HAProxy - Load balancer
Find a file
Willy Tarreau 95ac5fe4a8 MEDIUM: ssl_sock: always use the SSL's server name, not the one from the tid
In ssl_sock_set_servername(), we're retrieving the current server name
from the current thread, hoping it will not have changed. This is a
bit dangerous as strictly speaking it's not easy to prove that no other
connection had to use one between the moment it was retrieved in
ssl_sock_init() and the moment it's being read here. In addition, this
forces us to maintain one session per thread while this is not the real
need, in practice we only need one session per SNI. And the current model
prevents us from sharing sessions between threads.

This had been done in 2.5 via commit e18d4e828 ("BUG/MEDIUM: ssl: backend
TLS resumption with sni and TLSv1.3"), but as analyzed with William, it
turns out that a saner approach consists in keeping the call to
SSL_get_servername() there and instead to always assign the SNI to the
current SSL context via SSL_set_tlsext_host_name() immediately when the
session is retreived. This way the session and SNI are consulted atomically
and the host name is only checked from the session and not from possibly
changing elements.

As a bonus the rdlock that was added by that commit could now be removed,
though it didn't cost much.
2023-08-31 08:49:15 +02:00
.github CI: fedora: fix "dnf" invocation syntax 2023-08-25 09:31:09 +02:00
addons MINOR: tree-wide: use free_acl_cond() where relevant 2023-05-11 15:37:04 +02:00
admin MINOR: acme.sh: add the deploy script for acme.sh in admin directory 2023-04-26 17:32:15 +02:00
dev DEV: flags/show-sess-to-flags: properly decode fd.state 2023-08-14 08:48:49 +02:00
doc MINOR: sample: Add common TLV types as constants for fc_pp_tlv 2023-08-29 15:32:02 +02:00
examples EXAMPLES: maintain haproxy 2.8 retrocompatibility for lua mailers script 2023-07-11 16:04:22 +02:00
include MINOR: sample: Refactor fc_pp_authority by wrapping the generic TLV fetch 2023-08-29 15:31:51 +02:00
reg-tests MEDIUM: sample: Add fetch for arbitrary TLVs 2023-08-29 15:31:28 +02:00
scripts SCRIPTS: git-show-backports: automatic ref and base detection with -m 2023-08-14 13:12:56 +02:00
src MEDIUM: ssl_sock: always use the SSL's server name, not the one from the tid 2023-08-31 08:49:15 +02:00
tests TESTS: add a unit test for one_among_mask() 2022-06-21 20:29:57 +02:00
.cirrus.yml CI: cirrus-ci: bump FreeBSD image to 13-1 2023-04-23 09:44:53 +02:00
.gitattributes MINOR: Configure the cpp userdiff driver for *.[ch] in .gitattributes 2021-02-22 18:17:57 +01:00
.gitignore CONTRIB: Add vi file extensions to .gitignore 2023-06-02 18:14:34 +02:00
.mailmap DOC: update Tim's address in .mailmap 2021-09-16 09:14:14 +02:00
.travis.yml CI: travis-ci: temporarily disable arm64 builds 2021-08-07 07:28:15 +02:00
BRANCHES DOC: fix some spelling issues over multiple files 2021-01-08 14:53:47 +01:00
BSDmakefile BUILD: makefile: commit the tiny FreeBSD makefile stub 2023-05-24 17:17:36 +02:00
CHANGELOG [RELEASE] Released version 2.9-dev4 2023-08-25 17:57:22 +02:00
CONTRIBUTING CLEANUP: assorted typo fixes in the code and comments 2021-08-16 12:37:59 +02:00
INSTALL DOC: install: Document how to build a limited support for QUIC 2023-07-21 20:27:13 +02:00
LICENSE LICENSE: add licence exception for OpenSSL 2012-09-07 13:52:26 +02:00
MAINTAINERS CLEANUP: assorted typo fixes in the code and comments 2022-11-30 14:02:36 +01:00
Makefile MEDIUM: capabilities: enable support for Linux capabilities 2023-08-29 11:11:50 +02:00
README DOC: create a BRANCHES file to explain the life cycle 2019-06-15 22:00:14 +02:00
SUBVERS BUILD: use format tags in VERDATE and SUBVERS files 2013-12-10 11:22:49 +01:00
VERDATE [RELEASE] Released version 2.9-dev4 2023-08-25 17:57:22 +02:00
VERSION [RELEASE] Released version 2.9-dev4 2023-08-25 17:57:22 +02:00

The HAProxy documentation has been split into a number of different files for
ease of use.

Please refer to the following files depending on what you're looking for :

  - INSTALL for instructions on how to build and install HAProxy
  - BRANCHES to understand the project's life cycle and what version to use
  - LICENSE for the project's license
  - CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located into the doc/ directory :

  - doc/intro.txt for a quick introduction on HAProxy
  - doc/configuration.txt for the configuration's reference manual
  - doc/lua.txt for the Lua's reference manual
  - doc/SPOE.txt for how to use the SPOE engine
  - doc/network-namespaces.txt for how to use network namespaces under Linux
  - doc/management.txt for the management guide
  - doc/regression-testing.txt for how to use the regression testing suite
  - doc/peers.txt for the peers protocol reference
  - doc/coding-style.txt for how to adopt HAProxy's coding style
  - doc/internals for developer-specific documentation (not all up to date)