Bump haproxy version to 3.2.8

[CFN-CI]

Automatic bump from version 2.8.16 to version 3.2.8, downloaded from https://www.haproxy.org/download/3.2/src/haproxy-3.2.8.tar.gz.

After merge, consider releasing a new version of haproxy-boshrelease.

Changelog for HAProxy 3.2.8.

Please also check list of known open bugs for HAProxy 3.2.8.

The developer's summary for this release can be found in the Announcement post for the HAProxy 3.2.8 release.

HAPROXY CHANGELOG between 3.2.8 and 2.8.0

2025/11/07 : 3.2.8
    - BUG/MEDIUM: mt_lists: Avoid el->prev = el->next = el
    - BUG/MEDIUM: applet: Improve again spinning loops detection with the new API
    - BUG/MINOR: stick-tables: properly index string-type keys
    - BUG/MEDIUM: mt_list: Use atomic operations to prevent compiler optims
    - MINOR: applet: do not put SE_FL_WANT_ROOM on rcv_buf() if the channel is empty
    - MINOR: cli: create cli_raw_rcv_buf() from the generic applet_raw_rcv_buf()
    - BUG/MEDIUM: cli: do not return ACKs one char at a time
    - MINOR: backend: srv_queue helper
    - MINOR: backend: srv_is_up converter
    - BUG/MEDIUM: ssl: Crash because of dangling ckch_store reference in a ckch instance
    - DOC: config: slightly clarify the ssl_fc_has_early() behavior
    - MINOR: ssl-sample: add ssl_fc_early_rcvd() to detect use of early data
    - MINOR: http: fix 405,431,501 default errorfile
    - BUG/MINOR: init: Do not close previously created fd in stdio_quiet
    - BUG/MINOR: resolvers: Apply dns-accept-family setting on additional records
    - BUG/MINOR: ssl: returns when SSL_CTX_new failed during init
    - BUG/MINOR: resolvers: ensure fair round robin iteration
    - OPTIM: backend: skip conn reuse for incompatible proxies
    - SCRIPTS: build-ssl: fix rpath in AWS-LC install for openssl and bssl bin
    - BUG/MEDIUM: mux-h1: fix 414 / 431 status code reporting
    - BUG/MEDIUM: mux-h2: make sure not to move a dead connection to idle
    - BUG/MEDIUM: connections: permit to permanently remove an idle conn
    - BUG/MEDIUM: server: close a race around ready_srv when deleting a server
    - BUG/MINOR: acme: wrong dns-01 challenge in the log

2025/10/23 : 3.2.7
    - BUG/MINOR: acme: avoid overflow when diff > notAfter
    - BUG/MINOr: hlua: Fix receive from HTTP applet by properly accounting data
    - BUG/MEDIUM: ssl: take care of second client hello
    - BUG/MINOR: ssl: always clear the remains of the first hello for the second one
    - BUG/MINOR: ssl: leak in ssl-f-use
    - BUG/MINOR: ssl: leak crtlist_name in ssl-f-use
    - BUILD: makefile: disable tail calls optimizations with memory profiling
    - BUG/MEDIUM: apppet: Improve spinning loop detection with the new API
    - BUG/MINOR: sink: retry attempt for sft server may never occur
    - MINOR: debug: add distro name and version in postmortem
    - BUG/MINOR: ssl: Free global_ssl structure contents during deinit
    - BUG/MINOR: ssl: Free key_base from global_ssl structure during deinit
    - BUG/MINOR: ssl: Potential NULL deref in trace macro
    - TESTS: quic: useless param for b_quic_dec_int()
    - BUG/MEDIUM: pools: fix crash on filtered "show pools" output
    - BUG/MINOR: pools: don't report "limited to the first X entries" by default
    - BUG/MAJOR: lb-chash: fix key calculation when using default hash-key id
    - BUILD: ssl: can't build when using -DLISTEN_DEFAULT_CIPHERS
    - BUG/MINOR: quic: too short PADDING frame for too short packets
    - MINOR: quic: restore QUIC_HP_SAMPLE_LEN constant
    - BUG/MEDIUM: stick-tables: Don't forget to dec count on failure.
    - BUG/MINOR: quic: check applet_putchk() for 'show quic' first line
    - DOC: clarify the experimental status for certain features
    - BUG/MEDIUM: threads/config: drop absent threads from thread groups
    - BUG/MEDIUM: mt_list: Make sure not to unlock the element twice
    - BUG/MEDIUM: cli: also free the trash chunk on the error path
    - BUG/MINOR: quic: SSL counters not handled
    - BUG/MAJOR: quic: uninitialized quic_conn_closed struct members
    - BUG/MEDIUM: h3: properly encode response after interim one in same buf
    - MINOR: ncbuf: extract common types
    - MINOR: ncbmbuf: define new ncbmbuf type
    - MINOR: ncbmbuf: implement add
    - MINOR: ncbmbuf: implement iterator bitmap utilities functions
    - MINOR: ncbmbuf: implement ncbmb_data()
    - MINOR: ncbmbuf: implement advance operation
    - MINOR: ncbmbuf: add tests as standalone mode
    - BUG/MAJOR: quic: use ncbmbuf for CRYPTO handling
    - BUG/MEDIUM: build: limit excessive and counter-productive gcc-15 vectorization
    - MINOR: acme: acme-vars allow to pass data to the dpapi sink
    - MINOR: acme: check acme-vars allocation during escaping
    - CLEANUP: acme: acme_will_expire() uses acme_schedule_date()
    - MINOR: acme: provider-name for dpapi sink
    - BUILD: acme: fix false positive null pointer dereference
    - MINOR: acme: implement "reuse-key" option
    - MEDIUM: acme: don't insert acme account key in ckchs_tree
    - BUG/MINOR: acme: memory leak from the config parser
    - MINOR: acme: add the dns-01-record field to the sink
    - MINOR: acme: display the complete challenge_ready command in the logs

2025/10/03 : 3.2.6
    - MINOR: stick-tables: limit the number of visited nodes during expiration
    - OPTIM: stick-tables: exit expiry faster when the update lock is held
    - MINOR: server: Parse sni and pool-conn-name expressions in a dedicated function
    - BUG/MEDIUM: server: Use sni as pool connection name for SSL server only
    - BUG/MINOR: server: Update healthcheck when server settings are changed via CLI
    - BUG/MINOR: tcpcheck: Don't use sni as pool-conn-name for non-SSL connections
    - MINOR: debug: report the process id in warnings and panics
    - DEBUG: stream: count the number of passes in the connect loop
    - MINOR: debug: report the number of loops and ctxsw for each thread
    - MINOR: debug: report the time since last wakeup and call
    - DEBUG: peers: export functions that use locks
    - MINOR: stick-table: permit stksess_new() to temporarily allocate more entries
    - MEDIUM: stick-tables: relax stktable_trash_oldest() to only purge what is needed
    - MEDIUM: stick-tables: give up on lock contention in process_table_expire()
    - MEDIUM: stick-tables: don't wait indefinitely in stktable_add_pend_updates()
    - MEDIUM: peers: don't even try to process updates under contention
    - MEDIUM: stick-table: move process_table_expire() to a single thread
    - MEDIUM: peers: move process_peer_sync() to a single thread
    - MINOR: activity: indicate the number of calls on "show tasks"
    - MINOR: tools: don't emit "+0" for symbol names which exactly match known ones
    - BUG/MEDIUM: resolvers: Properly cache do-resolv resolution
    - BUG/MINOR: resolvers: Restore round-robin selection on records in DNS answers
    - BUG/MEDIUM: resolvers: Test for empty tree when getting a record from DNS answer
    - BUG/MEDIUM: resolvers: Make resolution owns its hostname_dn value
    - BUG/MEDIUM: resolvers: Accept to create resolution without hostname
    - BUG/MEDIUM: resolvers: Wake resolver task up whne unlinking a stream requester
    - OPTIM: sink: reduce contention on sink_announce_dropped()
    - MEDIUM: dns: bind the nameserver sockets to the initiating thread
    - MEDIUM: resolvers: make the process_resolvers() task single-threaded
    - BUG/MINOR: acme/cli: wrong description for "acme challenge_ready"
    - BUG/MEDIUM: stick-tables: Don't let table_process_entry() handle refcnt
    - BUG/MINOR: pools: Fix the dump of pools info to deal with buffers limitations
    - BUILD: halog: misleading indentation in halog.c
    - CI: github: build halog on the vtest job
    - BUG/MINOR: acme: don't unlink from acme_ctx_destroy()
    - BUG/MEDIUM: acme: cfg_postsection_acme() don't init correctly acme sections
    - BUG/MEDIUM: acme: free() of i2d_X509_REQ() with AWS-LC
    - MINOR: sched: let's permit to share the local ctx between threads
    - MINOR: sched: pass the thread number to is_sched_alive()
    - BUG/MEDIUM: wdt: improve stuck task detection accuracy
    - MINOR: ssl: add the ssl_bc_sni sample fetch function to retrieve backend SNI
    - BUG/MINOR: compression: Test payload size only if content-length is specified
    - BUG/MINOR: pattern: Properly flag virtual maps as using samples
    - BUG/MINOR: acme: possible overflow on scheduling computation
    - BUG/MINOR: acme: possible overflow in acme_will_expire()
    - BUG/MINOR: pattern: Fix pattern lookup for map with opt@ prefix
    - BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file
    - MINOR: mt_list: Implement MT_LIST_POP_LOCKED()
    - BUG/MEDIUM: stick-tables: Make sure not to free a pending entry
    - MEDIUM: servers: Schedule the server requeue target on creation
    - MEDIUM: fwlc: Make it so fwlc_srv_reposition works with unqueued srv
    - BUG/MEDIUM: fwlc: Handle memory allocation failures.
    - DOC: config: clarify some known limitations of the json_query() converter
    - BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
    - BUG/MINOR: h2: forbid 'Z' as well in header field names checks
    - BUG/MINOR: h3: forbid 'Z' as well in header field names checks
    - BUG/MEDIUM: resolvers: break an infinite loop in resolv_get_ip_from_response()

