017 at 10:24, Emmanuel Hocdet wrote: > > >> On 6 Mar 2017 at 19:05, Willy Tarreau wrote: >> >> On Mon, Mar 06, 2017 at 04:50:02PM +0100, Emmanuel Hocdet wrote: >>> This fix is for current 1.8dev with "MEDIUM: ssl: remo

Re: Capturing browser TLS cipher suites

2017-03-07 Thread Emmanuel Hocdet
Hi Willy, Thierry > On 6 Mar 2017 at 18:34, Willy Tarreau wrote: > > On Mon, Mar 06, 2017 at 06:30:34PM +0100, thierry.fourn...@arpalert.org wrote: >> On Mon, 6 Mar 2017 14:54:44 +0100 >> Emmanuel Hocdet wrote: >>> xxh64 is not a fingerprint class al

Re: Capturing browser TLS cipher suites

2017-03-07 Thread Emmanuel Hocdet
> On 7 Mar 2017 at 17:32, Willy Tarreau wrote: > > Hi Manu, > > On Tue, Mar 07, 2017 at 03:09:41PM +0100, Emmanuel Hocdet wrote: >>>> I chose xxh64 because it is very quick, the repartition is good and the >>>> collision risk is low. Obviously sha1 is

Re: Capturing browser TLS cipher suites

2017-03-08 Thread Emmanuel Hocdet
> On 7 Mar 2017 at 19:49, Willy Tarreau wrote: > > On Tue, Mar 07, 2017 at 07:09:30PM +0100, Emmanuel Hocdet wrote: >> The use case is to send the fingerprint to the backend and associate it with the user >> agent or anything else to analyse the security level of the connec

Re: Capturing browser TLS cipher suites

2017-03-08 Thread Emmanuel Hocdet
> On 8 Mar 2017 at 12:15, Willy Tarreau wrote: > > On Wed, Mar 08, 2017 at 12:01:39PM +0100, Emmanuel Hocdet wrote: >> No, because the block can be truncated; the sample must be stored in a variable >> size buffer >> to fix that. Doing the fingerprint earlier avoids such

Re: [PATCHES] Add support for LibreSSL 2.5.1

2017-03-14 Thread Emmanuel Hocdet
Hi Piotr > On 14 Mar 2017 at 16:04, Piotr Kubaj wrote: > > And it seems like the previously attached patches do compile, but the warning > is there again so now I'm finally including patches that make Haproxy both > compile and not throw additional warnings. > first patch: -#if defined(O

Re: Some compilation SSL errors/warnings on debian testing

2017-03-14 Thread Emmanuel Hocdet
Hi Pavlos > On 14 Mar 2017 at 16:43, Pavlos Parissis wrote: > > Hi, > > On Debian testing with openssl 1.1.0e, I get the following warnings when I > compile 1.7 and 1.8: > https://gist.githubusercontent.com/unixsurfer/9c42361822f23cfe36f3b2169133b551/raw/4665476fdfb2a94d287814a2c8a36215cbebb

Re: Some compilation SSL errors/warnings on debian testing

2017-03-14 Thread Emmanuel Hocdet
Hi Willy, > On 14 Mar 2017 at 17:24, Willy Tarreau wrote: > > Hi Pavlos, > > On Tue, Mar 14, 2017 at 04:43:26PM +0100, Pavlos Parissis wrote: >> Hi, >> >> On Debian testing with openssl 1.1.0e, I get the following warnings when I >> compile 1.7 and 1.8: >> https://gist.githubusercontent.com

Re: Some compilation SSL errors/warnings on debian testing

2017-03-15 Thread Emmanuel Hocdet
> On 14 Mar 2017 at 19:11, Willy Tarreau wrote: >> >> For the little story: openssl-1.1.0 and boringssl have >> SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version >> and other methods to set the protocol version are deprecated (or not >> implemented). >> It will be boring to keep compa

Re: Some compilation SSL errors/warnings on debian testing

2017-03-15 Thread Emmanuel Hocdet
> On 15 Mar 2017 at 12:41, Emmanuel Hocdet wrote: > > >> On 14 Mar 2017 at 19:11, Willy Tarreau mailto:w...@1wt.eu>> >> wrote: >>> >>> For the little story: openssl-1.1.0 and boringssl have >>> SSL_CTX_set_min_proto_version/SSL_

Re: Some compilation SSL errors/warnings on debian testing

2017-03-15 Thread Emmanuel Hocdet
Hi Willy, On 15 Mar 2017 at 12:41, Emmanuel Hocdet <m...@gandi.net> wrote: On 14 Mar 2017 at 19:11, Willy Tarreau <w...@1wt.eu> wrote: For the little story: openssl-1.1.0 and boringssl have SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version and other methods to set protocol

