> -- Use stats socket to update the list without reload
>
> -- Update Session state at disconnection log schema to include
> something useful in case server receives a ticket which was encrypted with a key
> that is no longer in the list. Debugging SSL problems is a nightmare
> by definition and having a lot of debug information is very much appreciated
> by sysadmins

If the ticket is not in the list, it will simply fall back to a full handshake, not abort the handshake, so there is no error in that case. The generic SSL/TLS resumption counter should correctly account for those things already.

> -- Possibly use peer logic to sync the list to others, tricky but it is
> required when you have several LBs, alternatively users can deploy the logic
> that twitter has used

That doesn't make much sense for externally provided TLS keys, you may as well use the external interface on all instances. This would make more sense for SSL session IDs, they are currently shared between processes, but not between different haproxy instances (stud for example can do this iirc).

Lukas
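The behaviour discussed above (a ticket encrypted under a key that has since been rotated out of the list is not an error; the server just cannot decrypt it and falls back to a full handshake, which the resumption counters record) can be made concrete with a small model of a ticket key ring. The following is an added example, not haproxy's code or anything from this thread. It assumes a 48-byte key laid out as 16-byte name, 16-byte encryption key and 16-byte MAC key (an assumption modelled on haproxy's `tls-ticket-keys` file entries), uses a toy SHA-256-based keystream in place of a real AEAD so that it runs with the standard library only, and keeps per-outcome counters of the kind a sysadmin would want in a log or on the stats socket.

```python
import hashlib
import hmac
import secrets

NAME_LEN = 16  # ticket key name, sent in the clear at the front of every ticket


def make_key() -> bytes:
    """Generate one 48-byte ticket key: name(16) | enc key(16) | mac key(16) (assumed layout)."""
    return secrets.token_bytes(48)


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    # Toy counter-mode keystream built from SHA-256; stands in for AES-CTR/GCM.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class TicketKeyRing:
    """Ordered ticket key list: keys[0] encrypts new tickets, every key may decrypt."""

    def __init__(self, keys, max_keys: int = 3):
        self.keys = list(keys)
        self.max_keys = max_keys
        # Counters a server would expose: resumed vs. reasons for a full handshake.
        self.stats = {"resumed": 0, "unknown-key": 0, "bad-mac": 0}

    def add_key(self, key: bytes) -> None:
        """Rotate without reload: new key becomes the encrypting key, oldest falls off."""
        self.keys.insert(0, key)
        del self.keys[self.max_keys:]

    def _find(self, name: bytes):
        for key in self.keys:
            if key[:NAME_LEN] == name:
                return key
        return None

    def encrypt(self, state: bytes) -> bytes:
        """Wrap session state into a ticket under the current (first) key."""
        key = self.keys[0]
        name, enc, mac = key[:16], key[16:32], key[32:48]
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(state, _keystream(enc, nonce, len(state))))
        tag = hmac.new(mac, name + nonce + ct, hashlib.sha256).digest()
        return name + nonce + ct + tag

    def decrypt(self, ticket: bytes):
        """Return (state, 'resumed') or (None, reason) meaning 'do a full handshake'."""
        name, nonce, ct, tag = ticket[:16], ticket[16:32], ticket[32:-32], ticket[-32:]
        key = self._find(name)
        if key is None:
            # Key rotated out of the list: not an error, just no resumption.
            self.stats["unknown-key"] += 1
            return None, "unknown-key"
        enc, mac = key[16:32], key[32:48]
        expected = hmac.new(mac, name + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.stats["bad-mac"] += 1
            return None, "bad-mac"
        state = bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))
        self.stats["resumed"] += 1
        return state, "resumed"

    def log_line(self, ticket: bytes, outcome: str) -> str:
        """The kind of debug line the quoted proposal asks for (constructed format)."""
        return f"tls_ticket key_name={ticket[:NAME_LEN].hex()} result={outcome}"


if __name__ == "__main__":
    ring = TicketKeyRing([make_key()])
    ticket = ring.encrypt(b"session-state")
    for _ in range(3):  # three rotations push the original key out of a 3-slot ring
        ring.add_key(make_key())
    state, outcome = ring.decrypt(ticket)
    print(ring.log_line(ticket, outcome), ring.stats)
```

Walking the ring forward one key at a time keeps old tickets resumable for as long as their key is still listed; once it drops off, `decrypt` reports `unknown-key` and bumps the counter rather than failing the connection, which is the point Lukas makes above.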