2025/09/23 : 3.2.5
    - BUG/MEDIUM: stconn: Fix conditions to know an applet can get data from stream
    - BUG/MEDIUM: Remove sync sends from streams to applets
    - MINOR: quic: implement qc_ssl_do_hanshake()
    - BUG/MEDIUM: quic: listener connection stuck during handshakes (OpenSSL 3.5)
    - BUG/MINOR: mux-h1: fix wrong lock label
    - MEDIUM: dns: don't call connect to dest socket for AF_INET*
    - BUG/MINOR: spoe: Properly detect and skip empty NOTIFY frames
    - BUG/MEDIUM: cli: Report inbuf is no longer full when a line is consumed
    - BUG/MEDIUM: mworker: more verbose error upon loading failure
    - BUG/MEDIUM: mux-h2: fix crash on idle-ping due to unwanted ABORT_NOW
    - BUG/MEDIUM: ssl: apply ssl-f-use on every "ssl" bind
    - MINOR: dns: dns_connect_nameserver: fix fd leak at error path
    - BUG/MEDIUM: quic: reset padding when building GSO datagrams
    - BUG/MINOR: quic: do not emit probe data if CONNECTION_CLOSE requested
    - BUG/MAJOR: quic: fix INITIAL padding with probing packet only
    - BUG/MINOR: quic: don't coalesce probing and ACK packet of same type
    - MINOR: quic: centralize padding for HP sampling on packet building
    - MINOR: http_ana: fix typo in http_res_get_intercept_rule
    - BUG/MEDIUM: mux-spop: Reject connection attempts from a non-spop frontend
    - BUG/MEDIUM: http_ana: handle yield for "stats http-request" evaluation
    - BUG/MEDIUM: spoe: Improve error detection in SPOE applet on client abort
    - MINOR: sample: Add le2dec (little endian to decimal) sample fetch
    - MINOR: sample: Add base2 converter
    - BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets
    - MINOR: ssl: diagnostic warning when both 'default-crt' and 'strict-sni' are used
    - DOC: configuration: clarify 'default-crt' and implicit default certificates
    - MINOR: quic: remove ->offset qf_crypto struct field
    - BUG/MINOR: mux-quic: trace with non initialized qcc
    - BUG/MINOR: acl: set arg_list->kw to aclkw->kw string literal if aclkw is found
    - BUG/MEDIUM: mworker: fix startup and reload on macOS
    - BUG/MINOR: connection: rearrange union list members
    - BUG/MINOR: connection: remove extra session_unown_conn() on reverse
    - BUG/MINOR: server: decrement session idle_conns on del server
    - BUILD: mworker: fix ignoring return value of ‘read’
    - DOC: unreliable sockpair@ on macOS
    - DOC: configuration: confuse "strict-mode" with "zero-warning"
    - MINOR: doc: add missing statistics column
    - MINOR: doc: add missing statistics column
    - CLEANUP: quic: remove a useless CRYPTO frame variable assignment
    - BUG/MEDIUM: quic: CRYPTO frame freeing without eb_delete()
    - BUG/MAJOR: mux-quic: fix crash on reload during emission
    - REG-TESTS: map_redirect: Don't use hdr_dom in ACLs with "-m end" matching method
    - BUG/MEDIUM: server: Duplicate healthcheck's alpn inherited from default server
    - BUG/MINOR: halog: Add OOM checks for calloc() in filter_count_srv_status() and filter_count_url()
    - BUG/MINOR: log: Add OOM checks for calloc() and malloc() in logformat parser and dup_logger()
    - BUG/MINOR: acl: Add OOM check for calloc() in smp_fetch_acl_parse()
    - BUG/MINOR: cfgparse: Add OOM check for calloc() in cfg_parse_listen()
    - BUG/MINOR: compression: Add OOM check for calloc() in parse_compression_options()
    - BUG/MINOR: tools: Add OOM check for malloc() in indent_msg()
    - BUG/MINOR: quic: ignore AGAIN ncbuf err when parsing CRYPTO frames
    - BUG/MINOR: quic: fix room check if padding requested
    - BUG/MINOR: quic: fix padding issue on INITIAL retransmit
    - BUG/MINOR: haproxy: be sure not to quit too early on soft stop
    - BUILD: acl: silence a possible null deref warning in parse_acl_expr()
    - MINOR: quic: Add more information about RX packets
    - BUG/MEDIUM: stick-tables: don't leave the expire loop with elements deleted
    - BUG/MINOR: stick-tables: never leave used entries without expiration
    - BUG/MEDIUM: peers: don't fail twice to grab the update lock
    - BUG/MINOR: check: ensure check-reuse is compatible with SSL
    - BUG/MINOR: check: fix dst address when reusing a connection
    - REGTESTS: explicitly use "balance roundrobin" where RR is needed
    - BUG/MEDIUM: conn: fix UAF on connection after reversal on edge
    - BUG/MINOR: connection: streamline conn detach from lists
    - BUG/MINOR: log: fix potential memory leak upon error in add_to_logformat_list()
    - BUILD: trace: silence a bogus build warning at -Og
    - BUG/MINOR: cpu_topo: work around a small bug in musl's CPU_ISSET()
    - CLEANUP: quic: fix typo in quic_tx trace
    - BUG/MEDIUM: mux-h2: Reset MUX blocking flags when a send error is caught
    - BUG/MEDIUM: mux-h2; Don't block reveives in H2_CS_ERROR and H2_CS_ERROR2 states
    - BUG/MEDIUM: mux-h2: Restart reading when mbuf ring is no longer full
    - BUG/MINOR: mux-h2: Remove H2_CF_DEM_DFULL flags when the demux buffer is reset
    - BUG/MEDIUM: mux-h2: Report RST/error to app-layer stream during 0-copy fwding
    - BUG/MEDIUM: mux-h2: Reinforce conditions to report an error to app-layer stream
    - OPTIM: check: do not delay MUX for ALPN if SSL not active
    - BUG/MEDIUM: checks: fix ALPN inheritance from server
    - BUG/MEDIUM: h1: Allow reception if we have early data
    - BUG/MEDIUM: ssl: create the mux immediately on early data
    - BUG/MINOR: activity: fix reporting of task latency
    - BUG/MEDIUM: stick-tables: don't loop on non-expirable entries
    - BUG/MINOR: stick-table: make sure never to miss a process_table_expire update
    - BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval
    - BUG/MAJOR: stream: Force channel analysis on successful synchronous send
    - BUG/MINOR: acme: null pointer dereference upon allocation failure
    - BUG/MEDIUM: jws: return size_t in JWS functions
    - BUG/MINOR: ssl: Potential NULL deref in trace macro
    - BUG/MINOR: ssl: Fix potential NULL deref in trace callback
    - BUG/MINOR: ocsp: prototype inconsistency
    - BUG/MEDIUM: http_ana: fix potential NULL deref in http_process_req_common()
    - BUG/MINOR: ocsp: Crash when updating CA during ocsp updates
    - BUG/MINOR: resolvers: always normalize FQDN from response
    - BUG/MEDIUM: ring: invert the length check to avoid an int overflow
    - DEBUG: stick-tables: export stktable_add_pend_updates() for better reporting
    - BUG/MEDIUM: pattern: fix possible infinite loops on deletion (try 2)