Re: [PATCHES] Add support for LibreSSL 2.5.1

2017-03-15 Thread Emmanuel Hocdet
> On 14 Mar 2017 at 16:28, Emmanuel Hocdet wrote: > > Hi Piotr > >> On 14 Mar 2017 at 16:04, Piotr Kubaj wrote: >> >> And it seems like the previously attached patches do compile, but the >> warning is there again so now I'm finally including p

Re: [PATCHES] Add support for LibreSSL 2.5.1

2017-03-16 Thread Emmanuel Hocdet
Hi Piotr, On 16 Mar 2017 at 09:48, Piotr Kubaj wrote: Thanks for the patch! Looks good to me, works fine with Haproxy and LibreSSL 2.5.1. great Willy, can you merge these two patches? They fix boringssl and libressl build issues. Piotr, these patches should minimise your patch for li

Re: Some compilation SSL errors/warnings on debian testing

2017-03-16 Thread Emmanuel Hocdet
Hi Emeric, > On 16 Mar 2017 at 14:44, Emeric Brun wrote: > > I'm clearly not sure that setting openssl's options to ~no-tlsxx has the > same behavior as forcing the callback sets (using force-) to one protocol. > > I always suspected that no-tlsxx options apply on a kind of 'capabiliti

Re: Some compilation SSL errors/warnings on debian testing

2017-03-17 Thread Emmanuel Hocdet
On 16 Mar 2017 at 17:49, Emmanuel Hocdet <m...@gandi.net> wrote: Hi Emeric, On 16 Mar 2017 at 14:44, Emeric Brun <eb...@haproxy.com> wrote: I'm clearly not sure that setting openssl's options to ~no-tlsxx has the same behavior as forcing the callback sets (using for

Re: [PATCHES] Add support for LibreSSL 2.5.1

2017-03-20 Thread Emmanuel Hocdet
> On 20 Mar 2017 at 07:02, Willy Tarreau wrote: > > Hi Manu, > > On Thu, Mar 16, 2017 at 03:35:42PM +0100, Emmanuel Hocdet wrote: >> Hi Piotr, >> >>> On 16 Mar 2017 at 09:48, Piotr Kubaj wrote: >>> >>> Thanks for the patch!

Re: Some compilation SSL errors/warnings on debian testing

2017-03-20 Thread Emmanuel Hocdet
Hi Emeric, > On 20 Mar 2017 at 12:50, Emeric Brun wrote: > > Hi Manu, > > On 03/20/2017 11:46 AM, Emeric Brun wrote: >> Hi Manu, >> >> On 03/17/2017 06:43 PM, Emmanuel Hocdet wrote: >>> >>>> On 16 Mar 2017 at 17:49, Emmanuel Hocde

[Patches] TLS methods configuration reworked

2017-03-22 Thread Emmanuel Hocdet
be implemented. It can generate build breaks until this time. . all TLS methods are known in haproxy (set_options usage is safe) . Haproxy must be run with the same version as the compilation. Changing the openssl version (other than for bug fix) is not supported. > On 20 Mar 2017 at 19:07, Em

Re: All "server" settings supported on "default-server" lines

2017-03-22 Thread Emmanuel Hocdet
Hi Fred, > On 21 Mar 2017 at 23:14, Willy Tarreau wrote: > On Tue, Mar 21, 2017 at 07:54:30PM +0100, Frederic Lecaille wrote: >> Hello HAProxy ML, >> >> I am starting this new thread to publish a series of patches to make >> all "server" settings be supported on "default-server" lines. >> >>

Re: [Patches] TLS methods configuration reworked

2017-03-22 Thread Emmanuel Hocdet
> On 22 Mar 2017 at 16:30, Emmanuel Hocdet wrote: > […] > 0005 force-tlsxx implementation compatibility (Emeric first point) > > For the second point >> But we will face issues using 'force-' when openssl will support further tls >> versions not yet

Re: All "server" settings supported on "default-server" lines

2017-03-23 Thread Emmanuel Hocdet
> On 22 Mar 2017 at 22:58, Willy Tarreau wrote: > > On Wed, Mar 22, 2017 at 05:30:09PM +0100, Emmanuel Hocdet wrote: >> I have patches sent in the ML which change the internal implementation of >> no/force-tlsxx and add min/max-tlsxx (which can replace no/force usage). >

Re: All "server" settings supported on "default-server" lines

2017-03-23 Thread Emmanuel Hocdet
> On 23 Mar 2017 at 12:25, Willy Tarreau wrote: > > On Thu, Mar 23, 2017 at 11:26:50AM +0100, Emmanuel Hocdet wrote: >> Emeric's suggestion is not on the ML. > > I transcribed it in the other e-mail of this same thread. > >> If no- and force- are

