From: Lucas Gabriel Vuotto Subject: Re: WIP UPDATE net/haproxy 3.0.0 To: Theo Buehler Cc: ports@openbsd.org, Daniel Jakots Date: Thu, 30 May 2024 21:09:35 +0000 On Thu, May 30, 2024 at 08:48:29PM GMT, Theo Buehler wrote: > Does this still happen if you apply this on top (which will be a noop > once we bump the libressl version to 4.0)? > > Index: include/haproxy/quic_tls.h > --- include/haproxy/quic_tls.h.orig > +++ include/haproxy/quic_tls.h > @@ -140,7 +140,7 @@ static inline const EVP_CIPHER *tls_aead(const SSL_CIP > return EVP_aes_128_gcm(); > case TLS1_3_CK_AES_256_GCM_SHA384: > return EVP_aes_256_gcm(); > -#if !defined(OPENSSL_IS_AWSLC) && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x4000000fL) > +#if !defined(OPENSSL_IS_AWSLC) > /* WT: LibreSSL has an issue with CHACHA20 running in-place till 3.9.2 > * included, but the fix is already identified and will be merged > * into next major version. Given that on machines without AES-NI > Indeed, this gets HTTP/3 rolling. (Took quite some time testing because I don't understand how desktop browsers do HTTP/3. I'm p sure I still don't, but hey--my Grafana now loads over HTTP/3... *some times*). Thanks for the prompt reply, Theo! Diff updated with this patch. Better / correct patch comment suggestions are more than welcome. diff 74dcff6cd6dd2e62a28d3ab1da574df080129e8e 0b0ecc870da4ee36832bc2fff07632a8d7861299 commit - 74dcff6cd6dd2e62a28d3ab1da574df080129e8e commit + 0b0ecc870da4ee36832bc2fff07632a8d7861299 blob - b5cddc3eeab11bb6bf999bb5911687342fb8b1e4 blob + 4b2fc6d50a696cd7f95e51c2ced4bdc76533d65a --- net/haproxy/Makefile +++ net/haproxy/Makefile @@ -1,6 +1,6 @@ COMMENT = reliable, high performance TCP/HTTP load balancer -DISTNAME = haproxy-2.8.9 +DISTNAME = haproxy-3.0.0 CATEGORIES = net www HOMEPAGE = https://www.haproxy.org/ MAINTAINER = Daniel Jakots 
@@ -12,19 +12,12 @@ WANTLIB += c crypto pcre2-8 pcre2-posix pthread ssl z
 DEBUG_PACKAGES = ${BUILD_PACKAGES}
-SITES = ${HOMEPAGE}/download/2.8/src/
+SITES = ${HOMEPAGE}/download/3.0/src/
-HAPROXYCONF = ${SYSCONFDIR}/haproxy
-HAPROXYSTATE = /var/haproxy
-HAPROXYUID = 604
-HAPROXYGID = 604
-SUBST_VARS = HAPROXYCONF HAPROXYSTATE \
- HAPROXYUID HAPROXYGID
-
 USE_GMAKE = Yes
 MAKE_FLAGS += CPU_CFLAGS="${CFLAGS}" LDFLAGS="${LDFLAGS}"
 MAKE_FLAGS += CC="${CC}" LD="${CC}" TARGET="openbsd"
-MAKE_FLAGS += USE_OPENSSL=1 USE_PCRE2=1 USE_QUIC=1 USE_ZLIB=1 V=1
+MAKE_FLAGS += USE_OPENSSL=1 USE_PCRE2=1 USE_PROMEX=1 USE_QUIC=1 USE_ZLIB=1 V=1
 MAKE_FLAGS += USE_LIBATOMIC=
 FAKE_FLAGS += DOCDIR="${PREFIX}/share/doc/haproxy"
blob - f9c70c08d84f0653a75d3a3d505c893f4b840e9c
blob + a1b3a2860f26f5acca317db26709004389ab6e51
--- net/haproxy/distinfo
+++ net/haproxy/distinfo
@@ -1,2 +1,2 @@
-SHA256 (haproxy-2.8.9.tar.gz) = eoIUePNvhHYH9RpR6A9PiQw3r0gR1gQ45/Y3g/Z1kv8=
-SIZE (haproxy-2.8.9.tar.gz) = 4383096
+SHA256 (haproxy-3.0.0.tar.gz) = Wq2XQWIW0s2d0hLrZ0g5xAzTh/YPvEsT1+o/HlZkqBQ=
+SIZE (haproxy-3.0.0.tar.gz) = 4677659
blob - a43fe95d947d035d59d2a49a4d8fbc888a10bc4d
blob + 99030a2bb355b7a75851937ff393f07179241d9b
--- net/haproxy/files/haproxy.cfg
+++ net/haproxy/files/haproxy.cfg
@@ -2,8 +2,8 @@ global
 log 127.0.0.1 local0 debug
 maxconn 1024
 chroot /var/haproxy
- uid 604
- gid 604
+ user _haproxy
+ group _haproxy
 daemon
 pidfile /var/run/haproxy.pid
blob - /dev/null
blob + 248415d196379cd4cd6dfb260f12422c8a2aa45b (mode 644)
--- /dev/null
+++ net/haproxy/patches/patch-include_haproxy_quic_tls_h
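Review bot: The sample config keeps the literal `chroot /var/haproxy` (context line of this hunk) while the PLIST hunk further down creates the `_haproxy` home directory and the `@sample` directory as `${LOCALSTATEDIR}/haproxy`, so the chroot and the directory the package actually creates agree only for as long as LOCALSTATEDIR expands to /var. The Makefile hunk above removes SUBST_VARS, and files/haproxy.cfg does not appear to go through SUBST_CMD, so the config cannot follow the variable. Either keep the literal on both sides (`@sample /var/haproxy/`, as the old `HAPROXYSTATE = /var/haproxy` did) or add a one-line comment above `chroot /var/haproxy` in the sample config saying it must match the `@sample` directory in pkg/PLIST. The switch from numeric `uid 604`/`gid 604` to `user _haproxy`/`group _haproxy` itself is fine, since the account is created by the PLIST `@newuser` line before the config is ever loaded.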
@@ -0,0 +1,17 @@
+-current works correctly with in-place ChaCha20-Poly1305. Without this,
+some clients may receive ChaCha20-Poly1305 in the handshake but won't
+be able to use it: at least curl returns "Weird server reply". To be
+dropped after LibreSSL 4.
+
+Index: include/haproxy/quic_tls.h
+--- include/haproxy/quic_tls.h.orig
++++ include/haproxy/quic_tls.h
+@@ -140,7 +140,7 @@ static inline const EVP_CIPHER *tls_aead(const SSL_CIP
+ return EVP_aes_128_gcm();
+ case TLS1_3_CK_AES_256_GCM_SHA384:
+ return EVP_aes_256_gcm();
+-#if !defined(OPENSSL_IS_AWSLC) && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x4000000fL)
++#if !defined(OPENSSL_IS_AWSLC)
+ /* WT: LibreSSL has an issue with CHACHA20 running in-place till 3.9.2
+ * included, but the fix is already identified and will be merged
+ * into next major version. Given that on machines without AES-NI
blob - 16e125964bb7859239dcd70c42d51055fa8d313e
blob + 80afa917bba6891b62364c489a3583bd15a841e4
--- net/haproxy/pkg/PLIST
+++ net/haproxy/pkg/PLIST
@@ -1,10 +1,10 @@
-@newgroup _haproxy:${HAPROXYGID}
-@newuser _haproxy:${HAPROXYUID}:_haproxy::HAProxy Daemon:/var/haproxy:/sbin/nologin
+@newgroup _haproxy:604
+@newuser _haproxy:604:_haproxy::HAProxy Daemon:${LOCALSTATEDIR}/haproxy:/sbin/nologin
 @rcscript ${RCDIR}/haproxy
 @man man/man1/haproxy.1
 @bin sbin/haproxy
-@sample ${HAPROXYCONF}/
-@sample ${HAPROXYSTATE}/
+@sample ${SYSCONFDIR}/haproxy/
+@sample ${LOCALSTATEDIR}/haproxy/
 share/doc/haproxy/
 share/doc/haproxy/51Degrees-device-detection.txt
 share/doc/haproxy/DeviceAtlas-device-detection.txt
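Review bot: The patch comment's opening line `-current works correctly with in-place ChaCha20-Poly1305.` reads as if its subject was lost, and `-current` will not tell a later reader which LibreSSL release carries the fix, even though the guard being removed in the inner hunk already encodes it as `LIBRESSL_VERSION_NUMBER >= 0x4000000fL` (4.0.0). Suggest opening with `LibreSSL in -current (4.0) works correctly with in-place ChaCha20-Poly1305, so upstream's LIBRESSL_VERSION_NUMBER >= 0x4000000fL guard is not needed here.` and keeping the `To be dropped after LibreSSL 4.` line. Because the patch deletes the version check outright instead of lowering its threshold, a build of this port against LibreSSL 3.9.x would re-enable the in-place path that the WT comment right below says is broken there, so the comment should also state that the patch assumes the -current LibreSSL and is not for -stable. The inner hunk shows only the tail of tls_aead(); its signature and the remainder of the switch are outside what is quoted.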
@@ -29,7 +29,7 @@ share/examples/haproxy/
 share/examples/haproxy/basic-config-edge.cfg
 share/examples/haproxy/content-sw-sample.cfg
 share/examples/haproxy/haproxy.cfg
-@sample ${HAPROXYCONF}/haproxy.cfg
+@sample ${SYSCONFDIR}/haproxy/haproxy.cfg
 share/examples/haproxy/option-http_proxy.cfg
 share/examples/haproxy/quick-test.cfg
 share/examples/haproxy/socks4.cfg
blob - a12dbcca94f88c66db215d8691031ece620e5dfb
blob + 7552730c88bf774e6cf73e3503887d62b69f5fea
--- net/haproxy/pkg/haproxy.rc
+++ net/haproxy/pkg/haproxy.rc
@@ -1,7 +1,7 @@ #!/bin/ksh
 daemon="${TRUEPREFIX}/sbin/haproxy"
-daemon_flags="-f ${HAPROXYCONF}/haproxy.cfg"
+daemon_flags="-f ${SYSCONFDIR}/haproxy/haproxy.cfg"
 . /etc/rc.d/rc.subr