{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":783660031,"defaultBranch":"master","name":"haproxy","ownerLogin":"stb-tester","currentUserCanPush":false,"isFork":true,"isEmpty":false,"createdAt":"2024-04-08T10:22:15.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/5528358?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1718877125.0","currentOid":""},"activityList":{"items":[{"before":null,"after":"78d5c86b7877506d1e07465238d54aaebc1c0ac2","ref":"refs/heads/v3.0.0-stbt","pushedAt":"2024-06-06T08:46:23.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"wmanley","name":"William Manley","path":"/wmanley","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/494659?s=80&v=4"},"commit":{"message":"MINOR?: stconn/connection: Fix suspect change causing timeouts\n\nThis fixes an issue I've had where if a connection was idle for ~23s\nit would get in a bad state. I don't understand this code, so I'm\nnot sure exactly why it was failing.\n\nI discovered this by bisecting to identify the commit that caused the\nregression between 2.9 and 3.0. The commit is\nd2c3f8dde7c2474616c0ea51234e6ba9433a4bc1: \"MINOR: stconn/connection:\nMove shut modes at the SE descriptor level\" - a part of v3.0-dev8.\nIt seems to be an innocent renaming, so I looked through it and this\nstood out as suspect:\n\n - if (mode != CO_SHW_NORMAL)\n + if (mode & SE_SHW_NORMAL)\n\nIt looks like the not went missing here, so this patch reverses that\ncondition. It fixes my test.\n\nI don't quite understand what this is doing or is for so I can't write\na regression test or decent commit message. 
Hopefully someone else\nwill be able to pick this up from where I've left it.","shortMessageHtmlLink":"MINOR?: stconn/connection: Fix suspect change causing timeouts"}},{"before":"70251a2aeb5930f3fc25aadf979d5ce5007d0f9d","after":"93cc23a35561cd89b353143d20962dd86aa82a9c","ref":"refs/heads/master","pushedAt":"2024-06-05T13:36:17.000Z","pushType":"push","commitsCount":471,"pusher":{"login":"drothlis","name":"David Röthlisberger","path":"/drothlis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12424?s=80&v=4"},"commit":{"message":"BUG/MEDIUM: ssl: wrong priority when limiting ECDSA ciphers in ECDSA+RSA configuration\n\nThe ClientHello Callback which is used for certificate selection uses\nboth the signature algorithms and the ciphers sent by the client.\n\nHowever, when a client is announcing both ECDSA and RSA capabilities\nwith ECDSA ciphers that are not available on haproxy side and RSA\nciphers that are compatible, the ECDSA certificate will still be used\nbut this will result in a \"no shared cipher\" error, instead of a\nfallback on the RSA certificate.\n\nFor example, a client could send\n'ECDHE-ECDSA-AES128-CCM:ECDHE-RSA-AES256-SHA' and HAProxy could be\nconfigured with only 'ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA'.\n\nThis patch fixes the issue by validating that at least one ECDSA cipher\nis available on both sides before choosing the ECDSA certificate.\n\nThis must be backported on all stable versions.","shortMessageHtmlLink":"BUG/MEDIUM: ssl: wrong priority when limiting ECDSA ciphers in ECDSA+…"}},{"before":null,"after":"d06427d0ba3bbac9c94c74e09d5eca52b0b7fab6","ref":"refs/heads/v2.9.7-stbt","pushedAt":"2024-05-08T15:20:51.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"wmanley","name":"William Manley","path":"/wmanley","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/494659?s=80&v=4"},"commit":{"message":"MINOR: config: rhttp: Don't require SSL when attach-srv name parsing\n\nAn attach-srv config line 
