Re: [ANNOUNCE] haproxy-1.7.1
On Tue, Jan 03, 2017 at 06:21:18PM +0100, Lukas Tribus wrote:
> Hi Igor,
>
> On 16.12.2016 at 12:52, Igor Pav wrote:
> > Cool, even TLS 1.3 0 RTT feature requires no changes?
>
> Nope, the early-data mode will require API changes:
>
> https://github.com/openssl/openssl/issues/1541#issuecomment-269567480

Useful link, thanks Lukas. From what I'm seeing, it will cause the same difficulties as dealing with TFO on the server side. We'll need to think about some infrastructure changes in order to achieve this because the difficulty is to be able to replay some data already sent.

Willy
Re: [ANNOUNCE] haproxy-1.7.1
Hi Igor,

On 16.12.2016 at 12:52, Igor Pav wrote:
> Cool, even TLS 1.3 0 RTT feature requires no changes?

Nope, the early-data mode will require API changes:

https://github.com/openssl/openssl/issues/1541#issuecomment-269567480

Lukas
Re: [ANNOUNCE] haproxy-1.7.1
Cool, even TLS 1.3 0 RTT feature requires no changes?

On Fri, Dec 16, 2016 at 3:03 AM, Lukas Tribus wrote:
> Hi Igor,
>
> On 14.12.2016 at 20:47, Igor Pav wrote:
>>
>> Hi Lukas, in fact, openssl already gets early TLS 1.3 adoption in dev,
>> will release in 1.1.1, and BoringSSL supports TLSv1.3 already.
>
> That's nice, and in fact since 1.1.1 will be API compatible with 1.1.0 [1]
> *and* support TLS 1.3 (or whatever we end up calling it [2]), this
> shouldn't require any changes in haproxy at all.
>
> [1] https://www.openssl.org/blog/blog/2016/10/24/f2f-roadmap/
> [2] https://www.ietf.org/mail-archive/web/tls/current/msg21888.html
Re: [ANNOUNCE] haproxy-1.7.1
On 15/12/2016 19:03, Lukas Tribus wrote:
> Hi Igor,
>
> On 14.12.2016 at 20:47, Igor Pav wrote:
>> Hi Lukas, in fact, openssl already gets early TLS 1.3 adoption in dev,
>> will release in 1.1.1, and BoringSSL supports TLSv1.3 already.
>
> That's nice, and in fact since 1.1.1 will be API compatible with 1.1.0 [1]
> *and* support TLS 1.3 (or whatever we end up calling it [2]), this
> shouldn't require any changes in haproxy at all.

haproxy might be able to use it as soon as the underlying lib supports it. But it might be good to update the doc and configuration like no-tls13, force-tls13 and so on.

-- 
Bertrand
Re: [ANNOUNCE] haproxy-1.7.1
Hi Igor,

On 14.12.2016 at 20:47, Igor Pav wrote:
> Hi Lukas, in fact, openssl already gets early TLS 1.3 adoption in dev,
> will release in 1.1.1, and BoringSSL supports TLSv1.3 already.

That's nice, and in fact since 1.1.1 will be API compatible with 1.1.0 [1] *and* support TLS 1.3 (or whatever we end up calling it [2]), this shouldn't require any changes in haproxy at all.

[1] https://www.openssl.org/blog/blog/2016/10/24/f2f-roadmap/
[2] https://www.ietf.org/mail-archive/web/tls/current/msg21888.html
Re: [ANNOUNCE] haproxy-1.7.1
Hi Lukas, in fact, openssl already gets early TLS 1.3 adoption in dev, will release in 1.1.1, and BoringSSL supports TLSv1.3 already.

On Thu, Dec 15, 2016 at 1:48 AM, Lukas Tribus wrote:
> Hi Igor,
>
> On 14.12.2016 at 14:37, Igor Pav wrote:
>>
>> That's great!
>>
>> Will HAProxy adopt TLS 1.3 soon?
>
> This actually depends way more on openssl than it depends on haproxy (which
> most likely only needs a few tweaks).
>
> TLS 1.3 is the primary focus of the next openssl release [1], which I assume
> is gonna be 1.2.0, but I doubt there is an ETA for this.
>
> Regards,
> Lukas
>
> [1] https://www.openssl.org/policies/roadmap.html
Re: [ANNOUNCE] haproxy-1.7.1
Hi Igor,

On 14.12.2016 at 14:37, Igor Pav wrote:
> That's great!
>
> Will HAProxy adopt TLS 1.3 soon?

