Hello guys,

I'm having trouble with HAProxy 1.6.3 and TLS tickets, so let me explain
my case here.

I'm running HAProxy 1.6.3 (since December) and all was running fine. TLS
tickets were explicitly disabled. The only downside of this setup is that
after each reload, I have a CPU spike for a few seconds. I thought this was
due to session renegotiation (right?)

A few days ago, I decided to activate TLS tickets and use the option
tls-ticket-keys on bind lines. My hope was to remove this CPU spike, as
session renegotiation should be faster.
But CPU usage doubled! I disabled it by adding again
"ssl-default-bind-options no-tls-tickets" and CPU usage returned to normal.

From the doc, I read that activating TLS tickets may use "slightly" more
CPU, but I hoped that using a tickets file could help in this case.
Apparently I'm wrong.

Any detailed explanation and feedback would be really useful here.

Snippet of my config (I know I'm using the old syntax for listen/bind):

global
    tune.ssl.default-dh-param 2048
    tune.ssl.lifetime 100800
    tune.ssl.cachesize 1000000
    #ssl-default-bind-options no-tls-tickets
    ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

listen xxxx:443
    bind xxx:443 ssl crt /etc/ssl/ssl_xxx.pem no-sslv3 tls-ticket-keys /tmp/tls_ticket_keys
    server s107 xxx:80 check weight 5 fall 60

*******************
HAProxy version:

HA-Proxy version 1.6.3 2015/12/25
Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1 USE_TFO=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
Compression algorithms supported : identity("identity")
Built with OpenSSL version : OpenSSL 1.0.2f  28 Jan 2016
Running on OpenSSL version : OpenSSL 1.0.2f  28 Jan 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.2 2007-06-19
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND


*************************
And /tmp/tls_ticket_keys is generated with "openssl rand -base64 48" called 3x,
and appended at each reload.


Olivier
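The key-file handling described in the mail (three 48-byte keys, one more appended at each reload), as an added example that is not part of the original post: a POSIX shell script that appends a fresh key but keeps only the newest three, so the file stays bounded instead of growing at every reload, and validates that every line decodes to exactly 48 bytes. It assumes HAProxy reads the last keys in the file and needs at least three of them, that 48-byte keys match the OpenSSL 1.0.2 build shown above, and the function names and key count are chosen here.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumptions: ticket keys are
# 48 bytes, base64 encoded, one per line (OpenSSL 1.0.2); HAProxy uses the
# last keys in the file and needs at least 3; the file path is an argument.
set -eu

# One 48-byte key on a single line, same as "openssl rand -base64 48" in
# the mail, with a /dev/urandom fallback when openssl is not installed.
gen_ticket_key() {
    if command -v openssl >/dev/null 2>&1; then
        printf '%s\n' "$(openssl rand -base64 48)"
    else
        printf '%s\n' "$(head -c 48 /dev/urandom | base64 | tr -d '\n')"
    fi
}

# Append a fresh key and keep only the newest $2 keys (default 3).
# Written to a mode-0600 temp file and renamed, so a reload never reads a
# partially written file and the keys are not world-readable.
rotate_ticket_keys() {
    file=$1
    keep=${2:-3}
    tmp="$file.tmp.$$"
    umask 077
    { if [ -f "$file" ]; then cat "$file"; fi; gen_ticket_key; } \
        | tail -n "$keep" > "$tmp"
    mv "$tmp" "$file"
}

# Validate a keys file: at least $2 keys (default 3), each one a base64
# line decoding to exactly 48 bytes. Non-zero return on the first problem.
check_ticket_keys() {
    file=$1
    need=${2:-3}
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        len=$(printf '%s' "$line" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
        [ "$len" -eq 48 ] || { echo "key $n: $len bytes, want 48" >&2; return 1; }
    done < "$file"
    [ "$n" -ge "$need" ] || { echo "only $n keys, need $need" >&2; return 1; }
}

# Usage from a reload hook: rotate, validate, then reload HAProxy so it
# picks up the new file (the reload command depends on the init system).
if [ $# -eq 1 ]; then
    rotate_ticket_keys "$1" 3
    check_ticket_keys "$1" 3
fi
```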
