mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-09-21 22:01:31 +02:00
QUIC relies on SSL_do_handshake() to be able to validate handshake. As this function is computation heavy, it is since 2.9 called only under TASK_HEAVY. This has been implemented by the following patch :

  94d20be1388023bff36d795f501571adfefe8c75
  MEDIUM: quic: Heavy task mode during handshake

Instead of handling CRYPTO frames immediately during reception, this patch delays the process to run under TASK_HEAVY tasklet. A frame copy is stored in qel.rx.crypto_frms list. However, this frame still references the receive buffer. If the receive buffer is cleared before the tasklet is rescheduled, it will point to garbage data, resulting in haproxy decryption error. This happens if a fair amount of data is received constantly to preempt the quic_conn tasklet execution.

This bug can be reproduced with a fair amount of clients. It is exhibited by 'show quic full' which can report connections blocked on handshake. Using the following command results in h2load not able to complete the last connections.

  $ h2load --alpn-list h3 -t 8 -c 800 -m 10 -w 10 -n 8000 "https://127.0.0.1:20443/?s=10k"

Also, haproxy QUIC listener socket mode was active to trigger the issue. This forces several connections to share the same reception buffer, rendering the bug even more plausible to occur. It should be possible to reproduce it with connection socket if increasing the number of clients.

To fix this bug, define a new buffer under quic_cstream. It is used exclusively to copy CRYPTO data for in-order frame if ncbuf is empty. This ensures data remains accessible even if receive buffer is cleared.

Note that this fix is only a temporary step. Indeed, a ncbuf is also already used for out-of-order data. It should be possible to unify its usage for both in and out-of-order data, rendering this new buffer instance unnecessary. In this case, several unneeded elements will become obsolete such as qel.rx.crypto_frms list. This will be done in a future refactoring patch.

This must be backported up to 2.9.
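The bug described in the commit message is a lifetime problem: a frame queued for deferred processing keeps a pointer into a reception buffer that is shared and refilled by later datagrams, so by the time the heavy tasklet runs the bytes are no longer the handshake data. The following C program is an added illustration written for this page, not HAProxy's code: it models a shared reception buffer, queues a constructed "CRYPTO frame" either by reference (the buggy path) or by copying it into a buffer the frame owns (the fixed path, in the spirit of the quic_cstream buffer the patch introduces), receives a second datagram before the deferred step runs, and reports whether the deferred step still sees the original bytes. All names, sizes and sample payloads are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not HAProxy code: models the dangling-reference bug from the
 * commit message. rx_buf stands in for the reception buffer that several
 * connections share; crypto_frm stands in for a queued CRYPTO frame. */

#define RX_BUF_SIZE 64
#define CRYPTO_MAX  64

/* Shared reception buffer, cleared and refilled for every datagram. */
static uint8_t rx_buf[RX_BUF_SIZE];

/* One queued CRYPTO frame: data either points into rx_buf (buggy) or into
 * the frame's own copy[] (fixed). */
struct crypto_frm {
    const uint8_t *data;
    uint8_t copy[CRYPTO_MAX];
    size_t len;
};

/* Simulate a datagram arriving into the shared reception buffer. */
static void rx_datagram(const uint8_t *payload, size_t len)
{
    memset(rx_buf, 0, sizeof(rx_buf));
    memcpy(rx_buf, payload, len);
}

/* Buggy queueing: keep only a reference into the reception buffer. */
static void queue_crypto_by_ref(struct crypto_frm *f, size_t off, size_t len)
{
    f->data = rx_buf + off;
    f->len = len;
}

/* Fixed queueing: copy the CRYPTO bytes into storage the frame owns, so the
 * reception buffer may be reused freely before the deferred step runs. */
static void queue_crypto_by_copy(struct crypto_frm *f, size_t off, size_t len)
{
    memcpy(f->copy, rx_buf + off, len);
    f->data = f->copy;
    f->len = len;
}

/* Deferred (heavy-task) step: 1 if the frame still carries the expected
 * handshake bytes, 0 if it now reads other data (decryption would fail). */
static int process_crypto(const struct crypto_frm *f,
                          const uint8_t *expected, size_t len)
{
    return f->len == len && memcmp(f->data, expected, len) == 0;
}

/* Run the race: queue a frame from datagram 1, then let datagram 2 land in
 * the same buffer before the deferred processing happens. Returns 1 when the
 * handshake data survived, 0 when it was overwritten. */
int run_scenario(int copy_data)
{
    static const uint8_t hs1[] = "ClientHello-part-1";   /* constructed sample */
    static const uint8_t hs2[] = "unrelated-1RTT-data";  /* constructed sample */
    struct crypto_frm frm;

    rx_datagram(hs1, sizeof(hs1));
    if (copy_data)
        queue_crypto_by_copy(&frm, 0, sizeof(hs1));
    else
        queue_crypto_by_ref(&frm, 0, sizeof(hs1));

    /* More traffic arrives before the TASK_HEAVY tasklet gets scheduled. */
    rx_datagram(hs2, sizeof(hs2));

    return process_crypto(&frm, hs1, sizeof(hs1));
}

int main(void)
{
    printf("queued by reference: %s\n", run_scenario(0) ? "intact" : "corrupted");
    printf("queued by copy:      %s\n", run_scenario(1) ? "intact" : "corrupted");
    return 0;
}
```

The by-reference run reads the second datagram's bytes where the handshake data used to be, which is exactly the "garbage data" and decryption error the commit message describes; the by-copy run is unaffected by buffer reuse. The same check is the one to keep in mind whenever work is deferred to another task: any pointer into a buffer that the receive path may recycle must be replaced by owned storage before the task yields.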
The HAProxy documentation has been split into a number of different files for ease of use. Please refer to the following files depending on what you're looking for :

- INSTALL for instructions on how to build and install HAProxy
- BRANCHES to understand the project's life cycle and what version to use
- LICENSE for the project's license
- CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located in the doc/ directory :

- doc/intro.txt for a quick introduction on HAProxy
- doc/configuration.txt for the configuration's reference manual
- doc/lua.txt for the Lua reference manual
- doc/SPOE.txt for how to use the SPOE engine
- doc/network-namespaces.txt for how to use network namespaces under Linux
- doc/management.txt for the management guide
- doc/regression-testing.txt for how to use the regression testing suite
- doc/peers.txt for the peers protocol reference
- doc/coding-style.txt for how to adopt HAProxy's coding style
- doc/internals for developer-specific documentation (not all up to date)