Re: [Patches] TLS methods configuration reworked

2017-03-24 Thread Emmanuel Hocdet
Hi Emeric, patch series updated. The new one is 0004. It should match what you are requesting and what I observed in the openssl code. ++ Manu 0001-MEDIUM-ssl-rework-of-ssl_methods-calculation-to-matc.patch 0002-MEDIUM-ssl-add-TLSv1.3-directives-and-min-method-max

Re: [Patches] TLS methods configuration reworked

2017-03-27 Thread Emmanuel Hocdet
Hi Emeric, > On 27 Mar 2017 at 14:06, Emeric Brun wrote: >> > > Hi Manu, > > those patches are very annoying to review because incremental. Perhaps it > would be better to split them differently (by feature). > I don't see how because of rework and factorization. Perhaps split the 0002

Re: [Patches] TLS methods configuration reworked

2017-03-27 Thread Emmanuel Hocdet
Manu > On 26 Mar 2017 at 17:54, Igor Pav wrote: > > Hi, Emmanuel. Any plan to add tls 1.3 zero rtt support for both server > and client side? > > On Sat, Mar 25, 2017 at 2:13 AM, Emmanuel Hocdet wrote: >> >> Hi Emeric, >> patch series updated. The new

Re: All "server" settings supported on "default-server" lines

2017-03-27 Thread Emmanuel Hocdet
Hi Frederic > On 27 Mar 2017 at 14:45, Willy Tarreau wrote: > > On Fri, Mar 24, 2017 at 12:20:45PM +0100, Willy Tarreau wrote: >> On Tue, Mar 21, 2017 at 07:54:30PM +0100, Frederic Lecaille wrote: >>> Hello HAProxy ML, >>> >>> I am starting this new thread to publish a series of patches to ma

Re: [Patches] TLS methods configuration reworked

2017-03-27 Thread Emmanuel Hocdet
> On 27 Mar 2017 at 17:42, Igor Pav wrote: > >> 1-RTT should be ok on server with boringssl, alpn http/1.1 and AEAD >> ciphers. >> For client I think it lacks an option to activate FalseStart. > > Could we fix this with a future option? > You can add SSL_MODE_ENABLE_FALSE_START (for mode

[PATCH] BUILD: ssl: add Makefile parameter to help build with boringssl

2017-03-28 Thread Emmanuel Hocdet
This patch can be helpful to build more easily with boringssl. Manu 0001-BUILD-ssl-add-Makefile-parameter-to-help-build-with-.patch

[PATCH] MINOR: boringssl: basic support for OCSP Stapling

2017-03-29 Thread Emmanuel Hocdet
Use boringssl SSL_CTX_set_ocsp_response to set the OCSP response from a file with the '.ocsp' extension. CLI update is not supported. 0001-MINOR-boringssl-basic-support-for-OCSP-Stapling.patch

Re: All "server" settings supported on "default-server" lines

2017-03-29 Thread Emmanuel Hocdet
Hi Willy, > On 27 Mar 2017 at 17:54, Willy Tarreau wrote: > > Hi Manu, > > On Mon, Mar 27, 2017 at 05:46:46PM +0200, Emmanuel Hocdet wrote: >>> I'm not much comfortable with the "sslv3" and so on as they easily read >>> as "use sslv3 on

Re: All "server" settings supported on "default-server" lines

2017-03-30 Thread Emmanuel Hocdet
Hi Willy, > On 29 Mar 2017 at 18:29, Willy Tarreau wrote: > > Hi Manu, > > On Wed, Mar 29, 2017 at 06:10:13PM +0200, Emmanuel Hocdet wrote: >> Hi Willy, >> >>> On 27 Mar 2017 at 17:54, Willy Tarreau wrote: >>> >>> Hi Manu, >

Re: [Patches] TLS methods configuration reworked

2017-03-30 Thread Emmanuel Hocdet
Hi Emeric, Willy Rework of the patch series to match the default-server requirement and the talk with Willy. It should be easier to follow. > On 27 Mar 2017 at 16:15, Emeric Brun wrote: > > Hi Manu, > >> >> What kind of api and dependency? To generate haproxy configuration? >> Generate min-tlsv10 o

Re: [Patches] TLS methods configuration reworked

2017-03-30 Thread Emmanuel Hocdet
The right patch series ... > On 30 Mar 2017 at 19:00, Emmanuel Hocdet wrote: > > Hi Emeric, Willy > > Rework of the patch series to match the default-server requirement and the talk with > Willy. > It should be easier to follow. > > >> On 27 Mar 2017 at 16:15, Emer

