Re: running SECLEVEL=2 for OpenSSL-3.0 tests ?

2022-07-05 Thread William Lallemand
On Tue, Jul 05, 2022 at 12:06:14PM +0500, Илья Шипицин wrote:
> Tue, 5 Jul 2022 at 11:56, William Lallemand:
> 
> > On Tue, Jul 05, 2022 at 11:15:25AM +0500, Илья Шипицин wrote:
> > > I tried to run on Ubuntu 22.04, it is shipped with OpenSSL-3.0 and
> > > SECLEVEL=2 by default (probably it is correct for RedHat 9 as well ?)
> > >
> > > test · chipitsine/haproxy@1d69992 (github.com)
> > > <https://github.com/chipitsine/haproxy/runs/7163834085?check_suite_focus=true#step:16:602>
> > >
> > > ssl - What could cause "dh key too small" error? - Stack Overflow
> > > <https://stackoverflow.com/questions/61626206/what-could-cause-dh-key-too-small-error>
> > >
> > > if nobody minds, I'll add SECLEVEL=2 to CI.
> > > shall we run *only* SECLEVEL=2 or shall we expand build matrix ?
> > >
> >
> > That's not a good idea, this is supposed to be the default in a lot of
> > distributions and this could hide a lot of problems. HAProxy must work
> > with these default settings, the failing reg-test must be fixed instead.
> >
> 
> I mean "what to do after reg-test fix" (no question on that).
> in order to prevent regression...
> 

Sorry I didn't get correctly what you wanted to do.

Maybe we could add at least a 22.04 to the build.

We could convert the whole matrix to 22.04 later, but we still need to
test with OpenSSL 1.1.1, so we need reg-tests with the 1.1.1 built
manually.

-- 
William Lallemand



Re: running SECLEVEL=2 for OpenSSL-3.0 tests ?

2022-07-05 Thread Илья Шипицин
Tue, 5 Jul 2022 at 11:56, William Lallemand:

> On Tue, Jul 05, 2022 at 11:15:25AM +0500, Илья Шипицин wrote:
> > I tried to run on Ubuntu 22.04, it is shipped with OpenSSL-3.0 and
> > SECLEVEL=2 by default (probably it is correct for RedHat 9 as well ?)
> >
> > test · chipitsine/haproxy@1d69992 (github.com)
> > <https://github.com/chipitsine/haproxy/runs/7163834085?check_suite_focus=true#step:16:602>
> >
> > ssl - What could cause "dh key too small" error? - Stack Overflow
> > <https://stackoverflow.com/questions/61626206/what-could-cause-dh-key-too-small-error>
> >
> >
> > if nobody minds, I'll add SECLEVEL=2 to CI.
> > shall we run *only* SECLEVEL=2 or shall we expand build matrix ?
> >
>
> That's not a good idea, this is supposed to be the default in a lot of
> distributions and this could hide a lot of problems. HAProxy must work
> with these default settings, the failing reg-test must be fixed instead.
>

I mean "what to do after reg-test fix" (no question on that).
in order to prevent regression...


>
> --
> William Lallemand
>


Re: running SECLEVEL=2 for OpenSSL-3.0 tests ?

2022-07-05 Thread William Lallemand
On Tue, Jul 05, 2022 at 11:15:25AM +0500, Илья Шипицин wrote:
> I tried to run on Ubuntu 22.04, it is shipped with OpenSSL-3.0 and
> SECLEVEL=2 by default (probably it is correct for RedHat 9 as well ?)
> 
> test · chipitsine/haproxy@1d69992 (github.com)
> 
> 
> ssl - What could cause "dh key too small" error? - Stack Overflow
> 
> 
> if nobody minds, I'll add SECLEVEL=2 to CI.
> shall we run *only* SECLEVEL=2 or shall we expand build matrix ?
>

That's not a good idea, this is supposed to be the default in a lot of
distributions and this could hide a lot of problems. HAProxy must work
with these default settings, the failing reg-test must be fixed instead.

-- 
William Lallemand



running SECLEVEL=2 for OpenSSL-3.0 tests ?

2022-07-05 Thread Илья Шипицин
I tried to run on Ubuntu 22.04, it is shipped with OpenSSL-3.0 and
SECLEVEL=2 by default (probably it is correct for RedHat 9 as well ?)

test · chipitsine/haproxy@1d69992 (github.com)


ssl - What could cause "dh key too small" error? - Stack Overflow


if nobody minds, I'll add SECLEVEL=2 to CI.
shall we run *only* SECLEVEL=2 or shall we expand build matrix ?

Ilya