Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Igor Cicimov
Hi Willy,

On Fri, Jan 26, 2018 at 6:21 PM, Willy Tarreau  wrote:

> Hi Igor,
>
> On Fri, Jan 26, 2018 at 05:07:10PM +1100, Igor Cicimov wrote:
> > Hi Willy,
> >
> > On Fri, Jan 26, 2018 at 3:47 PM, Willy Tarreau  wrote:
> >
> > > On Fri, Jan 26, 2018 at 01:26:35AM +1100, Igor Cicimov wrote:
> > > > Or you meant using the haproxy 16.04 image actually. Ok, another
> option
> > > is
> > > > to compile it myself with the openssl version I have atm.
> > >
> > > What mostly matters is the version used to *build* haproxy, because
> > > some features have to be known at build time. If you pick an haproxy
> > > package made for a more recent distro using 1.0.2 or later, it will
> > > enable ALPN. Whether or not it will work on your current distro with
> > > your locally rebuilt openssl is a big question of course.
> > >
> > > You should definitely avoid building openssl yourself, it's the best
> > > way to forget about upgrading it when a vulnerability is disclosed.
> > > However if you're already doing it for other reasons it's different
> > > and then maybe you can build your own haproxy with this openssl
> > > version. But as Lukas said, the easiest solution is to upgrade the
> > > distro :-)
> > >
> > > Willy
> > >
> >
> >
> > So that's actually what my initial question was aiming at. While building
> > the deb archive for ubuntu trusty, let's say, doesn't it make sense to build
> > it using the latest stable openssl 1.0.2 just for the sake of the
> > features?
>
> I don't know what version ships as standard with this distro, but it makes
> sense to me that the packages that are built for a distro work with the
> distro's default package versions and do not require some hacks by the
> user. So if the distro uses 1.0.2 by default it would make sense. If it
> uses 1.0.1, it wouldn't make sense to add an extra dependency on an
> external, possibly less maintained, package. But that's just my opinion,
> I'm not a distro packager. However that's the type of issues we've had to
> deal with in our enterprise version since users expect the packages to work
> by default and a few advanced users also want the best features which are
> unfortunately not compatible with the default distro :-/ And recently we've
> seen progress in the right direction (e.g. with RHEL 7.4 IIRC) though that
> breaks again the compatibility with users of older packages!
>
> I really think that the whole mess around this is caused by the fact that
> H2 requires ALPN which was not present in the openssl version shipped with
> most distros when it was released, and that the lack of visibility of any
> future long term supported openssl version doesn't encourage distro vendors
> to provide large scale upgrades.
>
> Willy
>

Yeah, you are absolutely right here, please scrap my previous comment which
totally doesn't make any sense :-( I guess it is more showing my
frustration with exactly what you described in the last paragraph.


Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Willy Tarreau
Hi Igor,

On Fri, Jan 26, 2018 at 05:07:10PM +1100, Igor Cicimov wrote:
> Hi Willy,
> 
> On Fri, Jan 26, 2018 at 3:47 PM, Willy Tarreau  wrote:
> 
> > On Fri, Jan 26, 2018 at 01:26:35AM +1100, Igor Cicimov wrote:
> > > Or you meant using the haproxy 16.04 image actually. Ok, another option
> > is
> > > to compile it myself with the openssl version I have atm.
> >
> > What mostly matters is the version used to *build* haproxy, because
> > some features have to be known at build time. If you pick an haproxy
> > package made for a more recent distro using 1.0.2 or later, it will
> > enable ALPN. Whether or not it will work on your current distro with
> > your locally rebuilt openssl is a big question of course.
> >
> > You should definitely avoid building openssl yourself, it's the best
> > way to forget about upgrading it when a vulnerability is disclosed.
> > However if you're already doing it for other reasons it's different
> > and then maybe you can build your own haproxy with this openssl
> > version. But as Lukas said, the easiest solution is to upgrade the
> > distro :-)
> >
> > Willy
> >
> 
> 
> So that's actually what my initial question was aiming at. While building
> the deb archive for ubuntu trusty, let's say, doesn't it make sense to build
> it using the latest stable openssl 1.0.2 just for the sake of the
> features?

I don't know what version ships as standard with this distro, but it makes
sense to me that the packages that are built for a distro work with the
distro's default package versions and do not require some hacks by the
user. So if the distro uses 1.0.2 by default it would make sense. If it
uses 1.0.1, it wouldn't make sense to add an extra dependency on an
external, possibly less maintained, package. But that's just my opinion,
I'm not a distro packager. However that's the type of issues we've had to
deal with in our enterprise version since users expect the packages to work
by default and a few advanced users also want the best features which are
unfortunately not compatible with the default distro :-/ And recently we've
seen progress in the right direction (e.g. with RHEL 7.4 IIRC) though that
breaks again the compatibility with users of older packages!

I really think that the whole mess around this is caused by the fact that
H2 requires ALPN which was not present in the openssl version shipped with
most distros when it was released, and that the lack of visibility of any
future long term supported openssl version doesn't encourage distro vendors
to provide large scale upgrades.

Willy



Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Igor Cicimov
Hi Willy,

On Fri, Jan 26, 2018 at 3:47 PM, Willy Tarreau  wrote:

> On Fri, Jan 26, 2018 at 01:26:35AM +1100, Igor Cicimov wrote:
> > Or you meant using the haproxy 16.04 image actually. Ok, another option
> is
> > to compile it myself with the openssl version I have atm.
>
> What mostly matters is the version used to *build* haproxy, because
> some features have to be known at build time. If you pick an haproxy
> package made for a more recent distro using 1.0.2 or later, it will
> enable ALPN. Whether or not it will work on your current distro with
> your locally rebuilt openssl is a big question of course.
>
> You should definitely avoid building openssl yourself, it's the best
> way to forget about upgrading it when a vulnerability is disclosed.
> However if you're already doing it for other reasons it's different
> and then maybe you can build your own haproxy with this openssl
> version. But as Lukas said, the easiest solution is to upgrade the
> distro :-)
>
> Willy
>


So that's actually what my initial question was aiming at. While building
the deb archive for ubuntu trusty, let's say, doesn't it make sense to build
it using the latest stable openssl 1.0.2 just for the sake of the
features?


Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Willy Tarreau
On Fri, Jan 26, 2018 at 01:26:35AM +1100, Igor Cicimov wrote:
> Or you meant using the haproxy 16.04 image actually. Ok, another option is
> to compile it myself with the openssl version I have atm.

What mostly matters is the version used to *build* haproxy, because
some features have to be known at build time. If you pick an haproxy
package made for a more recent distro using 1.0.2 or later, it will
enable ALPN. Whether or not it will work on your current distro with
your locally rebuilt openssl is a big question of course.

You should definitely avoid building openssl yourself, it's the best
way to forget about upgrading it when a vulnerability is disclosed.
However if you're already doing it for other reasons it's different
and then maybe you can build your own haproxy with this openssl
version. But as Lukas said, the easiest solution is to upgrade the
distro :-)

Willy



Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Lukas Tribus
Hello Igor,


On 25 January 2018 at 15:22, Igor Cicimov
 wrote:
>> Upgrade to the *current* LTS release, which is Ubuntu Xenial. It ships
>> OpenSSL 1.0.2.
>
>
> For sure I don't have to update the whole distro to get the newest openssl
> :-)

You mean you expect to replace a system library from one major release
to another, with incompatible ABI and API? No, that's not how it
works. Fortunately OpenSSL 1.1.0 creates .so files with the ".so.1.1"
file ending (as well as a symbolic link to it from ".so" files), so
the original ".so.1.0.0" files are not overwritten. Otherwise your
system would be broken now.

I suggested upgrading to the current Ubuntu LTS because it's the
fastest and safest way to get OpenSSL 1.0.2, it won't break your
system, you get security updates and you have to do it anyway sooner
or later, as Trusty is EOL'ed next year.


You don't have to; you can always compile OpenSSL statically locally,
and use that to compile Haproxy (see README), or if the 1.1.0 headers
are installed correctly, just compile Haproxy.


But replacing a system library like that is something you need to be
very careful with.



Regards,
Lukas



Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Igor Cicimov
On Fri, Jan 26, 2018 at 1:22 AM, Igor Cicimov <
ig...@encompasscorporation.com> wrote:

> Hi Lukas,
>
> On Fri, Jan 26, 2018 at 1:04 AM, Lukas Tribus  wrote:
>
>> Hello,
>>
>>
>> On 25 January 2018 at 14:53, Igor Cicimov
>>  wrote:
>> >
>> > Hi,
>> >
>> > The info below, that openssl version for the build is a little bit oldish,
>> isn't it?
>> >
>> > # haproxy -vv
>> > [...]
>> > Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
>> > Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
>> > [...]
>>
>>
>> ALPN requires OpenSSL 1.0.2. You are using Ubuntu Trusty, which ships
>> OpenSSL 1.0.1.
>>
>>
> Ok, so
>
>
>>
>>
>> > # openssl version
>> > OpenSSL 1.1.0g  2 Nov 2017
>>
>>
> I have an even more recent openssl version and this should work.
>
>
>>
>> Don't know where that's from, but not from a vanilla Ubuntu trusty
>> installation.
>>
>>
> You mean where that 1.0.1f came from? Obviously the installed one is
> 1.1.0g and why does it matter where it came from? Where is haproxy looking
> for openssl? Maybe I'm missing some library links ...
>
>
>>
>> Upgrade to the *current* LTS release, which is Ubuntu Xenial. It ships
>> OpenSSL 1.0.2.
>>
>
> For sure I don't have to update the whole distro to get the newest
> openssl :-)
>
>
>>
>>
>> Lukas
>>
>
>
Or you meant using the haproxy 16.04 image actually. Ok, another option is
to compile it myself with the openssl version I have atm.


Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Igor Cicimov
Hi Lukas,

On Fri, Jan 26, 2018 at 1:04 AM, Lukas Tribus  wrote:

> Hello,
>
>
> On 25 January 2018 at 14:53, Igor Cicimov
>  wrote:
> >
> > Hi,
> >
> > The info below, that openssl version for the build is a little bit oldish,
> isn't it?
> >
> > # haproxy -vv
> > [...]
> > Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> > Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> > [...]
>
>
> ALPN requires OpenSSL 1.0.2. You are using Ubuntu Trusty, which ships
> OpenSSL 1.0.1.
>
>
Ok, so

>
>
> > # openssl version
> > OpenSSL 1.1.0g  2 Nov 2017
>
>
I have an even more recent openssl version and this should work.

>
> Don't know where that's from, but not from a vanilla Ubuntu trusty
> installation.
>
>
You mean where that 1.0.1f came from? Obviously the installed one is
1.1.0g and why does it matter where it came from? Where is haproxy looking
for openssl? Maybe I'm missing some library links ...

>
> Upgrade to the *current* LTS release, which is Ubuntu Xenial. It ships
> OpenSSL 1.0.2.
>

For sure I don't have to update the whole distro to get the newest
openssl :-)


>
>
> Lukas
>


Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Lukas Tribus
Hello,


On 25 January 2018 at 14:53, Igor Cicimov
 wrote:
>
> Hi,
>
> The info below, that openssl version for the build is a little bit oldish,
> isn't it?
>
> # haproxy -vv
> [...]
> Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> [...]


ALPN requires OpenSSL 1.0.2. You are using Ubuntu Trusty, which ships
OpenSSL 1.0.1.



> # openssl version
> OpenSSL 1.1.0g  2 Nov 2017


Don't know where that's from, but not from a vanilla Ubuntu trusty installation.


Upgrade to the *current* LTS release, which is Ubuntu Xenial. It ships
OpenSSL 1.0.2.



Lukas

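Added example, not code from the thread or the haproxy project: a small checker that reads `haproxy -vv` output and applies the rule stated above (ALPN depends on the OpenSSL version haproxy was *built* against, not on what the `openssl version` CLI prints). The sample text is the output quoted in this thread; the function names are my own.

```python
import re

# Constructed sample: the version lines from the `haproxy -vv` output quoted
# in this thread (haproxy 1.8.3 from the PPA on Ubuntu Trusty).
SAMPLE_HAPROXY_VV = """\
HA-Proxy version 1.8.3-1ppa1~trusty 2018/01/02
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
"""

# ALPN (and so H2 over TLS) needs OpenSSL 1.0.2 or later at *build* time.
ALPN_MIN_VERSION = (1, 0, 2)

_VERSION_RE = re.compile(
    r"^(Built with|Running on) OpenSSL version\s*:\s*OpenSSL\s+"
    r"((\d+)\.(\d+)\.(\d+)[a-z]*)",
    re.MULTILINE,
)


def parse_openssl_versions(vv_output):
    """Map 'built'/'running' to (version string, numeric tuple) from -vv text."""
    found = {}
    for m in _VERSION_RE.finditer(vv_output):
        key = "built" if m.group(1) == "Built with" else "running"
        found[key] = (m.group(2), tuple(int(x) for x in m.group(3, 4, 5)))
    missing = {"built", "running"} - set(found)
    if missing:
        raise ValueError("no OpenSSL version line for: %s" % sorted(missing))
    return found


def check_alpn(vv_output):
    """Decide from `haproxy -vv` alone whether this binary can offer ALPN."""
    # The `openssl version` CLI is irrelevant: haproxy links libssl, and the
    # 'Built with' line decides which features were compiled in.
    v = parse_openssl_versions(vv_output)
    built_str, built = v["built"]
    running_str, _running = v["running"]
    return {
        "built": built_str,
        "running": running_str,
        "alpn_possible": built >= ALPN_MIN_VERSION,  # fixed at build time
        # A newer 'Running on' version is normal after a libssl security
        # update; the feature set still follows the build version.
        "library_updated": running_str != built_str,
    }
```

Run it over `haproxy -vv` captured on the host; `alpn_possible` is False for the Trusty PPA build shown above even though that box has a 1.1.0g `openssl` binary installed.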


Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Igor Cicimov
Hi,

The info below, that openssl version for the build is a little bit oldish,
isn't it?

# haproxy -vv
HA-Proxy version 1.8.3-1ppa1~trusty 2018/01/02
Copyright 2000-2017 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4
-Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200


Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.31 2012-07-06
Running on PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (libpcre build without JIT?)
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

# openssl version
OpenSSL 1.1.0g  2 Nov 2017

# lsb_release -a
No LSB modules are available.
Distributor ID:Ubuntu
Description:Ubuntu 14.04.5 LTS
Release:14.04
Codename:trusty



On Fri, Jan 26, 2018 at 12:39 AM, Lukas Tribus  wrote:

> Hello,
>
> On 25 January 2018 at 13:26, Igor Cicimov
>  wrote:
> > Hi,
> >
> > I was testing haproxy 1.8 from the ppa repository and noticed it is not
> > built with alpn support, so I just wonder why?
>
> Which OS exactly?
>
>
> Lukas
>



-- 
Igor Cicimov | DevOps


p. +61 (0) 433 078 728
e. ig...@encompasscorporation.com 
w. www.encompasscorporation.com
a. Level 4, 65 York Street, Sydney 2000


Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Lukas Tribus
Hello,

On 25 January 2018 at 13:26, Igor Cicimov
 wrote:
> Hi,
>
> I was testing haproxy 1.8 from the ppa repository and noticed it is not
> built with alpn support, so I just wonder why?

Which OS exactly?


Lukas



Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Jerome Magnin
Hi Igor,

On Thu, Jan 25, 2018 at 11:26:14PM +1100, Igor Cicimov wrote:
> Hi,
> 
> I was testing haproxy 1.8 from the ppa repository and noticed it is not
> built with alpn support, so I just wonder why?

what's the output of haproxy -vv ?

Jérôme