2025/08/13 : 3.2.4
    - DOC: deviceatlas build clarifications
    - BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
    - BUG/MEDIUM: acme: use POST-as-GET instead of GET for resources
    - MINOR: acme: remove acme_req_auth() and use acme_post_as_get() instead
    - BUG/MINOR: acme: allow "processing" in challenge requests
    - CLEANUP: acme: fix wrong spelling of "resources"
    - MINOR: acme: add ACME to the haproxy -vv feature list
    - MINOR: acme: implement traces
    - BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet
    - BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket
    - BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket
    - BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally established
    - BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options
    - BUG/MINOR: hlua: take default-path into account with lua-load-per-thread
    - BUG/MEDIUM: mux-quic: ensure Early-data header is set
    - CLEANUP: ssl: Rename ssl_trace-t.h to ssl_trace.h
    - BUILD: acme: avoid declaring TRACE_SOURCE in acme-t.h
    - BUG/MEDIUM: hlua_fcn: ensure systematic watcher cleanup for server list iterator
    - MINOR: acme: emit a log for DNS-01 challenge response
    - MINOR: acme: emit the DNS-01 challenge details on the dpapi sink
    - MEDIUM: acme: allow to wait and restart the task for DNS-01
    - MINOR: acme: update the log for DNS-01
    - BUG/MINOR: acme: possible integer underflow in acme_txt_record()
    - MEDIUM: acme: use lowercase for challenge names in configuration
    - DOC: management: clarify usage of -V with -c
    - MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
    - BUG/MINOR: listener: really assign distinct IDs to shards
    - MINOR: quic: Prevent QUIC build with OpenSSL 3.5 new QUIC API version < 3.5.1
    - BUG/MEDIUM: quic: Crash after QUIC server callbacks restoration (OpenSSL 3.5)
    - BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was xferred
    - BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred
    - BUG/MEDIUM: http-client: Ask for more room when request data cannot be xferred
    - BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode
    - BUG/MINOR: http-client: Reject any 101-switching-protocols response
    - BUG/MEDIUM: http-client: Drain the request if an early response is received
    - BUG/MEDIUM: http-client: Notify applet has more data to deliver until the EOM
    - MINOR: h1-htx: Add function to format an HTX message in its H1 representation
    - BUG/MINOR: mux-h1: Use configured error files if possible for early H1 errors
    - BUG/MINOR: h1-htx: Don't forget to init flags in h1_format_htx_msg function
    - BUG/MEDIUM: h3: do not overwrite interim with final response
    - BUG/MINOR: h3: properly realloc buffer after interim response encoding
    - BUG/MINOR: h3: ensure that invalid status code are not encoded (FE side)
    - MINOR: qmux: change API for snd_buf FIN transmission
    - BUG/MEDIUM: h3: handle interim response properly on FE side
    - BUG/MINOR: quic: Wrong source address use on FreeBSD
    - MINOR: h3: remove unused outbuf in h3_resp_headers_send()
    - BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init
    - BUG/MINOR: halog: exit with error when some output filters are set simultaneosly
    - BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS
    - BUG/MINOR: logs: fix log-steps extra log origins selection
    - BUG/MINOR: hq-interop: fix FIN transmission
    - BUG/MINOR mux-quic: apply correctly timeout on output pending data
    - BUG/MINOR: mux-quic: ensure close-spread-time is properly applied
    - CLEANUP: http-client: Remove useless indentation when sending request body
    - DOC: list missing global QUIC settings
    - BUILD: compat: provide relaxed versions of the MIN/MAX macros
    - BUILD: compat: always set _POSIX_VERSION to ease comparisons
    - BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr instead of MAX_SESS_STKCTR
    - MINOR: sock: update broken accept4 detection for older hardwares.
    - BUG/MEDIUM: ssl: Fix 0rtt to the server
    - BUG/MEDIUM: ssl: fix build with AWS-LC
    - BUG/MINOR: init: Initialize random seed earlier in the init process
    - DOC: management: fix typo in commit f4f93c56
    - DOC: config: recommend single quoting passwords
    - BUG/MEDIUM: mux-quic: adjust wakeup behavior
    - BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX buffer

2025/07/09 : 3.2.3
    - CI: enable USE_QUIC=1 for OpenSSL versions >= 3.5.0
    - CI: github: add an OpenSSL 3.5.0 job
    - CI: github: update the stable CI to ubuntu-24.04
    - BUILD: quic: QUIC build against OpenSSL 3.5 broken
    - BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5
    - CI: github: update to OpenSSL 3.5.1
    - BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits (OpenSSL 3.5 QUIC API)
    - BUG/MINOR: ssl/ocsp: fix definition discrepancies with ocsp_update_init()
    - BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections
    - BUG/MINOR: http-act: Fix parsing of the expression argument for pause action
    - BUILD/MEDIUM: deviceatlas: fix when installed in custom locations.

2025/07/02 : 3.2.2
    - BUG/MINOR: config/server: reject QUIC addresses
    - BUG/MINOR: http-ana: Properly handle keep-query redirect option if no QS
    - BUG/MINOR: quic: Fix OSSL_FUNC_SSL_QUIC_TLS_got_transport_params_fn callback (OpenSSL3.5)
    - BUG/MEDIUM: cli: Don't consume data if outbuf is full or not available
    - MINOR: cli: handle EOS/ERROR first
    - BUG/MEDIUM: check: Set SOCKERR by default when a connection error is reported
    - DOC: config: prefer-last-server: add notes for non-deterministic algorithms
    - BUG/MINOR: mux-quic/h3: properly handle too low peer fctl initial stream
    - BUG/MAJOR: fwlc: Count an avoided server as unusable.
    - MINOR: fwlc: Factorize code.
    - BUG/MINOR: tools: only reset argument start upon new argument
    - BUG/MINOR: stream: Avoid recursive evaluation for unique-id based on itself
    - BUG/MINOR: log: Be able to use %ID alias at anytime of the stream's evaluation
    - DOC: configuration: add details on prefer-client-ciphers
    - BUG/MINOR: quic: wrong QUIC_FT_CONNECTION_CLOSE(0x1c) frame encoding
    - MINOR: quic: Useless TX buffer size reduction in closing state
    - DOC: config: crt-list clarify default cert + cert-bundle
    - SCRIPTS: drop the HTML generation from announce-release
    - BUG/MINOR: tools: use my_unsetenv instead of unsetenv
    - MINOR: ssl: check TLS1.3 ciphersuites again in clienthello with recent AWS-LC
    - BUG/MEDIUM: hlua: Forbid any L6/L7 sample fetche functions from lua services
    - BUG/MEDIUM: mux-h2: Properly handle connection error during preface sending
    - BUG/MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter
    - DOC: Fix 'jwt_verify' converter doc
    - BUG/MINOR: httpclient: wrongly named httpproxy flag
    - BUILD: dev/phash: remove the accidentally committed a.out file

