Problem with option tune.ssl.force-private-cache

Discussion:

Maciej Małeta

2018-09-24 12:41:25 UTC

Hi,

i have problem with my haproxy 1.8.14
when i want start it, i
get error: tune.ssl.force-private-cache' cannot handle unexpected
argument 'false'
in version 1.5 it's work fine
what is wrong in 'false'
option?
I would be very grateful for your help.

Mapet

Lukas Tribus

2018-09-24 13:35:56 UTC

Permalink

Hello,

Post by Maciej MaÅeta
Hi,
i have problem with my haproxy 1.8.14
when i want start it, i get error: tune.ssl.force-private-cache' cannot handle unexpected argument 'false'
in version 1.5 it's work fine
what is wrong in 'false' option?
I would be very grateful for your help.

tune.ssl.force-private-cache is an option that does not accept any
arguments, including true or false. Unfortunately, unknown additional
arguments are silently ignored in haproxy <= 1.5.

This was fixed in haproxy 1.6; which correctly rejects this invalid
configuration.

What that means is that by configuring:
tune.ssl.force-private-cache false

You actually enabled private cache in haproxy 1.5, causing SSL cache
not to be shared between processes. However, this obviously only
affects you when you are using nbproc > 1.

I can see why the documentation about tune.ssl.force-private-cache
would be confusing, as it talks about being a boolean (which is
correct, internally, but doesn't belong in the documentation and only
makes users think they need to provide a boolean). I will send a patch
to replace "boolean" with "option" in the documentation, that should
clear up this misunderstanding.

Regards,
Lukas

Maciej Małeta

2018-09-25 07:14:37 UTC

Permalink

Hi,

On Mon, 24 Sep 2018 15:35:56 +0200, Lukas Tribus wrote:
Hello,

Post by Lukas Tribus

Hi,

i have problem with my haproxy 1.8.14 when i want start it, i get error:
tune.ssl.force-private-cache' cannot handle unexpected argument 'false'
in version 1.5 it's work fine what is wrong in 'false' option? I would
be very grateful for your help.

Post by Lukas Tribus
tune.ssl.force-private-cache is an

option that does not accept any

Post by Lukas Tribus
arguments, including true or false.

Unfortunately, unknown additional

Post by Lukas Tribus
arguments are silently ignored in

haproxy 1.

Post by Lukas Tribus
I can see why the documentation about

tune.ssl.force-private-cache

Post by Lukas Tribus
would be confusing, as it talks about

being a boolean (which is

Post by Lukas Tribus
correct, internally, but doesn't belong in

the documentation and only

Post by Lukas Tribus
makes users think they need to provide a

boolean). I will send a patch

Post by Lukas Tribus
to replace "boolean" with "option" in

the documentation, that should

Post by Lukas Tribus
clear up this misunderstanding.

Regards,

Post by Lukas Tribus
Lukas

Thank you very much, now i know how to use it.
Maciej

Links:
------
[1] mailto:***@inwencja.net