Closed yosifkit closed 7 months ago
This comes with a bump to OpenSSL 3, which might cause some breakage, so we might want to pause and consider / solicit opinions. :thinking:
> which might cause some breakage,
Not breakage, but a steep loss of performance that is likely unacceptable to many users. See https://www.mail-archive.com/haproxy@formilux.org/msg43306.html (and basically the whole thread).
Also Ctrl+F "OpenSSL" and "wolfSSL" in this email: https://www.mail-archive.com/haproxy@formilux.org/msg43600.html
Ah and one more thing: OpenSSL 3 is only officially supported as of HAProxy 2.6.x, as per the list on haproxy.org:
> version 2.6 : QUIC/HTTP3, OpenSSL 3.0, better usability, improved code accessibility and maintenance
FYI: alpine image already did the openssl3 bump with https://github.com/docker-library/haproxy/commit/95fe4acadbc54495913fc1361daedfc65df2a3a6 (3.16 vs 3.17)
Yeah, oops -- that was a while ago though (a full year now).
According to https://github.com/haproxy/haproxy/issues/1276, the OpenSSL 3 support was backported to the 2.4 line, so that explains that (and we pin 2.0 to Debian Buster and Alpine 3.16 already), but that doesn't explain why 2.2 appears to be just fine. :shrug:
I guess we should probably revert 2.2 to Alpine 3.16, pin it to Debian Bullseye (to be on the safe / "upstream supported" side), and then finally do this update.
(first, a rebase)
Leaving 2.0 on Debian buster: https://github.com/docker-library/haproxy/pull/167