2025/06/11 : 3.2.1
    - BUILD: tools: properly define ha_dump_backtrace() to avoid a build warning
    - DOC: config: Fix a typo in 2.7 (Name format for maps and ACLs)
    - BUG/MAJOR: leastconn: Protect tree_elt with the lbprm lock
    - BUG/MEDIUM: check: Requeue healthchecks on I/O events to handle check timeout
    - BUG/MINOR: mux-spop: Fix null-pointer deref on SPOP stream allocation failure
    - BUG/MEDIUM: cli: Properly parse empty lines and avoid crashed
    - BUG/MINOR: config: emit warning for empty args only in discovery mode
    - BUG/MINOR: config: fix arg number reported on empty arg warning
    - BUG/MINOR: quic: Missing SSL session object freeing
    - BUG/MEDIUM: fd: Use the provided tgid in fd_insert() to get tgroup_info
    - BUG/MINIR: h1: Fix doc of 'accept-unsafe-...-request' about URI parsing

2025/05/28 : 3.2.0
    - MINOR: promex: Add agent check status/code/duration metrics
    - MINOR: ssl: support strict-sni in ssl-default-bind-options
    - MINOR: ssl: also provide the "tls-tickets" bind option
    - MINOR: server: define CLI I/O handler for "add server"
    - MINOR: server: implement "add server help"
    - MINOR: server: use stress mode for "add server help"
    - BUG/MEDIUM: server: fix crash after duplicate GUID insertion
    - BUG/MEDIUM: server: fix potential null-deref after previous fix
    - MINOR: config: list recently added sections with -dKcfg
    - BUG/MAJOR: cache: Crash because of wrong cache entry deleted
    - DOC: configuration: fix the example in crt-store
    - DOC: config: clarify the wording around single/double quotes
    - DOC: config: clarify the legacy cookie and header captures
    - DOC: config: fix alphabetical ordering of layer 7 sample fetch functions
    - DOC: config: fix alphabetical ordering of layer 6 sample fetch functions
    - DOC: config: fix alphabetical ordering of layer 5 sample fetch functions
    - DOC: config: fix alphabetical ordering of layer 4 sample fetch functions
    - DOC: config: fix alphabetical ordering of internal sample fetch functions
    - BUG/MINOR: h3: Set HTX flags corresponding to the scheme found in the request
    - BUG/MEDIUM: h3: Declare absolute URI as normalized when a :authority is found
    - DOC: config: mention in bytes_in and bytes_out that they're read on input
    - DOC: config: clarify the basics of ACLs (call point, multi-valued etc)
    - REGTESTS: Make the script testing conditional set-var compatible with Vtest2
    - REGTESTS: Explicitly allow failing shell commands in some scripts
    - MINOR: listeners: Add support for a label on bind line
    - BUG/MEDIUM: cli/ring: Properly handle shutdown in "show event" I/O handler
    - BUG/MEDIUM: hlua: Properly detect shudowns for TCP applets based on the new API
    - BUG/MEDIUM: hlua: Fix getline() for TCP applets to work with applet's buffers
    - BUG/MEDIUM: hlua: Fix receive API for TCP applets to properly handle shutdowns
    - CI: vtest: Rely on VTest2 to run regression tests
    - CI: vtest: Fix the build script to properly work on MaOS
    - CI: combine AWS-LC and AWS-LC-FIPS by template
    - BUG/MEDIUM: httpclient: Throw an error if an lua httpclient instance is reused
    - DOC: hlua: Add a note to warn user about httpclient object reuse
    - DOC: hlua: fix a few typos in HTTPMessage.set_body_len() documentation
    - DEV: patchbot: prepare for new version 3.3-dev
    - MINOR: version: mention that it's 3.2 LTS now.

2025/05/21 : 3.2-dev17
    - DOC: configuration: explicit multi-choice on bind shards option
    - BUG/MINOR: sink: detect and warn when using "send-proxy" options with ring servers
    - BUG/MEDIUM: peers: also limit the number of incoming updates
    - MEDIUM: hlua: Add function to change the body length of an HTTP Message
    - BUG/MEDIUM: stconn: Disable 0-copy forwarding for filters altering the payload
    - BUG/MINOR: h3: don't insert more than one Host header
    - BUG/MEDIUM: h1/h2/h3: reject forbidden chars in the Host header field
    - DOC: config: properly index "table and "stick-table" in their section
    - DOC: management: change reference to configuration manual
    - BUILD: debug: mark ha_crash_now() as attribute(noreturn)
    - IMPORT: slz: avoid multiple shifts on 64-bits
    - IMPORT: slz: support crc32c for lookup hash on sse4 but only if requested
    - IMPORT: slz: use a better hash for machines with a fast multiply
    - IMPORT: slz: fix header used for empty zlib message
    - IMPORT: slz: silence a build warning on non-x86 non-arm
    - BUG/MAJOR: leastconn: do not loop forever when facing saturated servers
    - BUG/MAJOR: queue: properly keep count of the queue length
    - BUG/MINOR: quic: fix crash on quic_conn alloc failure
    - BUG/MAJOR: leastconn: never reuse the node after dropping the lock
    - MINOR: acme: renewal notification over the dpapi sink
    - CLEANUP: quic: Useless BIO_METHOD initialization
    - MINOR: quic: Add useful error traces about qc_ssl_sess_init() failures
    - MINOR: quic: Allow the use of the new OpenSSL 3.5.0 QUIC TLS API (to be completed)
    - MINOR: quic: implement all remaining callbacks for OpenSSL 3.5 QUIC API
    - MINOR: quic: OpenSSL 3.5 internal QUIC custom extension for transport parameters reset
    - MINOR: quic: OpenSSL 3.5 trick to support 0-RTT
    - DOC: update INSTALL for QUIC with OpenSSL 3.5 usages
    - DOC: management: update 'acme status'
    - BUG/MEDIUM: wdt: always ignore the first watchdog wakeup
    - CLEANUP: wdt: clarify the comments on the common exit path
    - BUILD: ssl: avoid possible printf format warning in traces
    - BUILD: acme: fix build issue on 32-bit archs with 64-bit time_t
    - DOC: management: precise some of the fields of "show servers conn"
    - BUG/MEDIUM: mux-quic: fix BUG_ON() on rxbuf alloc error
    - DOC: watchdog: update the doc to reflect the recent changes
    - BUG/MEDIUM: acme: check if acme domains are configured
    - BUG/MINOR: acme: fix formatting issue in error and logs
    - EXAMPLES: lua: avoid screen refresh effect in "trisdemo"
    - CLEANUP: quic: remove unused cbuf module
    - MINOR: quic: move function to check stream type in utils
    - MINOR: quic: refactor handling of streams after MUX release
    - MINOR: quic: add some missing includes
    - MINOR: quic: adjust quic_conn-t.h include list
    - CLEANUP: cfgparse: alphabetically sort the global keywords
    - MINOR: glitches: add global setting "tune.glitches.kill.cpu-usage"

