tianon
commented
1 year ago This comes with a bump to OpenSSL 3, which might cause some breakage, so we might want to pause and consider / solicit opinions. :thinking:
Closed yosifkit closed 7 months ago
tianon
commented
1 year ago This comes with a bump to OpenSSL 3, which might cause some breakage, so we might want to pause and consider / solicit opinions. :thinking:
TimWolla
commented
1 year ago which might cause some breakage,
Not breakage, but a steep loss of performance that is likely unacceptable to many users. See https://www.mail-archive.com/haproxy@formilux.org/msg43306.html (and basically the whole thread).
TimWolla
commented
1 year ago Also Ctrl+F "OpenSSL" and "wolfSSL" in this email: https://www.mail-archive.com/haproxy@formilux.org/msg43600.html
TimWolla
commented
1 year ago Ah and one more thing: OpenSSL 3 is only officially supported as of HAProxy 2.6.x, as per the list on haproxy.org:
version 2.6 : QUIC/HTTP3, OpenSSL 3.0, better usability, improved code accessibility and maintenance
Darlelet
commented
11 months ago FYI: alpine image already did the openssl3 bump with https://github.com/docker-library/haproxy/commit/95fe4acadbc54495913fc1361daedfc65df2a3a6 (3.16 vs 3.17)
tianon
commented
7 months ago Yeah, oops -- that was a while ago though (a full year now).
According to https://github.com/haproxy/haproxy/issues/1276, the OpenSSL 3 support was backported to the 2.4 line, so that explains that (and we pin 2.0 to Debian Buster and Alpine 3.16 already), but that doesn't explain why 2.2 appears to be just fine. :shrug:
I guess we should probably revert 2.2 to Alpine 3.16, pin it to Debian Bullseye (to be on the safe / "upstream supported" side), and then finally do this update.
tianon
commented
7 months ago (first, a rebase)
Leaving
2.0on Debian buster: https://github.com/docker-library/haproxy/pull/167