Re: [Patches] TLS methods configuration reworked

2017-03-31 Thread Emmanuel Hocdet
On 31 Mar 2017 at 11:02, Emeric Brun <eb...@haproxy.com> wrote: Hi Emmanuel, On 03/30/2017 07:44 PM, Emmanuel Hocdet wrote: The right patch series ... On 30 Mar 2017 at 19:00, Emmanuel Hocdet <m...@gandi.net> wrote: Hi Emeric, Willy Rework of the patch series to match the default-server req

Re: [Patches] TLS methods configuration reworked

2017-04-28 Thread Emmanuel Hocdet
Hi Emeric, Willy Up the thread with a compatible configuration view. 1) force-xx force-tlsv12 no-tlsv12 old: do a force-tlsv12 (no-xx ignored without warning) new: warning "all SSL/TLS versions are disabled" It’s not a good configuration, but… It can be changed with: . no-xx ignored when for

Re: [Patches] TLS methods configuration reworked

2017-04-28 Thread Emmanuel Hocdet
> On 28 Apr 2017 at 16:51, Emeric Brun wrote: > > Hi Manu, > >>> >> >> yes, I delayed this change (lack of time). >> last patch with 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, >> TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 >> >> Manu >> >> > > Could you please rebase your patch se

Re: [RFC-PATCH] MINOR: ssl: add prefer-server-ciphers again

2017-05-02 Thread Emmanuel Hocdet
Hi Lukas, The response is in our link: [2] https://github.com/openssl/openssl/issues/541 No need to disable this option per default, and the option is needed for security. The equal-preference groups work with server preference. I tested it with BoringSSL. Manu > On 28 Apr 2017 at 20:05, Lukas Trib

Re: [RFC-PATCH] MINOR: ssl: add prefer-server-ciphers again

2017-05-02 Thread Emmanuel Hocdet
or > On 2 May 2017 at 17:14, Lukas Tribus wrote: > > Hello, > > >> Hi Lukas, >> >> The response is in our link: >> [2] https://github.com/openssl/openssl/issues/541 >> >> No need to disable this option per default, and the option is needed for security. > > The point is: when the admin is awar

Re: [Patches] TLS methods configuration reworked

2017-05-05 Thread Emmanuel Hocdet
Hi Emeric, > On 28 Apr 2017 at 17:57, Emmanuel Hocdet wrote: > > Hi Emeric, Willy > > Up the thread with a compatible configuration view. > > 1) force-xx force-tlsv12 no-tlsv12 > old: do a force-tlsv12 (no-xx ignored without warning) > new: warning "a

Re: [Patches] TLS methods configuration reworked

2017-05-05 Thread Emmanuel Hocdet
> On 5 May 2017 at 17:21, Emmanuel Hocdet wrote: > > Hi Emeric, > >> On 28 Apr 2017 at 17:57, Emmanuel Hocdet wrote: >> >> Hi Emeric, Willy >> >> Up the thread with a compatible configuration view. >> >> 1) force-xx force-tlsv

[PATCH] MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list

2017-05-12 Thread Emmanuel Hocdet
Hi, This patch depends on "[Patches] TLS methods configuration reworked". Actually it will only work with BoringSSL because haproxy uses a special ssl_sock_switchctx_cbk with a BoringSSL callback to select the certificate before any handshake negotiation. This feature (and others depend of this ssl_s

Re: [PATCH] MINOR: boringssl: basic support for OCSP Stapling

2017-05-18 Thread Emmanuel Hocdet
Hi Willy, This patch only applies to boringssl. Could you merge it? ++ Emmanuel > On 29 Mar 2017 at 16:46, Emmanuel Hocdet wrote: > > > Use boringssl SSL_CTX_set_ocsp_response to set the OCSP response from a file with > the '.ocsp' extension. CLI update is not su

Re: [PATCH] MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list

2017-05-18 Thread Emmanuel Hocdet
Hi, Same patch, split in 3 parts for better understanding. > On 12 May 2017 at 15:05, Emmanuel Hocdet wrote: > > Hi, > > This patch depends on "[Patches] TLS methods configuration reworked". > > Actually it will only work with BoringSSL bec

Re: [Patches] TLS methods configuration reworked

2017-05-22 Thread Emmanuel Hocdet
Hi Cyril, > On 18 May 2017 at 23:02, Cyril Bonté wrote: > > Hi all, > > On 12/05/2017 at 15:13, Willy Tarreau wrote: >> Hi guys, >> >> On Tue, May 09, 2017 at 11:21:36AM +0200, Emeric Brun wrote: >>> It seems to do what we want, so we can merge it. >> >> So the good news is that this patc