This actually depends way more on openssl than it depends on haproxy (which most likely only needs a few tweaks).

TLS 1.3 is the primary focus of the next openssl release [1], which I assume is gonna be 1.2.0, but I doubt there is an ETA for this.

Regards,
Lukas

[1] https://www.openssl.org/policies/roadmap.html
Re: [ANNOUNCE] haproxy-1.7.1
That's great!

Will HAProxy adopt TLS 1.3 soon?

On Tue, Dec 13, 2016 at 7:39 AM, Willy Tarreau wrote:
> Hi,
>
> HAProxy 1.7.1 was released on 2016/12/13. It added 28 new commits
> after version 1.7.0.
>
> It addresses a few issues related to how buffers are allocated under
> low memory condition consecutive to the applet scheduling changes
> introduced before 1.6 was released (Christopher found a nest of pre-1.6
> bugs in this area when trying to stress SPOE and each time he would fix
> one, another would pop up), and a few other issues specific to 1.7 :
>
>   - CONNECT method was broken since the introduction in filters in
>     1.7-dev2 or so. It seems like nobody deploys a development version
>     in front of an outgoing proxy (which I can easily understand)
>
>   - "show stat resolvers" and "show tls-keys" were wrong after the move
>     out of cli.c (typo in return value)
>
>   - "show stat" on a proxy with no LB algo (transparent or redispatch)
>     could crash by trying to dereference the algo name which was null.
>     Now it will report "none" or "unknown".
>
>   - fixed LibreSSL support
>
> The rest is pretty minor and mostly doc cleanups and spelling fixes. Given
> that the two "major" bugs and half of the medium ones also affect 1.6,
> expect 1.6.11 in the next few weeks. It's important to note that while
> marked "major", they only manifest under strong memory pressure.
>
> Please find the usual URLs below :
>    Site index       : http://www.haproxy.org/
>    Discourse        : http://discourse.haproxy.org/
>    Sources          : http://www.haproxy.org/download/1.7/src/
>    Git repository   : http://git.haproxy.org/git/haproxy-1.7.git/
>    Git Web browsing : http://git.haproxy.org/?p=haproxy-1.7.git
>    Changelog        : http://www.haproxy.org/download/1.7/src/CHANGELOG
>    Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
>
> Willy
> ---
> Complete changelog :
>
> Ben Shillito (1):
>       DOC: Added 51Degrees conv and fetch functions to documentation.
>
> Christopher Faulet (12):
>       BUG/MEDIUM: http: Fix tunnel mode when the CONNECT method is used
>       BUG/MINOR: http: Keep the same behavior between 1.6 and 1.7 for tunneled txn
>       BUG/MINOR: filters: Protect args in macros HAS_DATA_FILTERS and IS_DATA_FILTER
>       BUG/MINOR: filters: Invert evaluation order of HTTP_XFER_BODY and XFER_DATA analyzers
>       BUG/MINOR: http: Call XFER_DATA analyzer when HTTP txn is switched in tunnel mode
>       DOC: Add undocumented argument of the trace filter
>       DOC: Fix some typo in SPOE documentation
>       BUG/MINOR: cli: be sure to always warn the cli applet when input buffer is full
>       MINOR: applet: Count number of (active) applets
>       MINOR: task: Rename run_queue and run_queue_cur counters
>       BUG/MEDIUM: stream: Save unprocessed events for a stream
>       BUG/MAJOR: Fix how the list of entities waiting for a buffer is handled
>
> Dragan Dosen (1):
>       BUG/MINOR: cli: allow the backslash to be escaped on the CLI
>
> Luca Pizzamiglio (1):
>       BUILD/MEDIUM: Fixing the build using LibreSSL
>
> Marcin Deranek (1):
>       MINOR: proxy: Add fe_name/be_name fetchers next to existing fe_id/be_id
>
> Matthieu Guegan (1):
>       BUG/MINOR: http: don't send an extra CRLF after a Set-Cookie in a redirect
>
> Ruoshan Huang (1):
>       DOC: Fix map table's format
>
> Thierry FOURNIER / OZON.IO (3):
>       BUG/MEDIUM: variables: some variable name can hide another ones
>       DOC: lua: Documentation about some entry missing
>       MINOR: Do not forward the header "Expect: 100-continue" when the option http-buffer-request is set
>
> Tim Düsterhus (1):
>       DOC: Spelling fixes
>
> Willy Tarreau (7):
>       BUG/MEDIUM: proxy: return "none" and "unknown" for unknown LB algos
>       BUG/MINOR: stats: make field_str() return an empty string on NULL
>       BUG/MAJOR: stream: fix session abort on resource shortage
>       BUG/MEDIUM: cli: fix "show stat resolvers" and "show tls-keys"
>       DOC: mention that req_tot is for both frontends and backends
>       BUG/MINOR: stats: fix be/sessions/max output in html stats
>       [RELEASE] Released version 1.7.1
>
[ANNOUNCE] haproxy-1.7.1
Hi,