usually looks like this:\n\n tcp-request session attach-srv be/srv name ssl_c_s_dn(CN)\n\nwhile a rhttp server line usually looks like this:\n\n server srv rhttp@ sni req.hdr(host)\n\nThe server sni argument is used as a key for looking up connection in the\nconnection pool. The attach-srv name argument is used as a key for\ninserting connections into the pool. For it to work correctly they must\nmatch. There was a check that either both the attach-srv and server\nprovide that key or neither does.\n\nIt also checked that SSL and SNI was activated on the server. This is too\nstrict. This patch removes that requirement. Now you can pass arbitrary\nexpressions as the name expression.\n\nWith this patch we also produce a more helpful and specific error message.\n\nI'm doing this as I want to use `fc_pp_unique_id` as the name.\n\nArguably it would be easier to understand if instead of using `name` and\n`sni` for `attach-srv` and `server` rules it used the same term in both\nplaces - like \"conn-pool-key\" or something. That would make it clear that\nthe two must match. But it's too late to change that now.","shortMessageHtmlLink":"MINOR: config: rhttp: Don't require SSL when attach-srv name parsing"}},{"before":null,"after":"551b4317b400c959a4228b06f88e7db1e7694521","ref":"refs/heads/more-flexible-rhttp-v2","pushedAt":"2024-05-08T10:37:52.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"wmanley","name":"William Manley","path":"/wmanley","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/494659?s=80&v=4"},"commit":{"message":"MINOR: config: rhttp: Don't require SSL when attach-srv name parsing\n\nAn attach-srv config line usually looks like this:\n\n tcp-request session attach-srv be/srv name ssl_c_s_dn(CN)\n\nwhile a rhttp server line usually looks like this:\n\n server srv rhttp@ sni req.hdr(host)\n\nThe server sni argument is used as a key for looking up connection in the\nconnection pool. 
The attach-srv name argument is used as a key for\ninserting connections into the pool. For it to work correctly they must\nmatch. There was a check that either both the attach-srv and server\nprovide that key or neither does.\n\nIt also checked that SSL and SNI was activated on the server. This is too\nstrict. This patch removes that requirement. Now you can pass arbitrary\nexpressions as the name expression.\n\nWith this patch we also produce a more helpful and specific error message.\n\nI'm doing this as I want to use `fc_pp_unique_id` as the name.\n\nArguably it would be easier to understand if instead of using `name` and\n`sni` for `attach-srv` and `server` rules it used the same term in both\nplaces - like \"conn-pool-key\" or something. That would make it clear that\nthe two must match. But it's too late to change that now.","shortMessageHtmlLink":"MINOR: config: rhttp: Don't require SSL when attach-srv name parsing"}},{"before":null,"after":"12d28939d6a52bb3e7457fb31a4127eb2634449a","ref":"refs/heads/more-flexible-rhttp","pushedAt":"2024-04-30T08:51:55.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"wmanley","name":"William Manley","path":"/wmanley","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/494659?s=80&v=4"},"commit":{"message":"MINOR: config: rhttp: Don't require SSL when attach-srv name parsing\n\nAn attach-srv config line usually looks like this:\n\n tcp-request session attach-srv be/srv name ssl_c_s_dn(CN)\n\nwhile a rhttp server line usually looks like this:\n\n server srv rhttp@ sni req.hdr(host)\n\nThe server sni argument is used as a key for looking up connection in the\nconnection pool. The attach-srv name argument is used as a key for\ninserting connections into the pool. For it to work correctly they must\nmatch. There was a check that either both the attach-srv and server\nprovide that key or neither does.\n\nIt also checked that SSL was in use on the server. 
This is too strict.\nThis patch removes that requirement. Without this patch you'd get an error\nif you passed anything other than \"ssl_c_s_dn(CN)\" as the name expression.\nNow you can pass arbitrary expressions.\n\nWith this patch we also produce a more helpful and specific error message.\n\nI'm doing this as I want to use `fc_pp_unique_id` as the name.\n\nArguably it would be easier to understand if instead of using `name` and\n`sni` for `attach-srv` and `server` rules it used the same term in both\nplaces - like \"conn-pool-key\" or something. That would make it clear that\nthe two must match. But it's too late to change that now.","shortMessageHtmlLink":"MINOR: config: rhttp: Don't require SSL when attach-srv name parsing"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEXfUFvAA","startCursor":null,"endCursor":null}},"title":"Activity · stb-tester/haproxy"}