2025/05/14 : 3.2-dev16
    - BUG/MEDIUM: mux-quic: fix crash on invalid fctl frame dereference
    - DEBUG: pool: permit per-pool UAF configuration
    - MINOR: acme: add the global option 'acme.scheduler'
    - DEBUG: pools: add a new integrity mode "backup" to copy the released area
    - MEDIUM: sock-inet: re-check IPv6 connectivity every 30s
    - BUG/MINOR: ssl: doesn't fill conf->crt with first arg
    - BUG/MINOR: ssl: prevent multiple 'crt' on the same ssl-f-use line
    - BUG/MINOR: ssl/ckch: always free() the previous entry during parsing
    - MINOR: tools: ha_freearray() frees an array of string
    - BUG/MINOR: ssl/ckch: always ha_freearray() the previous entry during parsing
    - MINOR: ssl/ckch: warn when the same keyword was used twice
    - BUG/MINOR: threads: fix soft-stop without multithreading support
    - BUG/MINOR: tools: improve parse_line()'s robustness against empty args
    - BUG/MINOR: cfgparse: improve the empty arg position report's robustness
    - BUG/MINOR: server: dont depend on proxy for server cleanup in srv_drop()
    - BUG/MINOR: server: perform lbprm deinit for dynamic servers
    - MINOR: http: add a function to validate characters of :authority
    - BUG/MEDIUM: h2/h3: reject some forbidden chars in :authority before reassembly
    - MINOR: quic: account Tx data per stream
    - MINOR: mux-quic: account Rx data per stream
    - MINOR: quic: add stream format for "show quic"
    - MINOR: quic: display QCS info on "show quic stream"
    - MINOR: quic: display stream age
    - BUG/MINOR: cpu-topo: fix group-by-cluster policy for disordered clusters
    - MINOR: cpu-topo: add a new "group-by-ccx" CPU policy
    - MINOR: cpu-topo: provide a function to sort clusters by average capacity
    - MEDIUM: cpu-topo: change "performance" to consider per-core capacity
    - MEDIUM: cpu-topo: change "efficiency" to consider per-core capacity
    - MEDIUM: cpu-topo: prefer grouping by CCX for "performance" and "efficiency"
    - MEDIUM: config: change default limits to 1024 threads and 32 groups
    - BUG/MINOR: hlua: Fix Channel:data() and Channel:line() to respect documentation
    - DOC: config: Fix a typo in the "term_events" definition
    - BUG/MINOR: spoe: Don't report error on applet release if filter is in DONE state
    - BUG/MINOR: mux-spop: Don't report error for stream if ACK was already received
    - BUG/MINOR: mux-spop: Make the demux stream ID a signed integer
    - BUG/MINOR: mux-spop: Don't open new streams for SPOP connection on error
    - MINOR: mux-spop: Don't set SPOP connection state to FRAME_H after ACK parsing
    - BUG/MEDIUM: mux-spop: Remove frame parsing states from the SPOP connection state
    - BUG/MEDIUM: mux-spop: Properly handle CLOSING state
    - BUG/MEDIUM: spop-conn: Report short read for partial frames payload
    - BUG/MEDIUM: mux-spop: Properly detect truncated frames on demux to report error
    - BUG/MEDIUM: mux-spop; Don't report a read error if there are pending data
    - DEBUG: mux-spop: Review some trace messages to adjust the message or the level
    - DOC: config: move address formats definition to section 2
    - DOC: config: move stick-tables and peers to their own section
    - DOC: config: move the extraneous sections out of the "global" definition
    - CI: AWS-LC(fips): enable unit tests
    - CI: AWS-LC: enable unit tests
    - CI: compliance: limit run on forks only to manual + cleanup
    - CI: musl: enable unit tests
    - CI: QuicTLS (weekly): limit run on forks only to manual dispatch
    - CI: WolfSSL: enable unit tests

2025/05/09 : 3.2-dev15
    - BUG/MEDIUM: stktable: fix sc_*(<ctr>) BUG_ON() regression with ctx > 9
    - BUG/MINOR: acme/cli: don't output error on success
    - BUG/MINOR: tools: do not create an empty arg from trailing spaces
    - MEDIUM: config: warn about the consequences of empty arguments on a config line
    - MINOR: tools: make parse_line() provide hints about empty args
    - MINOR: cfgparse: visually show the input line on empty args
    - BUG/MINOR: tools: always terminate empty lines
    - BUG/MINOR: tools: make parseline report the required space for the trailing 0
    - DEBUG: threads: don't keep lock label "OTHER" in the per-thread history
    - DEBUG: threads: merge successive idempotent lock operations in history
    - DEBUG: threads: display held locks in threads dumps
    - BUG/MINOR: proxy: only use proxy_inc_fe_cum_sess_ver_ctr() with frontends
    - Revert "BUG/MEDIUM: mux-spop: Handle CLOSING state and wait for AGENT DISCONNECT frame"
    - MINOR: acme/cli: 'acme status' show the status acme-configured certificates
    - MEDIUM: acme/ssl: remove 'acme ps' in favor of 'acme status'
    - DOC: configuration: add "acme" section to the keywords list
    - DOC: configuration: add the "crt-store" keyword
    - BUG/MAJOR: queue: lock around the call to pendconn_process_next_strm()
    - MINOR: ssl: add filename and linenum for ssl-f-use errors
    - BUG/MINOR: ssl: can't use crt-store some certificates in ssl-f-use
    - BUG/MINOR: tools: only fill first empty arg when not out of range
    - MINOR: debug: bump the dump buffer to 8kB
    - MINOR: stick-tables: add "ipv4" as an alias for the "ip" type
    - MINOR: quic: extend return value during TP parsing
    - BUG/MINOR: quic: use proper error code on missing CID in TPs
    - BUG/MINOR: quic: use proper error code on invalid server TP
    - BUG/MINOR: quic: reject retry_source_cid TP on server side
    - BUG/MINOR: quic: use proper error code on invalid received TP value
    - BUG/MINOR: quic: fix TP reject on invalid max-ack-delay
    - BUG/MINOR: quic: reject invalid max_udp_payload size
    - BUG/MEDIUM: peers: hold the refcnt until updating ts->seen
    - BUG/MEDIUM: stick-tables: close a tiny race in __stksess_kill()
    - BUG/MINOR: cli: fix too many args detection for commands
    - MINOR: server: ensure server postparse tasks are run for dynamic servers
    - BUG/MEDIUM: stick-table: always remove update before adding a new one
    - BUG/MEDIUM: quic: free stream_desc on all data acked
    - BUG/MINOR: cfgparse: consider the special case of empty arg caused by \x00
    - DOC: config: recommend disabling libc-based resolution with resolvers

2025/05/02 : 3.2-dev14
    - MINOR: acme: retry label always do a request
    - MINOR: acme: does not leave task for next request
    - BUG/MINOR: acme: reinit the retries only at next request
    - MINOR: acme: change the default max retries to 5
    - MINOR: acme: allow a delay after a valid response
    - MINOR: acme: wait 5s before checking the challenges results
    - MINOR: acme: emit a log when starting
    - MINOR: acme: delay of 5s after the finalize
    - BUG/MEDIUM: quic: Let it be known if the tasklet has been released.
    - BUG/MAJOR: tasks: fix task accounting when killed
    - CLEANUP: tasks: use the local state, not t->state, to check for tasklets
    - DOC: acme: external account binding is not supported
    - MINOR: hlua: ignore "tune.lua.bool-sample-conversion" if set after "lua-load"
    - MEDIUM: peers: Give up if we fail to take locks in hot path
    - MEDIUM: stick-tables: defer adding updates to a tasklet
    - MEDIUM: stick-tables: Limit the number of old entries we remove
    - MEDIUM: stick-tables: Limit the number of entries we expire
    - MINOR: cfgparse-global: add explicit error messages in cfg_parse_global_env_opts
    - MINOR: ssl: add function to extract X509 notBefore date in time_t
    - BUILD: acme: need HAVE_ASN1_TIME_TO_TM
    - MINOR: acme: move the acme task init in a dedicated function
    - MEDIUM: acme: add a basic scheduler
    - MINOR: acme: emit a log when the scheduler can't start the task

