[Pkg-haproxy-maintainers] Bug#776384: haproxy: Loading order of SSL certificates is unpredictable

Raphaël Enrici raphael at root-42.com
Tue Jan 27 14:54:23 UTC 2015

Package: haproxy
Version: 1.5.8-1~bpo70+1
Severity: normal
Tags: patch upstream

Dear Maintainer,

HAproxy currently uses readdir() function to list the directory
where the SSL certificates are stored.
As readdir() does not guarantee any order in the listing (neither
alphabetical nor time ordered one), this can lead to a situation
where two members of an active/passive HAProxy "cluster" behave
differently without any information about it resulting in misbehaviour
for non SNI aware devices.

Based on the report you can find here[1] a patch has been provided
by Cyril Bonté and accepted upstream. You can find this patch
here[2]. It would be great if you could include it before the next
jessie is released. If not possible at all because of the freeze, any
future inclusion of this patch before the next HAProxy stable release
would be welcome :)

Please note, that until patched, the workaround exists and consists
in forcing the correct default certificate to be loaded in the bind

frontend bla
  bind A.B.C.D:444 ssl crt /etc/haproxy/ssl/my-default-certificate.pem
crt /etc/haproxy/ssl/ ...

Thanks and best regards,
P.S. I'm reporting the bug on the backport package but it definitely
concerns all HAProxy versions currently in Debian as it is an upstream
related "bug".
[1] http://marc.info/?l=haproxy&m=142107911132411&w=2
[2] http://marc.info/?l=haproxy&m=142214143425201&w=2

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'),
(500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/24 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages haproxy depends on:
ii  adduser              3.113+nmu3
ii  init-system-helpers  1.18~bpo70+1
ii  libc6                2.13-38+deb7u6
ii  libpcre3             1:8.30-5
ii  libssl1.0.0          1.0.1e-2+deb7u13
ii  zlib1g               1:1.2.7.dfsg-13

haproxy recommends no packages.

Versions of packages haproxy suggests:
pn  haproxy-doc  <none>
pn  vim-haproxy  <none>

-- Configuration Files:
/etc/haproxy/haproxy.cfg changed [not included]

-- debconf-show failed

More information about the Pkg-haproxy-maintainers mailing list