Hello guys, I'm having trouble with HAProxy 1.6.3 and TLS tickets, so let me explain my case here.

I'm running HAProxy 1.6.3 (since December) and all was running fine. TLS tickets were explicitly disabled. The only downside of this setup is that after each reload, I have a CPU spike for a few seconds. I thought this was due to session renegotiation (right?).

A few days ago, I decided to activate TLS tickets and use the option tls-ticket-keys on bind lines. My hope was to remove this CPU spike, as session renegotiation should be faster. But CPU usage doubled! I disabled it by adding "ssl-default-bind-options no-tls-tickets" again and CPU usage returned to normal.

From the doc, I read that activating TLS tickets may use "slightly" more CPU, but I hoped that using a tickets file could help in this case. Apparently I'm wrong. Any detailed explanation and feedback would be really useful here.

Snippet of my config (I know I'm using old syntax for listen/bind):

    global
        tune.ssl.default-dh-param 2048
        tune.ssl.lifetime 100800
        tune.ssl.cachesize 1000000
        #ssl-default-bind-options no-tls-tickets
        ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

    listen xxxx:443
        bind xxx:443 ssl crt /etc/ssl/ssl_xxx.pem no-sslv3 tls-ticket-keys /tmp/tls_ticket_keys
        server s107 xxx:80 check weight 5 fall 60

*******************

HAProxy version:

    HA-Proxy version 1.6.3 2015/12/25
    Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>

    Build options :
      TARGET  = linux2628
      CPU     = native
      CC      = gcc
      CFLAGS  = -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement
      OPTIONS = USE_OPENSSL=1 USE_PCRE=1 USE_TFO=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

    Encrypted password support via crypt(3): yes
    Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
    Compression algorithms supported : identity("identity")
    Built with OpenSSL version : OpenSSL 1.0.2f 28 Jan 2016
    Running on OpenSSL version : OpenSSL 1.0.2f 28 Jan 2016
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 7.2 2007-06-19
    PCRE library supports JIT : no (USE_PCRE_JIT not set)
    Built without Lua support
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

*************************

And /tmp/tls_ticket_keys is generated with "openssl rand -base64 48" called 3x + appended at each reload.

Olivier
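The rotation procedure the post describes (three keys from "openssl rand -base64 48", one more appended at each reload) can be scripted so that the file is replaced atomically, never grows without bound, and is never left world-readable. The script below is an added example, not part of Olivier's post or of HAProxy itself; the key-file path, the number of keys kept (3, matching the TLS_TICKETS_NO default) and the function names are assumptions. Each line of the file is one 48-byte key in base64, which is exactly what "openssl rand -base64 48" prints; HAProxy 1.6 loads the last TLS_TICKETS_NO keys, so the file must always contain at least that many, and per the tls-ticket-keys documentation the penultimate key encrypts new tickets while all loaded keys decrypt. Anyone who can read the file can decrypt resumed sessions, so the script tightens permissions to 0600 before the file goes live.

```shell
#!/bin/sh
# Added example: rotate an HAProxy 1.6 tls-ticket-keys file.
# One 48-byte base64 key per line, as "openssl rand -base64 48" emits.
set -eu

# Print one fresh key (64 base64 characters, no padding, one line).
new_ticket_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 48
  else
    # fallback for hosts without the openssl CLI: same 48 random bytes
    head -c 48 /dev/urandom | base64 | tr -d '\n'
    echo
  fi
}

# Number of keys currently in a key file (0 if the file does not exist).
ticket_key_count() {
  if [ -f "$1" ]; then
    wc -l < "$1" | tr -d ' '
  else
    echo 0
  fi
}

# Append one new key, keep only the newest $2 keys (default 3, the
# TLS_TICKETS_NO default), and swap the file in atomically so a reload
# can never observe a half-written key file.
rotate_ticket_keys() {
  file="$1"
  keep="${2:-3}"
  dir=$(dirname "$file")
  tmp=$(mktemp "$dir/.tls_ticket_keys.XXXXXX")
  if [ -f "$file" ]; then
    cat "$file" > "$tmp"
  fi
  new_ticket_key >> "$tmp"
  # a brand-new file must still reach the minimum number of keys HAProxy accepts
  while [ "$(ticket_key_count "$tmp")" -lt "$keep" ]; do
    new_ticket_key >> "$tmp"
  done
  tail -n "$keep" "$tmp" > "$tmp.trim"
  # whoever can read these keys can decrypt resumed sessions: owner-only access
  chmod 600 "$tmp.trim"
  mv "$tmp.trim" "$file"
  rm -f "$tmp"
}

# Pre-reload sanity check: enough keys, and every key exactly 48 bytes
# (64 base64 characters). Returns non-zero on any problem.
check_ticket_keys() {
  file="$1"
  keep="${2:-3}"
  n=$(ticket_key_count "$file")
  [ "$n" -ge "$keep" ] || { echo "$file: only $n keys, need $keep" >&2; return 1; }
  while IFS= read -r line; do
    [ "${#line}" -eq 64 ] || { echo "$file: key of wrong length" >&2; return 1; }
  done < "$file"
}

# Usage (assumed path): ./rotate_ticket_keys.sh /tmp/tls_ticket_keys [keys-to-keep]
# then reload HAProxy so the new key set is picked up.
if [ "$#" -gt 0 ]; then
  rotate_ticket_keys "$1" "${2:-3}"
  check_ticket_keys "$1" "${2:-3}"
fi
```

Running the script right before each reload reproduces the "append one key per reload" scheme from the post, with the old keys aging out instead of accumulating; if several HAProxy nodes share sessions, the same file must be distributed to all of them before the reload, which the atomic rename makes safe to do with a plain copy.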