Hi,

HAProxy 3.2.4 was released on 2025/08/13. It added 66 new commits after version 3.2.3. Even though it's still the summer vacation here, it contains a fair number of changes. Here is a summary of the main ones.

For the SSL stack, a regression in certificate selection is fixed which could cause issues if haproxy was configured with TLS 1.2 as the maximum supported version. Early-data support on the backend side is fixed, as it had been broken for some time: no data could be emitted before the handshake completed. Also, a behavior change occurs for dynamic certificate insertion via the CLI. The operation is relaxed: it is no longer required to specify the certificate directory. This requires extra care from the user, though, to ensure that the certificate is present accordingly on the filesystem so that it can still be accessed on reload.

The HTTP/1 multiplexer is now able to respond with error-files when encountering an early error prior to the stream creation, instead of plain internal errors.

The QUIC stack receives several fixes. Since 3.2, it is compatible with the OpenSSL 3.5 API. The current release adjusts the haproxy QUIC SSL library interface, as errors were reported with specific distribution/libc flavours. Speaking of distributions, QUIC listeners on FreeBSD were not functional if bound to a specific address. The upper multiplexer layer and HTTP/3 are also improved to now properly deal with HTTP 1xx interim responses. Also related to SSL 0-RTT, the header "Early-data: 1" is now added to requests handled by haproxy as QUIC 0-RTT if the handshake is not yet completed. This is helpful to inform servers that such requests should be processed carefully. Finally, an internal change in the stream notification mechanism is introduced, which is transparent to most users; however, if you have ever encountered frozen transfers, it could be a solution for this.

The ACME feature is experimental in the 3.2 branch, so we're still backporting improvements to this branch. We've fixed a number of bugs that were preventing it from working correctly with both the "pebble" and "smallstep" servers. Traces have also been added to display the content of decoded requests and responses from the server, which is very helpful for debugging. We've also implemented additional functionality for the DNS-01 challenge. HAProxy is now able to emit a JSON object containing the challenge token over the "dpapi" sink. The Data Plane API or a third-party tool can read this sink, set up the challenge, and then invoke the "acme challenge_ready" command via the CLI to continue the ACME process. We now meet the minimum requirements for DNS-01, which means you can now generate wildcards.

The httpclient is progressively refined as its usage is becoming more prevalent. Most notably, it is able to deal better with large transfers. It can also now properly handle interim and early HTTP responses.

On the Lua side, server iterator usage could cause a crash. Also, read and write events are now properly notified when using the socket class, to avoid an infinite wait when the write side has been blocked earlier. Finally, on the configuration side, the default-path keyword is now properly taken into account by lua-load-per-thread directives.

For resolvers, a delay tempo was previously introduced between two connection attempts to a DNS server. However, this could result in high CPU consumption due to the connection task being rescheduled in a loop. Now, the timer is properly reset after a successful connection, which is enough to solve the issue.

Log lines could be badly formatted under specific conditions, such as the generation of the unique-id fetch via the %ID notation. On macOS a crash is fixed when using master-worker and the system resolver.

Many thanks to all the people who contributed to this release. As usual, we encourage everyone to upgrade as soon as possible. And for those who are interested, do not hesitate to look at our development releases as this can give you a taste of the future 3.3 and it is a really valuable help to the developers.
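The "Early-data: 1" header mentioned above is the RFC 8470 signal that a request arrived in TLS/QUIC 0-RTT and may therefore have been replayed on the wire. What an origin server is expected to do with it is to serve only safe (idempotent, side-effect free) methods from early data and answer 425 Too Early for anything else, so the client retries once the handshake has completed. The following WSGI middleware is an added example of that origin-side check; it is not part of HAProxy or of this release, and the request environs it is driven with are constructed for the demonstration.

```python
"""Origin-side handling of the "Early-data: 1" request header (RFC 8470).

Added example, not HAProxy code. A request flagged as 0-RTT can be replayed
by an on-path attacker, so only methods that are safe to repeat are served
from early data; everything else gets 425 Too Early and is retried by the
client after the handshake completes.
"""

from wsgiref.util import setup_testing_defaults

# Methods RFC 9110 defines as safe (no server-side state change).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def is_early_data(environ):
    """True if the proxy marked this request as received in 0-RTT.

    WSGI exposes the "Early-data" header as HTTP_EARLY_DATA (names are
    case-insensitive on the wire); RFC 8470 defines "1" as the only value.
    """
    return environ.get("HTTP_EARLY_DATA", "").strip() == "1"


def too_early(method, environ):
    """Return True when the request must be refused with 425 Too Early."""
    return is_early_data(environ) and method.upper() not in SAFE_METHODS


class EarlyDataGuard:
    """WSGI middleware: rejects non-safe 0-RTT requests before the app runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        if too_early(method, environ):
            body = b"425 Too Early: retry after the TLS handshake completes\n"
            start_response("425 Too Early", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    """Placeholder application standing in for the real origin handler."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def run_request(method, path, early_data=None):
    """Drive the guarded app with a constructed WSGI environ.

    Returns (status line, response body) so the decision can be inspected
    without a network listener.
    """
    environ = {}
    setup_testing_defaults(environ)  # constructed request, no real socket
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    if early_data is not None:
        environ["HTTP_EARLY_DATA"] = early_data
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(EarlyDataGuard(_demo_app)(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # A GET in 0-RTT is served; a POST in 0-RTT is refused; a POST after
    # the handshake (no header) is served.
    for method, early in (("GET", "1"), ("POST", "1"), ("POST", None)):
        status, _ = run_request(method, "/transfer", early)
        print(f"{method:4} Early-data={early!s:4} -> {status}")
```

The check keys on the header value exactly as RFC 8470 defines it, so a stray `Early-data: 0` or an empty value is treated as a normal post-handshake request. If haproxy is the only hop that can add the header, the origin should also be configured so that clients cannot inject it themselves (for instance by deleting a client-supplied `Early-data` header in the frontend), otherwise the 425 path becomes client-controllable.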
#############################################################################################

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.2.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.2.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (12):
      BUG/MEDIUM: mux-quic: ensure Early-data header is set
      BUG/MEDIUM: h3: do not overwrite interim with final response
      BUG/MINOR: h3: properly realloc buffer after interim response encoding
      BUG/MINOR: h3: ensure that invalid status code are not encoded (FE side)
      MINOR: qmux: change API for snd_buf FIN transmission
      BUG/MEDIUM: h3: handle interim response properly on FE side
      MINOR: h3: remove unused outbuf in h3_resp_headers_send()
      BUG/MINOR: hq-interop: fix FIN transmission
      BUG/MINOR mux-quic: apply correctly timeout on output pending data
      BUG/MINOR: mux-quic: ensure close-spread-time is properly applied
      DOC: list missing global QUIC settings
      BUG/MEDIUM: mux-quic: adjust wakeup behavior

Aurelien DARRAGON (4):
      BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options
      BUG/MINOR: hlua: take default-path into account with lua-load-per-thread
      BUG/MEDIUM: hlua_fcn: ensure systematic watcher cleanup for server list iterator
      BUG/MINOR: logs: fix log-steps extra log origins selection

Christopher Faulet (17):
      BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet
      BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket
      BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket
      BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally established
      BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was xferred
      BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred
      BUG/MEDIUM: http-client: Ask for more room when request data cannot be xferred
      BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode
      BUG/MINOR: http-client: Reject any 101-switching-protocols response
      BUG/MEDIUM: http-client: Drain the request if an early response is received
      BUG/MEDIUM: http-client: Notify applet has more data to deliver until the EOM
      MINOR: h1-htx: Add function to format an HTX message in its H1 representation
      BUG/MINOR: mux-h1: Use configured error files if possible for early H1 errors
      BUG/MINOR: h1-htx: Don't forget to init flags in h1_format_htx_msg function
      BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init
      CLEANUP: http-client: Remove useless indentation when sending request body
      BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX buffer

David Carlier (2):
      DOC: deviceatlas build clarifications
      MINOR: sock: update broken accept4 detection for older hardwares.

Frederic Lecaille (3):
      MINOR: quic: Prevent QUIC build with OpenSSL 3.5 new QUIC API version < 3.5.1
      BUG/MEDIUM: quic: Crash after QUIC server callbacks restoration (OpenSSL 3.5)
      BUG/MINOR: quic: Wrong source address use on FreeBSD

Ilia Shipitsin (1):
      CLEANUP: acme: fix wrong spelling of "resources"

Lukas Tribus (2):
      DOC: management: fix typo in commit f4f93c56
      DOC: config: recommend single quoting passwords

Olivier Houchard (3):
      BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS
      BUG/MEDIUM: ssl: Fix 0rtt to the server
      BUG/MEDIUM: ssl: fix build with AWS-LC

Remi Tricot-Le Breton (2):
      CLEANUP: ssl: Rename ssl_trace-t.h to ssl_trace.h
      BUG/MINOR: init: Initialize random seed earlier in the init process

Valentine Krasnobaeva (2):
      BUG/MINOR: halog: exit with error when some output filters are set simultaneosly
      BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr instead of MAX_SESS_STKCTR

William Lallemand (15):
      BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
      BUG/MEDIUM: acme: use POST-as-GET instead of GET for resources
      MINOR: acme: remove acme_req_auth() and use acme_post_as_get() instead
      BUG/MINOR: acme: allow "processing" in challenge requests
      MINOR: acme: add ACME to the haproxy -vv feature list
      MINOR: acme: implement traces
      BUILD: acme: avoid declaring TRACE_SOURCE in acme-t.h
      MINOR: acme: emit a log for DNS-01 challenge response
      MINOR: acme: emit the DNS-01 challenge details on the dpapi sink
      MEDIUM: acme: allow to wait and restart the task for DNS-01
      MINOR: acme: update the log for DNS-01
      BUG/MINOR: acme: possible integer underflow in acme_txt_record()
      MEDIUM: acme: use lowercase for challenge names in configuration
      DOC: management: clarify usage of -V with -c
      MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory

Willy Tarreau (3):
      BUG/MINOR: listener: really assign distinct IDs to shards
      BUILD: compat: provide relaxed versions of the MIN/MAX macros
      BUILD: compat: always set _POSIX_VERSION to ease comparisons

---

-- 
Amaury Denoyelle