Thursday, 2021-06-17

spateljohnsom morning14:05
spatelDo you know about SSLv3 ?14:05
johnsomAre you spying on me and know I'm in early morning training again today?14:05
spatelIn my HAproxy i am seeing lots of SSL handshake issue and after doing tcpdump found all SSLv3 having issue14:06
johnsomI do know a lot about TLS/SSL.14:06
johnsomCan you provide the errors ( if the content is larger) or the pcap file?14:08
spateljohnsom -
spatelwe have so many client running windows 7 and look like they have trying to use SSLv3 to talk to my haproxy 14:33
spateli believe haproxy default not allow SSLv3 because of POODL attack 14:33
spateljohnsom i know SSLv3 is not secure but try to enable it to debug this issue to find out if client able to access or not14:45
johnsomOk, yeah, one second14:48
johnsomspatel which version of haproxy are you running?14:49
spatel2.4 latest14:49
spatelI want to enable SSLv3 for few minute to prove to my client its SSLv3 issue :)14:50
spatelbut haproxy not letting me enable haproxy14:50
spatelit does has library support of SSLv314:51
johnsomYeah, so you will need to set "ssl-min-ver SSLv3" in global   ssl-default-bind-options14:51
spateldoing it 14:53
spatelthat works! :)14:54
spatellet me test 14:54
spateljohnsom thank you so much :)15:04
spatelmy customer able to access application now that means they are all using SSLv3 15:04
spatelThis is china 15:04
spatelso lots of people using Windows 715:04
johnsomYeah, it may be some regional limitations.15:04
johnsomBTW, HAproxy has a slack channel and an IRC channel on if you need direct HAProxy support.15:05
spateli will sure join that 15:34
nicolasbockHi! Can I query Octavia to find out why a loadbalancer is PENDING_UPDATE? I have only incomplete logs and see messages such as `2021-06-16 06:31:48.599 14368 WARNING octavia.controller.healthmanager.health_manager [-] Load balancer 10e65047-56ec-4afb-b047-411411b6d313 is in immutable state PENDING_UPDATE. Skipping failover.`19:06
johnsomHi neighbor. We don't go into status details via the API, just like designate and neutron don't.  The details are in the worker of health manager logs.19:08
nicolasbockHi :)19:09
johnsomI would check that one of the controllers isn't actively working on that load balancer (PENDING status means a controller has ownership), as it is likely retrying some action against another service that is failing (nova, neutron, etc.)19:09
johnsomAll code paths lead back to either ACTIVE or ERROR once the retry timeouts expire.19:10
nicolasbockOk, good to know19:10
nicolasbockAh. So I would need the logs to say19:10
johnsomYeah, so first step is to check the controller logs to see which controller is retrying the action on that LB.19:11
opendevreviewMerged openstack/octavia stable/ussuri: Explicitely set nodeset to Bionic-based
opendevreviewMerged openstack/octavia stable/ussuri: Make /healthcheck cache results
opendevreviewMerged openstack/octavia stable/ussuri: Fix using subnets with host_routes in amphorav2 driver
johnsomnicolasbock Ping us back if you don't find one of the controllers scrolling retry logs.19:16
opendevreviewMerged openstack/octavia stable/ussuri: Validate user access to vip_subnet_id when creating a LB
opendevreviewMerged openstack/octavia stable/ussuri: Fix devstack cleanup when using amphorav2
opendevreviewMerged openstack/octavia stable/ussuri: Fix rsyslog configuration when disabling logs
opendevreviewMerged openstack/octavia stable/ussuri: Fix task_flow.max_workers with persistence in amphorav2
opendevreviewMerged openstack/octavia stable/ussuri: Optimize CountPoolChildrenForQuota task in amphorav2
opendevreviewMerged openstack/octavia stable/ussuri: Fix comment for the ca_certificates_file opt
opendevreviewMerged openstack/octavia stable/ussuri: Fix empty Batch Member Update to unlock objects
johnsomWhat? The backport backlog finally merging?22:42
rm_workyeah :D22:47
rm_worksuch merges22:47

Generated by 2.17.2 by Marius Gedminas - find it at!