mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-01-17 03:00:43 +00:00
1fe0fad88b
The ssl_bc_hsk_err sample fetch will need to raise more errors than only handshake related ones hence its renaming to a more generic ssl_bc_err. This patch is required because some handshake failures that should have been caught by this fetch (verify error on the server side for instance) were missed. This is caused by a change in TLS1.3 in which the 'Finished' state on the client is reached before its certificate is sent (and verified) on the server side (see the "Protocol Overview" part of RFC 8446). This means that the SSL_do_handshake call is finished long before the server can verify and potentially reject the client certificate. The ssl_bc_hsk_err will then need to be expanded to catch other types of errors. This change is also applied to the frontend fetches (ssl_fc_hsk_err becomes ssl_fc_err) and to their string counterparts.

- design-thoughts
- internals
- lua-api
- 51Degrees-device-detection.txt
- acl.fig
- architecture.txt
- close-options.txt
- coding-style.txt
- configuration.txt
- cookie-options.txt
- DeviceAtlas-device-detection.txt
- gpl.txt
- haproxy.1
- intro.txt
- lgpl.txt
- linux-syn-cookies.txt
- lua.txt
- management.txt
- netscaler-client-ip-insertion-protocol.txt
- network-namespaces.txt
- peers-v2.0.txt
- peers.txt
- proxy-protocol.txt
- queuing.fig
- regression-testing.txt
- seamless_reload.txt
- SOCKS4.protocol.txt
- SPOE.txt
- WURFL-device-detection.txt