2025/04/30 : 3.2-dev13
    - MEDIUM: checks: Make sure we return the tasklet from srv_chk_io_cb
    - MEDIUM: listener: Make sure w ereturn the tasklet from accept_queue_process
    - MEDIUM: mux_fcgi: Make sure we return the tasklet from fcgi_deferred_shut
    - MEDIUM: quic: Make sure we return the tasklet from qcc_io_cb
    - MEDIUM: quic: Make sure we return NULL in quic_conn_app_io_cb if needed
    - MEDIUM: quic: Make sure we return the tasklet from quic_accept_run
    - BUG/MAJOR: tasklets: Make sure he tasklet can't run twice
    - BUG/MAJOR: listeners: transfer connection accounting when switching listeners
    - MINOR: ssl/cli: add a '-t' option to 'show ssl sni'
    - DOC: config: fix ACME paragraph rendering issue
    - DOC: config: clarify log-forward "host" option
    - MINOR: promex: expose ST_I_PX_RATE (current_session_rate)
    - BUILD: acme: use my_strndup() instead of strndup()
    - BUILD: leastconn: fix build warning when building without threads on old machines
    - MINOR: threads: prepare DEBUG_THREAD to receive more values
    - MINOR: threads: turn the full lock debugging to DEBUG_THREAD=2
    - MEDIUM: threads: keep history of taken locks with DEBUG_THREAD > 0
    - MINOR: threads/cli: display the lock history on "show threads"
    - MEDIUM: thread: set DEBUG_THREAD to 1 by default
    - BUG/MINOR: ssl/acme: free EVP_PKEY upon error
    - MINOR: acme: separate the code generating private keys
    - MINOR: acme: failure when no directory is specified
    - MEDIUM: acme: generate the account file when not found
    - MEDIUM: acme: use 'crt-base' to load the account key
    - MINOR: compiler: add more macros to detect macro definitions
    - MINOR: cli: split APPCTX_CLI_ST1_PROMPT into two distinct flags
    - MEDIUM: cli: make the prompt mode configurable between n/i/p
    - MEDIUM: mcli: make the prompt mode configurable between i/p
    - MEDIUM: mcli: replicate the current mode when enterin the worker process
    - DOC: configuration: acme account key are auto generated
    - CLEANUP: acme: remove old TODO for account key
    - DOC: configuration: add quic4 to the ssl-f-use example
    - BUG/MINOR: acme: does not try to unlock after a failed trylock
    - BUG/MINOR: mux-h2: fix the offset of the pattern for the ping frame
    - MINOR: tcp: add support for setting TCP_NOTSENT_LOWAT on both sides
    - BUG/MINOR: acme: creating an account should not end the task
    - MINOR: quic: rename min/max fields for congestion window algo
    - MINOR: quic: refactor BBR API
    - BUG/MINOR: quic: ensure cwnd limits are always enforced
    - MINOR: thread: define cshared type
    - MINOR: quic: account for global congestion window
    - MEDIUM: quic: limit global Tx memory
    - MEDIUM: acme: use a map to store tokens and thumbprints
    - BUG/MINOR: acme: remove references to virt@acme
    - MINOR: applet: add appctx_schedule() macro
    - BUG/MINOR: dns: add tempo between 2 connection attempts for dns servers
    - CLEANUP: dns: remove unused dns_stream_server struct member
    - BUG/MINOR: dns: prevent ds accumulation within dss
    - CLEANUP: proxy: mention that px->conn_retries isn't relevant in some cases
    - DOC: ring: refer to newer RFC5424
    - MINOR: tools: make my_strndup() take a size_t len instead of and int
    - MINOR: Add "sigalg" to "sigalg name" helper function
    - MINOR: ssl: Add traces to ssl init/close functions
    - MINOR: ssl: Add traces to recv/send functions
    - MINOR: ssl: Add traces to ssl_sock_io_cb function
    - MINOR: ssl: Add traces around SSL_do_handshake call
    - MINOR: ssl: Add traces to verify callback
    - MINOR: ssl: Add ocsp stapling callback traces
    - MINOR: ssl: Add traces to the switchctx callback
    - MINOR: ssl: Add traces about sigalg extension parsing in clientHello callback
    - MINOR: Add 'conn' param to ssl_sock_chose_sni_ctx
    - BUG/MEDIUM: mux-spop: Wait end of handshake to declare a spop connection ready
    - BUG/MEDIUM: mux-spop: Handle CLOSING state and wait for AGENT DISCONNECT frame
    - BUG/MINOR: mux-h1: Don't pretend connection was released for TCP>H1>H2 upgrade
    - BUG/MINOR: mux-h1: Fix trace message in h1_detroy() to not relay on connection
    - BUILD: ssl: Fix wolfssl build
    - BUG/MINOR: mux-spop: Use the right bitwise operator in spop_ctl()
    - MEDIUM: mux-quic: increase flow-control on each bufsize
    - MINOR: mux-quic: limit emitted MSD frames count per qcs
    - MINOR: add hlua_yield_asap() helper
    - MINOR: hlua_fcn: enforce yield after *_get_stats() methods
    - DOC: config: restore default values for resolvers hold directive
    - MINOR: ssl/cli: "acme ps" shows the acme tasks
    - MINOR: acme: acme_ctx_destroy() returns upon NULL
    - MINOR: acme: use acme_ctx_destroy() upon error
    - MEDIUM: tasks: Mutualize code between tasks and tasklets.
    - MEDIUM: tasks: More code factorization
    - MEDIUM: tasks: Remove TASK_IN_LIST and use TASK_QUEUED instead.
    - MINOR: tasks: Remove unused tasklet_remove_from_tasklet_list
    - MEDIUM: tasks: Mutualize the TASK_KILLED code between tasks and tasklets
    - BUG/MEDIUM: connections: Report connection closing in conn_create_mux()
    - BUILD/MEDIUM: quic: Make sure we build with recent changes

2025/04/25 : 3.2-dev12
    - BUG/MINOR: quic: do not crash on CRYPTO ncbuf alloc failure
    - BUG/MINOR: proxy: always detach a proxy from the names tree on free()
    - CLEANUP: proxy: detach the name node in proxy_free_common() instead
    - CLEANUP: Slightly reorder some proxy option flags to free slots
    - MINOR: proxy: Add options to drop HTTP trailers during message forwarding
    - MINOR: h1-htx: Skip C-L and T-E headers for 1xx and 204 messages during parsing
    - MINOR: mux-h1: Keep custom "Content-Length: 0" header in 1xx and 204 messages
    - MINOR: hlua/h1: Use http_parse_cont_len_header() to parse content-length value
    - CLEANUP: h1: Remove now useless h1_parse_cont_len_header() function
    - BUG/MEDIUM: mux-spop: Respect the negociated max-frame-size value to send frames
    - MINOR: http-act: Add 'pause' action to temporarily suspend the message analysis
    - MINOR: acme/cli: add the 'acme renew' command to the help message
    - MINOR: httpclient: add an "https" log-format
    - MEDIUM: acme: use a customized proxy
    - MEDIUM: acme: rename "uri" into "directory"
    - MEDIUM: acme: rename "account" into "account-key"
    - MINOR: stick-table: use a separate lock label for updates
    - MINOR: h3: simplify h3_rcv_buf return path
    - BUG/MINOR: mux-quic: fix possible infinite loop during decoding
    - BUG/MINOR: mux-quic: do not decode if conn in error
    - BUG/MINOR: cli: Issue an error when too many args are passed for a command
    - MINOR: cli: Use a full prompt command for bidir connections with workers
    - MAJOR: cli: Refacor parsing and execution of pipelined commands
    - MINOR: cli: Rename some CLI applet states to reflect recent refactoring
    - CLEANUP: applet: Update st0/st1 comment in appctx structure
    - BUG/MINOR: hlua: Fix I/O handler of lua CLI commands to not rely on the SC
    - BUG/MINOR: ring: Fix I/O handler of "show event" command to not rely on the SC
    - MINOR: cli/applet: Move appctx fields only used by the CLI in a private context
    - MINOR: cache: Add a pointer on the cache in the cache applet context
    - MINOR: hlua: Use the applet name in error messages for lua services
    - MINOR: applet: Save the "use-service" rule in the stream to init a service applet
    - CLEANUP: applet: Remove unsued rule pointer in appctx structure
    - BUG/MINOR: master/cli: properly trim the '@@' process name in error messages
    - MEDIUM: resolvers: add global "dns-accept-family" directive
    - MINOR: resolvers: add command-line argument -4 to force IPv4-only DNS
    - MINOR: sock-inet: detect apparent IPv6 connectivity
    - MINOR: resolvers: add "dns-accept-family auto" to rely on detected IPv6
    - MEDIUM: acme: use Retry-After value for retries
    - MEDIUM: acme: reset the remaining retries
    - MEDIUM: acme: better error/retry management of the challenge checks
    - BUG/MEDIUM: cli: Handle applet shutdown when waiting for a command line
    - Revert "BUG/MINOR: master/cli: properly trim the '@@' process name in error messages"
    - BUG/MINOR: master/cli: only parse the '@@' prefix on complete lines
    - MINOR: resolvers: use the runtime IPv6 status instead of boot time one

