2016-03-24 12:57 GMT+01:00 Lukas Tribus <luky...@hotmail.com>:

> > Ok, when you say CPU usage double do you mean the CPU usage after
> > a reload/restart, or do you mean CPU usage in general (even after not
> > reloading haproxy)?
> > CPU is at 100% just after reload for more than 30s (was a few seconds
> > before) and then CPU usage stays doubled all the time.
>
> Ok, so it looks like resumption doesn't work at all with TLS tickets.
>
> Are you sure the haproxy reload works fine - no old haproxy instances
> run in the background serving obsolete TLS keys?
>
Yes, I'm sure.


> There have been some bugs with reloading haproxy, fixed in 1.6.4.
>
I recompiled HAProxy with latest version and OpenSSL 1.0.2g.

I activated tls-ticket and CPU usage doubled again.
I tried a reload then, and CPU stays stable.

So at least the reload problem with CPU at 100% seems resolved. But I do
not understand why using TLS-tickets uses so much more CPU (I hoped it
would be "slightly" higher, not doubled).

BTW, servers are 2x Intel Xeon L5630  @ 2.13GHz and certificates issued are
all SHA256RSA.
I will use ECDSA certificates in the future, I was just waiting for
transparent support of ECDSA/RSA certificates in HAProxy (done in 1.7, just
waiting for the stable release on this).




> If that's not it, and no old haproxy instances are present after the
> reload, could you compile Vincent's rfc5077-client from [1]:
>
Output can be found here:
https://gist.github.com/anonymous/6ec7c863f497cfd849a4
(HTTP 500 error is normal, as you are using HEAD / HTTP/1.0 and our web
servers require a Host header)

Olivier
