e51ae5ce66
conn_get_ssl_sock_ctx() retrieves the ssl_sock_ctx of a connection by calling conn->xprt->get_ssl_sock_ctx(). Only ssl_sock implements this method, and it returns conn->xprt_ctx. This works because for every existing XPRT combination the SSL layer is the topmost one: even xprt_handshake (SOCKS4, PROXY, NetScaler CIP) is installed *below* ssl_sock, so conn->xprt keeps pointing to ssl_sock. Qmux changes this assumption: xprt_qmux is stacked *on top of* ssl_sock and keeps the SSL layer as its lower layer to exchange the QUIC transport parameters over the established TLS stream. During the qmux handshake, conn->xprt therefore points to xprt_qmux, which does not implement get_ssl_sock_ctx(), making conn_get_ssl_sock_ctx() return NULL for the whole connection, affecting every caller that inspects the SSL layer (sample fetches, logging, ssl_sock_infocbk(), ...). The visible consequence was a crash: when the peer sends a TLS alert during the qmux handshake, the SSL library calls ssl_sock_infocbk(), which recovers a valid connection but a NULL ctx, rightfully triggering the "BUG_ON(!ctx)" early in the function. This patch implements xprt_qmux_get_ssl_sock_ctx() so that it returns the ssl_sock_ctx of the lower layer when it is the SSL layer, just like ssl_sock_get_ctx() does. conn_get_ssl_sock_ctx() then works again for all callers while the qmux handshake is in progress. After the handshake, conn->xprt is restored to the SSL layer so nothing else changes. This should be backported to 3.4. |
||
|---|---|---|
| .github | ||
| addons | ||
| admin | ||
| dev | ||
| doc | ||
| examples | ||
| include | ||
| reg-tests | ||
| scripts | ||
| src | ||
| tests | ||
| .gitattributes | ||
| .gitignore | ||
| .mailmap | ||
| .travis.yml | ||
| BRANCHES | ||
| BSDmakefile | ||
| CHANGELOG | ||
| CONTRIBUTING | ||
| INSTALL | ||
| LICENSE | ||
| MAINTAINERS | ||
| Makefile | ||
| README.md | ||
| SUBVERS | ||
| VERDATE | ||
| VERSION | ||
HAProxy
HAProxy is a free, very fast and reliable reverse-proxy offering high availability, load balancing, and proxying for TCP and HTTP-based applications.
Installation
The INSTALL file describes how to build HAProxy. A list of packages is also available on the wiki.
Getting help
The discourse and the mailing-list are available for questions or configuration assistance. You can also use the slack or IRC channel. Please don't use the issue tracker for these.
The issue tracker is only for bug reports or feature requests.
Documentation
The HAProxy documentation has been split into a number of different files for ease of use. It is available in text format as well as HTML. The wiki is also meant to replace the old architecture guide.
Please refer to the following files depending on what you're looking for:
- INSTALL for instructions on how to build and install HAProxy
- BRANCHES to understand the project's life cycle and what version to use
- LICENSE for the project's license
- CONTRIBUTING for the process to follow to submit contributions
The more detailed documentation is located into the doc/ directory:
- doc/intro.txt for a quick introduction on HAProxy
- doc/configuration.txt for the configuration's reference manual
- doc/lua.txt for the Lua's reference manual
- doc/SPOE.txt for how to use the SPOE engine
- doc/network-namespaces.txt for how to use network namespaces under Linux
- doc/management.txt for the management guide
- doc/regression-testing.txt for how to use the regression testing suite
- doc/peers.txt for the peers protocol reference
- doc/coding-style.txt for how to adopt HAProxy's coding style
- doc/internals for developer-specific documentation (not all up to date)
License
HAProxy is licensed under GPL 2 or any later version, the headers under LGPL 2.1. See the LICENSE file for a more detailed explanation.