2025/04/18 : 3.2-dev11
    - CI: enable weekly QuicTLS build
    - DOC: management: slightly clarify the prefix role of the '@' command
    - DOC: management: add a paragraph about the limitations of the '@' prefix
    - MINOR: master/cli: support bidirectional communications with workers
    - MEDIUM: ssl/ckch: add filename and linenum argument to crt-store parsing
    - MINOR: acme: add the acme section in the configuration parser
    - MINOR: acme: add configuration for the crt-store
    - MINOR: acme: add private key configuration
    - MINOR: acme/cli: add the 'acme renew' command
    - MINOR: acme: the acme section is experimental
    - MINOR: acme: get the ACME directory
    - MINOR: acme: handle the nonce
    - MINOR: acme: check if the account exist
    - MINOR: acme: generate new account
    - MINOR: acme: newOrder request retrieve authorizations URLs
    - MINOR: acme: allow empty payload in acme_jws_payload()
    - MINOR: acme: get the challenges object from the Auth URL
    - MINOR: acme: send the request for challenge ready
    - MINOR: acme: implement a check on the challenge status
    - MINOR: acme: generate the CSR in a X509_REQ
    - MINOR: acme: finalize by sending the CSR
    - MINOR: acme: verify the order status once finalized
    - MINOR: acme: implement retrieval of the certificate
    - BUG/MINOR: acme: ckch_conf_acme_init() when no filename
    - MINOR: ssl/ckch: handle ckch_conf in ckchs_dup() and ckch_conf_clean()
    - MINOR: acme: copy the original ckch_store
    - MEDIUM: acme: replace the previous ckch instance with new ones
    - MINOR: acme: schedule retries with a timer
    - BUILD: acme: enable the ACME feature when JWS is present
    - BUG/MINOR: cpu-topo: check the correct variable for NULL after malloc()
    - BUG/MINOR: acme: key not restored upon error in acme_res_certificate()
    - BUG/MINOR: thread: protect thread_cpus_enabled_at_boot with USE_THREAD
    - MINOR: acme: default to 2048bits for RSA
    - DOC: acme: explain how to configure and run ACME
    - BUG/MINOR: debug: remove the trailing \n from BUG_ON() statements
    - DOC: config: add the missing "profiling.memory" to the global kw index
    - DOC: config: add the missing "force-cfg-parser-pause" to the global kw index
    - DEBUG: init: report invalid characters in debug description strings
    - DEBUG: rename DEBUG_GLITCHES to DEBUG_COUNTERS and enable it by default
    - DEBUG: counters: make COUNT_IF() only appear at DEBUG_COUNTERS>=1
    - DEBUG: counters: add the ability to enable/disable updating the COUNT_IF counters
    - MINOR: tools: let dump_addr_and_bytes() support dumping before the offset
    - MINOR: debug: in call traces, dump the 8 bytes before the return address, not after
    - MINOR: debug: detect call instructions and show the branch target in backtraces
    - BUG/MINOR: acme: fix possible NULL deref
    - CLEANUP: acme: stored value is overwritten before it can be used
    - BUILD: incompatible pointer type suspected with -DDEBUG_UNIT
    - BUG/MINOR: http-ana: Properly detect client abort when forwarding the response
    - BUG/MEDIUM: http-ana: Report 502 from req analyzer only during rsp forwarding
    - CI: fedora rawhide: enable unit tests
    - DOC: configuration: fix a typo in ACME documentation
    - MEDIUM: sink: add a new dpapi ring buffer
    - Revert "BUG/MINOR: acme: key not restored upon error in acme_res_certificate()"
    - BUG/MINOR: acme: key not restored upon error in acme_res_certificate() V2
    - BUG/MINOR: acme: fix the exponential backoff of retries
    - DOC: configuration: specify limitations of ACME for 3.2
    - MINOR: acme: emit logs instead of ha_notice
    - MINOR: acme: add a success message to the logs
    - BUG/MINOR: acme/cli: fix certificate name in error message
    - MINOR: acme: register the task in the ckch_store
    - MINOR: acme: free acme_ctx once the task is done
    - BUG/MEDIUM: h3: trim whitespaces when parsing headers value
    - BUG/MEDIUM: h3: trim whitespaces in header value prior to QPACK encoding
    - BUG/MINOR: h3: filter upgrade connection header
    - BUG/MINOR: h3: reject invalid :path in request
    - BUG/MINOR: h3: reject request URI with invalid characters
    - MEDIUM: h3: use absolute URI form with :authority
    - BUG/MEDIUM: hlua: fix hlua_applet_{http,tcp}_fct() yield regression (lost data)
    - BUG/MINOR: mux-h2: prevent past scheduling with idle connections
    - BUG/MINOR: rhttp: fix reconnect if timeout connect unset
    - BUG/MINOR: rhttp: ensure GOAWAY can be emitted after reversal
    - BUG/MINOR: mux-h2: do not apply timer on idle backend connection
    - MINOR: mux-h2: refactor idle timeout calculation
    - MINOR: mux-h2: prepare to support PING emission
    - MEDIUM: server/mux-h2: implement idle-ping on backend side
    - MEDIUM: listener/mux-h2: implement idle-ping on frontend side
    - MINOR: mux-h2: do not emit GOAWAY on idle ping expiration
    - MINOR: mux-h2: handle idle-ping on conn reverse
    - BUILD: makefile: enable backtrace by default on musl
    - BUG/MINOR: threads: set threads_idle and threads_harmless even with no threads
    - BUG/MINOR debug: fix !USE_THREAD_DUMP in ha_thread_dump_fill()
    - BUG/MINOR: wdt/debug: avoid signal re-entrance between debugger and watchdog
    - BUG/MINOR: debug: detect and prevent re-entrance in ha_thread_dump_fill()
    - MINOR: debug: do not statify a few debugging functions often used with wdt/dbg
    - MINOR: tools: also protect the library name resolution against concurrent accesses
    - MINOR: tools: protect dladdr() against reentrant calls from the debug handler
    - MINOR: debug: protect ha_dump_backtrace() against risks of re-entrance
    - MINOR: tinfo: keep a copy of the pointer to the thread dump buffer
    - MINOR: debug: always reset the dump pointer when done
    - MINOR: debug: remove unused case of thr!=tid in ha_thread_dump_one()
    - MINOR: pass a valid buffer pointer to ha_thread_dump_one()
    - MEDIUM: wdt: always make the faulty thread report its own warnings
    - MINOR: debug: make ha_stuck_warning() only work for the current thread
    - MINOR: debug: make ha_stuck_warning() print the whole message at once
    - CLEANUP: debug: no longer set nor use TH_FL_DUMPING_OTHERS
    - MINOR: sched: add a new function is_sched_alive() to report scheduler's health
    - MINOR: wdt: use is_sched_alive() instead of keeping a local ctxsw copy
    - MINOR: sample: add 4 new sample fetches for clienthello parsing
    - REGTEST: add new reg-test for the 4 new clienthello fetches
    - MINOR: servers: Move the per-thread server initialization earlier
    - MINOR: proxies: Initialize the per-thread structure earlier.
    - MINOR: servers: Provide a pointer to the server in srv_per_tgroup.
    - MINOR: lb_fwrr: Move the next weight out of fwrr_group.
    - MINOR: proxies: Add a per-thread group lbprm struct.
    - MEDIUM: lb_fwrr: Use one ebtree per thread group.
    - MEDIUM: lb_fwrr: Don't start all thread groups on the same server.
    - MINOR: proxies: Do stage2 initialization for sinks too

