Re: [ANNOUNCE] haproxy-1.7.1

2017-01-03 Thread Willy Tarreau
On Tue, Jan 03, 2017 at 06:21:18PM +0100, Lukas Tribus wrote:
> Hi Igor,
> 
> 
> On 16.12.2016 at 12:52, Igor Pav wrote:
> > Cool, even TLS 1.3 0 RTT feature requires no changes?
> 
> Nope, the early-data mode will require API changes:
> 
> https://github.com/openssl/openssl/issues/1541#issuecomment-269567480

Useful link, thanks Lukas. From what I'm seeing, it will cause the
same difficulties as dealing with TFO on the server side. We'll need
to think about some infrastructure changes in order to achieve this
because the difficulty is to be able to replay some data already sent.

Willy



Re: [ANNOUNCE] haproxy-1.7.1

2017-01-03 Thread Lukas Tribus

Hi Igor,


On 16.12.2016 at 12:52, Igor Pav wrote:

Cool, even TLS 1.3 0 RTT feature requires no changes?


Nope, the early-data mode will require API changes:

https://github.com/openssl/openssl/issues/1541#issuecomment-269567480


Lukas



Re: [ANNOUNCE] haproxy-1.7.1

2016-12-16 Thread Igor Pav
Cool, even TLS 1.3 0 RTT feature requires no changes?

On Fri, Dec 16, 2016 at 3:03 AM, Lukas Tribus wrote:
> Hi Igor,
>
>
> On 14.12.2016 at 20:47, Igor Pav wrote:
>>
>> Hi Lukas, in fact, openssl already gets early TLS 1.3 adoption in dev,
>> will release in 1.1.1, and BoringSSL supports TLSv1.3 already.
>
>
> That's nice, and in fact since 1.1.1 will be API compatible with 1.1.0 [1]
> *and* support TLS 1.3 (or whatever we end up calling it [2]), this
> shouldn't require any changes in haproxy at all.
>
>
>
> [1] https://www.openssl.org/blog/blog/2016/10/24/f2f-roadmap/
> [2] https://www.ietf.org/mail-archive/web/tls/current/msg21888.html



Re: [ANNOUNCE] haproxy-1.7.1

2016-12-15 Thread Bertrand Jacquin

On 15/12/2016 19:03, Lukas Tribus wrote:

Hi Igor,


On 14.12.2016 at 20:47, Igor Pav wrote:

Hi Lukas, in fact, openssl already gets early TLS 1.3 adoption in dev,
will release in 1.1.1, and BoringSSL supports TLSv1.3 already.


That's nice, and in fact since 1.1.1 will be API compatible with 1.1.0 [1]
*and* support TLS 1.3 (or whatever we end up calling it [2]), this
shouldn't require any changes in haproxy at all.


haproxy might be able to use it as soon as the underlying lib supports 
it. But it might be good to update the doc and configuration like 
no-tls13, force-tls13 and so on.


--
Bertrand
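An added configuration example, not from the thread and not HAProxy's own documentation, showing what Bertrand's suggestion amounts to on a bind line: the per-version no-*/force-* keywords HAProxy 1.7 already has, next to the ssl-min-ver/ssl-max-ver range that later HAProxy releases (1.8 onward) introduced to cover TLSv1.3 once the linked OpenSSL supports it. The certificate path and backend address are placeholders.

```haproxy
# Constructed example. /etc/haproxy/certs/example.pem and 127.0.0.1:8080
# are placeholders, not values from the thread.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https-in-legacy
    # HAProxy 1.7 style: opt out of legacy protocol versions one by one.
    # There is no TLS 1.3 keyword in this generation, which is the gap
    # Bertrand points at; whatever the library negotiates is accepted.
    bind :443 ssl crt /etc/haproxy/certs/example.pem no-sslv3 no-tlsv10 no-tlsv11
    default_backend app

frontend https-in
    # HAProxy 1.8+ style: state the allowed range explicitly and pin both
    # ends, so a later change of the built-in default cannot silently
    # widen it. TLSv1.3 is only negotiated when the linked OpenSSL
    # (1.1.1 or newer) implements it.
    bind :8443 ssl crt /etc/haproxy/certs/example.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
    default_backend app

backend app
    server app1 127.0.0.1:8080 check
```

Do not mix the two keyword families on the same bind line; HAProxy 1.8 ignores the no-*/force-* keywords with a warning when ssl-min-ver or ssl-max-ver is present.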



Re: [ANNOUNCE] haproxy-1.7.1

2016-12-15 Thread Lukas Tribus

Hi Igor,


On 14.12.2016 at 20:47, Igor Pav wrote:

Hi Lukas, in fact, openssl already gets early TLS 1.3 adoption in dev,
will release in 1.1.1, and BoringSSL supports TLSv1.3 already.


That's nice, and in fact since 1.1.1 will be API compatible with 1.1.0 [1]
*and* support TLS 1.3 (or whatever we end up calling it [2]), this
shouldn't require any changes in haproxy at all.



[1] https://www.openssl.org/blog/blog/2016/10/24/f2f-roadmap/
[2] https://www.ietf.org/mail-archive/web/tls/current/msg21888.html



Re: [ANNOUNCE] haproxy-1.7.1

2016-12-14 Thread Igor Pav
Hi Lukas, in fact, openssl already gets early TLS 1.3 adoption in dev,
will release in 1.1.1, and BoringSSL supports TLSv1.3 already.

On Thu, Dec 15, 2016 at 1:48 AM, Lukas Tribus wrote:
> Hi Igor,
>
>
> On 14.12.2016 at 14:37, Igor Pav wrote:
>>
>> That's great!
>>
>> Will HAProxy adopt TLS 1.3 soon?
>
>
> This actually depends way more on openssl than it depends on haproxy (which
> most likely only needs a few tweaks).
>
> TLS 1.3 is the primary focus of the next openssl release [1], which I assume
> is gonna be 1.2.0, but I doubt there is an ETA for this.
>
>
>
> Regards,
> Lukas
>
>
> [1] https://www.openssl.org/policies/roadmap.html



Re: [ANNOUNCE] haproxy-1.7.1

2016-12-14 Thread Lukas Tribus

Hi Igor,


On 14.12.2016 at 14:37, Igor Pav wrote:

That's great!

Will HAProxy adopt TLS 1.3 soon?


This actually depends way more on openssl than it depends on haproxy 
(which most likely only needs a few tweaks).


TLS 1.3 is the primary focus of the next openssl release [1], which I 
assume is gonna be 1.2.0, but I doubt there is an ETA for this.




Regards,
Lukas


[1] https://www.openssl.org/policies/roadmap.html



Re: [ANNOUNCE] haproxy-1.7.1

2016-12-14 Thread Igor Pav
That's great!

Will HAProxy adopt TLS 1.3 soon?

On Tue, Dec 13, 2016 at 7:39 AM, Willy Tarreau wrote:
> Hi,
>
> HAProxy 1.7.1 was released on 2016/12/13. It added 28 new commits
> after version 1.7.0.
>
> It addresses a few issues related to how buffers are allocated under
> low memory condition consecutive to the applet scheduling changes
> introduced before 1.6 was released (Christopher found a nest of pre-1.6
> bugs in this area when trying to stress SPOE and each time he would fix
> one, another would pop up), and a few other issues specific to 1.7 :
>
>   - CONNECT method was broken since the introduction of filters in
>     1.7-dev2 or so. It seems like nobody deploys a development version
>     in front of an outgoing proxy (which I can easily understand)
>
>   - "show stat resolvers" and "show tls-keys" were wrong after the move
>     out of cli.c (typo in return value)
>
>   - "show stat" on a proxy with no LB algo (transparent or redispatch)
>     could crash by trying to dereference the algo name which was null.
>     Now it will report "none" or "unknown".
>
>   - fixed LibreSSL support
>
> The rest is pretty minor and mostly doc cleanups and spelling fixes. Given
> that the two "major" bugs and half of the medium ones also affect 1.6,
> expect 1.6.11 in the next few weeks. It's important to note that while
> marked "major", they only manifest under strong memory pressure.
>
> Please find the usual URLs below :
>    Site index       : http://www.haproxy.org/
>    Discourse        : http://discourse.haproxy.org/
>    Sources          : http://www.haproxy.org/download/1.7/src/
>    Git repository   : http://git.haproxy.org/git/haproxy-1.7.git/
>    Git Web browsing : http://git.haproxy.org/?p=haproxy-1.7.git
>    Changelog        : http://www.haproxy.org/download/1.7/src/CHANGELOG
>    Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
>
> Willy
> ---
> Complete changelog :
>
> Ben Shillito (1):
>   DOC: Added 51Degrees conv and fetch functions to documentation.
>
> Christopher Faulet (12):
>   BUG/MEDIUM: http: Fix tunnel mode when the CONNECT method is used
>   BUG/MINOR: http: Keep the same behavior between 1.6 and 1.7 for tunneled txn
>   BUG/MINOR: filters: Protect args in macros HAS_DATA_FILTERS and IS_DATA_FILTER
>   BUG/MINOR: filters: Invert evaluation order of HTTP_XFER_BODY and XFER_DATA analyzers
>   BUG/MINOR: http: Call XFER_DATA analyzer when HTTP txn is switched in tunnel mode
>   DOC: Add undocumented argument of the trace filter
>   DOC: Fix some typo in SPOE documentation
>   BUG/MINOR: cli: be sure to always warn the cli applet when input buffer is full
>   MINOR: applet: Count number of (active) applets
>   MINOR: task: Rename run_queue and run_queue_cur counters
>   BUG/MEDIUM: stream: Save unprocessed events for a stream
>   BUG/MAJOR: Fix how the list of entities waiting for a buffer is handled
>
> Dragan Dosen (1):
>   BUG/MINOR: cli: allow the backslash to be escaped on the CLI
>
> Luca Pizzamiglio (1):
>   BUILD/MEDIUM: Fixing the build using LibreSSL
>
> Marcin Deranek (1):
>   MINOR: proxy: Add fe_name/be_name fetchers next to existing fe_id/be_id
>
> Matthieu Guegan (1):
>   BUG/MINOR: http: don't send an extra CRLF after a Set-Cookie in a redirect
>
> Ruoshan Huang (1):
>   DOC: Fix map table's format
>
> Thierry FOURNIER / OZON.IO (3):
>   BUG/MEDIUM: variables: some variable name can hide another ones
>   DOC: lua: Documentation about some entry missing
>   MINOR: Do not forward the header "Expect: 100-continue" when the option http-buffer-request is set
>
> Tim Düsterhus (1):
>   DOC: Spelling fixes
>
> Willy Tarreau (7):
>   BUG/MEDIUM: proxy: return "none" and "unknown" for unknown LB algos
>   BUG/MINOR: stats: make field_str() return an empty string on NULL
>   BUG/MAJOR: stream: fix session abort on resource shortage
>   BUG/MEDIUM: cli: fix "show stat resolvers" and "show tls-keys"
>   DOC: mention that req_tot is for both frontends and backends
>   BUG/MINOR: stats: fix be/sessions/max output in html stats
>   [RELEASE] Released version 1.7.1
>
>



[ANNOUNCE] haproxy-1.7.1

2016-12-12 Thread Willy Tarreau
Hi,

HAProxy 1.7.1 was released on 2016/12/13. It added 28 new commits
after version 1.7.0.

It addresses a few issues related to how buffers are allocated under
low memory condition consecutive to the applet scheduling changes
introduced before 1.6 was released (Christopher found a nest of pre-1.6
bugs in this area when trying to stress SPOE and each time he would fix
one, another would pop up), and a few other issues specific to 1.7 :

  - CONNECT method was broken since the introduction of filters in
    1.7-dev2 or so. It seems like nobody deploys a development version
    in front of an outgoing proxy (which I can easily understand)

  - "show stat resolvers" and "show tls-keys" were wrong after the move
    out of cli.c (typo in return value)

  - "show stat" on a proxy with no LB algo (transparent or redispatch)
    could crash by trying to dereference the algo name which was null.
    Now it will report "none" or "unknown".

  - fixed LibreSSL support

The rest is pretty minor and mostly doc cleanups and spelling fixes. Given
that the two "major" bugs and half of the medium ones also affect 1.6,
expect 1.6.11 in the next few weeks. It's important to note that while
marked "major", they only manifest under strong memory pressure.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Sources          : http://www.haproxy.org/download/1.7/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.7.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.7.git
   Changelog        : http://www.haproxy.org/download/1.7/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :

Ben Shillito (1):
  DOC: Added 51Degrees conv and fetch functions to documentation.

Christopher Faulet (12):
  BUG/MEDIUM: http: Fix tunnel mode when the CONNECT method is used
  BUG/MINOR: http: Keep the same behavior between 1.6 and 1.7 for tunneled txn
  BUG/MINOR: filters: Protect args in macros HAS_DATA_FILTERS and IS_DATA_FILTER
  BUG/MINOR: filters: Invert evaluation order of HTTP_XFER_BODY and XFER_DATA analyzers
  BUG/MINOR: http: Call XFER_DATA analyzer when HTTP txn is switched in tunnel mode
  DOC: Add undocumented argument of the trace filter
  DOC: Fix some typo in SPOE documentation
  BUG/MINOR: cli: be sure to always warn the cli applet when input buffer is full
  MINOR: applet: Count number of (active) applets
  MINOR: task: Rename run_queue and run_queue_cur counters
  BUG/MEDIUM: stream: Save unprocessed events for a stream
  BUG/MAJOR: Fix how the list of entities waiting for a buffer is handled

Dragan Dosen (1):
  BUG/MINOR: cli: allow the backslash to be escaped on the CLI

Luca Pizzamiglio (1):
  BUILD/MEDIUM: Fixing the build using LibreSSL

Marcin Deranek (1):
  MINOR: proxy: Add fe_name/be_name fetchers next to existing fe_id/be_id

Matthieu Guegan (1):
  BUG/MINOR: http: don't send an extra CRLF after a Set-Cookie in a redirect

Ruoshan Huang (1):
  DOC: Fix map table's format

Thierry FOURNIER / OZON.IO (3):
  BUG/MEDIUM: variables: some variable name can hide another ones
  DOC: lua: Documentation about some entry missing
  MINOR: Do not forward the header "Expect: 100-continue" when the option http-buffer-request is set

Tim Düsterhus (1):
  DOC: Spelling fixes

Willy Tarreau (7):
  BUG/MEDIUM: proxy: return "none" and "unknown" for unknown LB algos
  BUG/MINOR: stats: make field_str() return an empty string on NULL
  BUG/MAJOR: stream: fix session abort on resource shortage
  BUG/MEDIUM: cli: fix "show stat resolvers" and "show tls-keys"
  DOC: mention that req_tot is for both frontends and backends
  BUG/MINOR: stats: fix be/sessions/max output in html stats
  [RELEASE] Released version 1.7.1