Hey Olivier, Can you try the attached patch? I need to run some more tests, but I think this should fix it.
Regards, Nenad On 3/24/2016 10:05 PM, Olivier Doucet wrote: > Hi again, > > > 2016-03-24 21:15 GMT+01:00 Lukas Tribus <luky...@hotmail.com > <mailto:luky...@hotmail.com>>: > > Hi Nenad, > > > >> Well, its not supposed to look like this, there is clearly something > >> wrong. Master key fluctuates between the requests with TLS tickets > >> and the reuse collumn shows failure. > > > > Looks like a haproxy bug, I think I can reproduce it. > > > > Can you try with EXACTLY 3 keys in /tmp/tls_ticket_keys? > > > Tried and now behaviour is like expected ! > https://gist.github.com/anonymous/779fbc4f1cf8b23e9b1f > > And, I can confirm that now, CPU is not doubled \o/ > > > > > > there seems to be a bug in the handling of the tls-ticket-keys file. > > When there are 5 or more ticket keys in the file, clients using TLS > tickets > can no longer resume the TLS session (and fallback to full negotiation): > > https://gist.github.com/anonymous/6ec7c863f497cfd849a4 > > > Workaround would be to remove the oldest key from the file, so > that the number of keys in the file remains below 5. > > That's what I did : keep last 2 keys and add a new one. > > Olivier
From 074792e61070c8fae16cd0b2fae4dfb6e6eeff7a Mon Sep 17 00:00:00 2001 From: Nenad Merdanovic <nmer...@anine.io> Date: Fri, 25 Mar 2016 11:14:43 +0100 Subject: [PATCH] BUG/MEDIUM: Fix RFC5077 resumption when more than TLS_TICKETS_NO are present Olivier Doucet reported the issue on the ML and tested that when using more than TLS_TICKETS_NO keys in the file, the CPU usage is much higeher than expected. Lukas Tribus then provided a test case which showed that resumption doesn't work at all in that case. This fix needs to be backported to 1.6. Signed-off-by: Nenad Merdanovic <nmer...@anine.io> --- src/ssl_sock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 1017388..767d6e9 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5406,7 +5406,7 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px fclose(f); /* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */ - i-=2; + i = (i - 2) % TLS_TICKETS_NO; keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i; keys_ref->unique_id = -1; conf->keys_ref = keys_ref; -- 2.7.0