2025/04/11 : 3.2-dev10
    - REORG: ssl: move curves2nid and nid2nist to ssl_utils
    - BUG/MEDIUM: stream: Fix a possible freeze during a forced shut on a stream
    - MEDIUM: stream: Save SC and channel flags earlier in process_steam()
    - BUG/MINOR: peers: fix expire learned from a peer not converted from ms to ticks
    - BUG/MEDIUM: peers: prevent learning expiration too far in futur from unsync node
    - CI: spell check: allow manual trigger
    - CI: codespell: add "pres" to spellcheck whitelist
    - CLEANUP: assorted typo fixes in the code, commits and doc
    - CLEANUP: atomics: remove support for gcc < 4.7
    - CLEANUP: atomics: also replace __sync_synchronize() with __atomic_thread_fence()
    - TESTS: Fix build for filltab25.c
    - MEDIUM: ssl: replace "crt" lines by "ssl-f-use" lines
    - DOC: configuration: replace "crt" by "ssl-f-use" in listeners
    - MINOR: backend: mark srv as nonnull in alloc_dst_address()
    - BUG/MINOR: server: ensure check-reuse-pool is copied from default-server
    - MINOR: server: activate automatically check reuse for rhttp@ protocol
    - MINOR: check/backend: support conn reuse with SNI
    - MINOR: check: implement check-pool-conn-name srv keyword
    - MINOR: task: add thread safe notification_new and notification_wake variants
    - BUG/MINOR: hlua_fcn: fix potential UAF with Queue:pop_wait()
    - MINOR: hlua_fcn: register queue class using hlua_register_metatable()
    - MINOR: hlua: add core.wait()
    - MINOR: hlua: core.wait() takes optional delay paramater
    - MINOR: hlua: split hlua_applet_tcp_recv_yield() in two functions
    - MINOR: hlua: add AppletTCP:try_receive()
    - MINOR: hlua_fcn: add Queue:alarm()
    - MEDIUM: task: make notification_* API thread safe by default
    - CLEANUP: log: adjust _lf_cbor_encode_byte() comment
    - MEDIUM: ssl/crt-list: warn on negative wildcard filters
    - MEDIUM: ssl/crt-list: warn on negative filters only
    - BUILD: atomics: fix build issue on non-x86/non-arm systems
    - BUG/MINOR: log: fix CBOR encoding with LOG_VARTEXT_START() + lf_encode_chunk()
    - BUG/MEDIUM: sample: fix risk of overflow when replacing multiple regex back-refs
    - DOC: configuration: rework the crt-list section
    - MINOR: ring: support arbitrary delimiters through ring_dispatch_messages()
    - MINOR: ring/cli: support delimiting events with a trailing \0 on "show events"
    - DEV: h2: fix h2-tracer.lua nil value index
    - BUG/MINOR: backend: do not use the source port when hashing clientip
    - BUG/MINOR: hlua: fix invalid errmsg use in hlua_init()
    - MINOR: proxy: add setup_new_proxy() function
    - MINOR: checks: mark CHECKS-FE dummy frontend as internal
    - MINOR: flt_spoe: mark spoe agent frontend as internal
    - MEDIUM: tree-wide: avoid manually initializing proxies
    - MINOR: proxy: add deinit_proxy() helper func
    - MINOR: checks: deinit checks_fe upon deinit
    - MINOR: flt_spoe: deinit spoe agent proxy upon agent release

2025/04/02 : 3.2-dev9
    - MINOR: quic: move global tune options into quic_tune
    - CLEANUP: quic: reorganize TP flow-control initialization
    - MINOR: quic: ignore uni-stream for initial max data TP
    - MINOR: mux-quic: define config for max-data
    - MINOR: quic: define max-stream-data configuration as a ratio
    - MEDIUM: lb-chash: add directive hash-preserve-affinity
    - MEDIUM: pools: be a bit smarter when merging comparable size pools
    - REGTESTS: disable the test balance/balance-hash-maxqueue
    - BUG/MINOR: log: fix gcc warn about truncating NUL terminator while init char arrays
    - CI: fedora rawhide: allow "on: workflow_dispatch" in forks
    - CI: fedora rawhide: install "awk" as a dependency
    - CI: spellcheck: allow "on: workflow_dispatch" in forks
    - CI: coverity scan: allow "on: workflow_dispatch" in forks
    - CI: cross compile: allow "on: workflow_dispatch" in forks
    - CI: Illumos: allow "on: workflow_dispatch" in forks
    - CI: NetBSD: allow "on: workflow_dispatch" in forks
    - CI: QUIC Interop on AWS-LC: allow "on: workflow_dispatch" in forks
    - CI: QUIC Interop on LibreSSL: allow "on: workflow_dispatch" in forks
    - MINOR: compiler: add __nonstring macro
    - MINOR: thread: dump the CPU topology in thread_map_to_groups()
    - MINOR: cpu-set: compare two cpu sets with ha_cpuset_isequal()
    - MINOR: cpu-set: add a new function to print cpu-sets in human-friendly mode
    - MINOR: cpu-topo: add a dump of thread-to-CPU mapping to -dc
    - MINOR: cpu-topo: pass an extra argument to ha_cpu_policy
    - MINOR: cpu-topo: add new cpu-policies "group-by-2-clusters" and above
    - BUG/MINOR: config: silence .notice/.warning/.alert in discovery mode
    - EXAMPLES: add "games.cfg" and an example game in Lua
    - MINOR: jws: emit the JWK thumbprint
    - TESTS: jws: change the jwk format
    - MINOR: ssl/ckch: add substring parser for ckch_conf
    - MINOR: mt_list: Implement mt_list_try_lock_prev().
    - MINOR: lbprm: Add method to deinit server and proxy
    - MINOR: threads: Add HA_RWLOCK_TRYRDTOWR()
    - MAJOR: leastconn; Revamp the way servers are ordered.
    - BUG/MINOR: ssl/ckch: leak in error path
    - BUILD: ssl/ckch: potential null pointer dereference
    - MINOR: log: support "raw" logformat node typecast
    - CLEANUP: assorted typo fixes in the code and comments
    - DOC: config: fix two missing "content" in "tcp-request" examples
    - MINOR: cpu-topo: cpu_dump_topology() SMT info check little optimisation
    - BUILD: compiler: undefine the CONCAT() macro if already defined
    - BUG/MEDIUM: leastconn: Don't try to reposition if the server is down
    - BUG/MINOR: rhttp: fix incorrect dst/dst_port values
    - BUG/MINOR: backend: do not overwrite srv dst address on reuse
    - BUG/MEDIUM: backend: fix reuse with set-dst/set-dst-port
    - MINOR: sample: define bc_reused fetch
    - REGTESTS: extend conn reuse test with transparent proxy
    - MINOR: backend: fix comment when killing idle conns
    - MINOR: backend: adjust conn_backend_get() API
    - MINOR: backend: extract conn hash calculation from connect_server()
    - MINOR: backend: extract conn reuse from connect_server()
    - MINOR: backend: remove stream usage on connection reuse
    - MINOR: check define check-reuse-pool server keyword
    - MEDIUM: check: implement check-reuse-pool
    - BUILD: backend: silence a build warning when not using ssl
    - BUILD: quic_sock: address a strict-aliasing build warning with gcc 5 and 6
    - BUILD: ssl_ckch: use my_strndup() instead of strndup()
    - DOC: update INSTALL to reflect the minimum compiler version

2025/03/21 : 3.2-dev8
    - MINOR: jws: implement JWS signing
    - TESTS: jws: implement a test for JWS signing
    - CI: github: add "jose" to apt dependencies
    - CLEANUP: log-forward: remove useless options2 init
    - CLEANUP: log: add syslog_process_message() helper
    - MINOR: proxy: add proxy->options3
    - MINOR: log: migrate log-forward options from proxy->options2 to options3
    - MINOR: log: provide source address information in syslog_process_message()
    - MINOR: tools: only print address

Change log was trimmed to 60000 characters. Please see the changelog file for the full change log.

[Dariquest]

Fix acceptance tests corresponding to the change "Better error message when HTTP request is too large".
Corresponding PR haproxy/haproxy#1309

[maxmoehl]

Superseded by #844 but keeping it open to prevent the auto-bumper from creating another PR.