RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-18 09:24:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
haproxy public development tree
20,781 Commits 19 Branches 370 Tags 47 MiB
C 98.1%
Shell 0.9%
Makefile 0.5%
Python 0.2%
Lua 0.1%
3c250cb847
Go to file
Emeric Brun 3c250cb847 Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token" 
This reverts commit 072e774939.

Doing h2load with h3 tests we notice this behavior:

Client ---- INIT no token SCID = a , DCID = A ---> Server (1)
Client <--- RETRY+TOKEN DCID = a, SCID = B    ---- Server (2)
Client ---- INIT+TOKEN SCID = a , DCID = B    ---> Server (3)
Client <--- INIT DCID = a, SCID = C           ---- Server (4)
Client ---- INIT+TOKEN SCID = a, DCID = C     ---> Server (5)

With (5) dropped by haproxy due to token validation.

Indeed the previous patch adds SCID of retry packet sent to the aad
of the token ciphering aad. It was useful to validate the next INIT
packets including the token are sent by the client using the new
provided SCID for DCID as mantionned into the RFC 9000.
But this stateless information is lost on received INIT packets
following the first outgoing INIT packet from the server because
the client is also supposed to re-use a second time the lastest
received SCID for its new DCID. This will break the token validation
on those last packets and they will be dropped by haproxy.

It was discussed there:
https://mailarchive.ietf.org/arch/msg/quic/7kXVvzhNCpgPk6FwtyPuIC6tRk0/

To resume: this is not the role of the server to verify the re-use of
retry's SCID for DCID in further client's INIT packets.

The previous patch must be reverted in all versions where it was
backported (supposed until 2.6)
2023-09-29 09:27:22 +02:00
.github CI: musl: drop shopt in workflow invocation 2023-09-08 19:05:04 +02:00
addons BUG/MINOR: promex: fix backend_agg_check_status 2023-09-12 19:50:17 +02:00
admin MINOR: acme.sh: add the deploy script for acme.sh in admin directory 2023-04-26 17:32:15 +02:00
dev CLEANUP: ring: rename the ring lock "RING_LOCK" instead of "LOGSRV_LOCK" 2023-09-20 21:38:33 +02:00
doc MINOR: support for http-request set-timeout client 2023-09-28 08:49:22 +02:00
examples EXAMPLES: maintain haproxy 2.8 retrocompatibility for lua mailers script 2023-07-11 16:04:22 +02:00
include Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token" 2023-09-29 09:27:22 +02:00
reg-tests MINOR: support for http-request set-timeout client 2023-09-28 08:49:22 +02:00
scripts CI: scripts: add support to build-ssl.sh to download and build AWS-LC 2023-09-06 13:41:36 +02:00
src Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token" 2023-09-29 09:27:22 +02:00
tests Revert "MAJOR: import: update mt_list to support exponential back-off" 2023-09-15 17:13:43 +02:00
.cirrus.yml CI: cirrus-ci: display gdb bt if any 2023-09-22 08:28:30 +02:00
.gitattributes
.gitignore CONTRIB: Add vi file extensions to .gitignore 2023-06-02 18:14:34 +02:00
.mailmap
.travis.yml
BRANCHES
BSDmakefile BUILD: makefile: commit the tiny FreeBSD makefile stub 2023-05-24 17:17:36 +02:00
CHANGELOG [RELEASE] Released version 2.9-dev6 2023-09-22 23:11:31 +02:00
CONTRIBUTING
INSTALL BUILD: ssl: Build with new cryptographic library AWS-LC 2023-09-04 18:19:18 +02:00
LICENSE
MAINTAINERS CLEANUP: assorted typo fixes in the code and comments 2022-11-30 14:02:36 +01:00
Makefile BUILD: ssl: Build with new cryptographic library AWS-LC 2023-09-04 18:19:18 +02:00
README
SUBVERS
VERDATE [RELEASE] Released version 2.9-dev6 2023-09-22 23:11:31 +02:00
VERSION [RELEASE] Released version 2.9-dev6 2023-09-22 23:11:31 +02:00

README 

The HAProxy documentation has been split into a number of different files for
ease of use.

Please refer to the following files depending on what you're looking for :

  - INSTALL for instructions on how to build and install HAProxy
  - BRANCHES to understand the project's life cycle and what version to use
  - LICENSE for the project's license
  - CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located into the doc/ directory :

  - doc/intro.txt for a quick introduction on HAProxy
  - doc/configuration.txt for the configuration's reference manual
  - doc/lua.txt for the Lua's reference manual
  - doc/SPOE.txt for how to use the SPOE engine
  - doc/network-namespaces.txt for how to use network namespaces under Linux
  - doc/management.txt for the management guide
  - doc/regression-testing.txt for how to use the regression testing suite
  - doc/peers.txt for the peers protocol reference
  - doc/coding-style.txt for how to adopt HAProxy's coding style
  - doc/internals for developer-specific documentation (not all up to date)