HAProxy 1.7.1 was released on 2016/12/13. It added 28 new commits after version 1.7.0.

It addresses a few issues related to how buffers are allocated under low memory condition consecutive to the applet scheduling changes introduced before 1.6 was released (Christopher found a nest of pre-1.6 bugs in this area when trying to stress SPOE and each time he would fix one, another would pop up), and a few other issues specific to 1.7 :

  - CONNECT method was broken since the introduction in filters in
    1.7-dev2 or so. It seems like nobody deploys a development version
    in front of an outgoing proxy (which I can easily understand)

  - "show stat resolvers" and "show tls-keys" were wrong after the move
    out of cli.c (typo in return value)

  - "show stat" on a proxy with no LB algo (transparent or redispatch)
    could crash by trying to dereference the algo name which was null.
    Now it will report "none" or "unknown".

  - fixed LibreSSL support

The rest is pretty minor and mostly doc cleanups and spelling fixes. Given that the two "major" bugs and half of the medium ones also affect 1.6, expect 1.6.11 in the next few weeks. It's important to note that while marked "major", they only manifest under strong memory pressure.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Sources          : http://www.haproxy.org/download/1.7/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.7.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.7.git
   Changelog        : http://www.haproxy.org/download/1.7/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :

Ben Shillito (1):
      DOC: Added 51Degrees conv and fetch functions to documentation.

Christopher Faulet (12):
      BUG/MEDIUM: http: Fix tunnel mode when the CONNECT method is used
      BUG/MINOR: http: Keep the same behavior between 1.6 and 1.7 for tunneled txn
      BUG/MINOR: filters: Protect args in macros HAS_DATA_FILTERS and IS_DATA_FILTER
      BUG/MINOR: filters: Invert evaluation order of HTTP_XFER_BODY and XFER_DATA analyzers
      BUG/MINOR: http: Call XFER_DATA analyzer when HTTP txn is switched in tunnel mode
      DOC: Add undocumented argument of the trace filter
      DOC: Fix some typo in SPOE documentation
      BUG/MINOR: cli: be sure to always warn the cli applet when input buffer is full
      MINOR: applet: Count number of (active) applets
      MINOR: task: Rename run_queue and run_queue_cur counters
      BUG/MEDIUM: stream: Save unprocessed events for a stream
      BUG/MAJOR: Fix how the list of entities waiting for a buffer is handled

Dragan Dosen (1):
      BUG/MINOR: cli: allow the backslash to be escaped on the CLI

Luca Pizzamiglio (1):
      BUILD/MEDIUM: Fixing the build using LibreSSL

Marcin Deranek (1):
      MINOR: proxy: Add fe_name/be_name fetchers next to existing fe_id/be_id

Matthieu Guegan (1):
      BUG/MINOR: http: don't send an extra CRLF after a Set-Cookie in a redirect

Ruoshan Huang (1):
      DOC: Fix map table's format

Thierry FOURNIER / OZON.IO (3):
      BUG/MEDIUM: variables: some variable name can hide another ones
      DOC: lua: Documentation about some entry missing
      MINOR: Do not forward the header "Expect: 100-continue" when the option http-buffer-request is set

Tim Düsterhus (1):
      DOC: Spelling fixes

Willy Tarreau (7):
      BUG/MEDIUM: proxy: return "none" and "unknown" for unknown LB algos
      BUG/MINOR: stats: make field_str() return an empty string on NULL
      BUG/MAJOR: stream: fix session abort on resource shortage
      BUG/MEDIUM: cli: fix "show stat resolvers" and "show tls-keys"
      DOC: mention that req_tot is for both frontends and backends
      BUG/MINOR: stats: fix be/sessions/max output in html stats
      [RELEASE] Released version 1.7.1