2016-03-25 11:35 GMT+01:00 Nenad Merdanovic <nmer...@anine.io>:
> Hey Olivier,
>
> Can you try the attached patch? I need to run some more tests, but I
> think this should fix it.
>

A summary of all tests performed:

WITHOUT PATCH:
With 0 tickets in file : HAProxy refuses to start "'/tmp/tls_ticket_keys' : please supply at least 3 keys in the tls-tickets-file"
With 1 ticket in file : HAProxy refuses to start (same)
With 2 tickets in file : HAProxy refuses to start (same)
With 3 tickets in file : working as expected (reuse OK)
With 4 tickets in file : working as expected (reuse OK)
With 5 tickets in file : no more session reuse

WITH PATCH "0001-BUG-MEDIUM-Fix-RFC5077-resumption-when-more-than-TLS.patch":
With 0 tickets in file : HAProxy refuses to start "'/tmp/tls_ticket_keys' : please supply at least 3 keys in the tls-tickets-file"
With 1 ticket in file : HAProxy refuses to start (same)
With 2 tickets in file : HAProxy refuses to start (same)
With 3 tickets in file : working as expected (reuse OK)
With 4 tickets in file : working as expected (reuse OK)
With 5 tickets in file : working as expected (reuse OK)
With 6 tickets in file : working as expected (reuse OK)

Many thanks to you all, and to Vincent Bernat for the tool rfc5077-client.

Olivier

> Regards,
> Nenad
>
> On 3/24/2016 10:05 PM, Olivier Doucet wrote:
> > Hi again,
> >
> >
> > 2016-03-24 21:15 GMT+01:00 Lukas Tribus <luky...@hotmail.com>:
> >
> >     Hi Nenad,
> >
> >
> >     >> Well, it's not supposed to look like this, there is clearly something
> >     >> wrong. Master key fluctuates between the requests with TLS tickets
> >     >> and the reuse column shows failure.
> >
> >
> >     Looks like a haproxy bug, I think I can reproduce it.
> >
> >
> >     Can you try with EXACTLY 3 keys in /tmp/tls_ticket_keys?
> >
> >
> > Tried and now behaviour is like expected!
> > https://gist.github.com/anonymous/779fbc4f1cf8b23e9b1f
> >
> > And, I can confirm that now, CPU is not doubled \o/
> >
> >
> >     there seems to be a bug in the handling of the tls-ticket-keys file.
> >
> >     When there are 5 or more ticket keys in the file, clients using TLS tickets
> >     can no longer resume the TLS session (and fallback to full negotiation):
> >
> >     https://gist.github.com/anonymous/6ec7c863f497cfd849a4
> >
> >
> >     Workaround would be to remove the oldest key from the file, so
> >     that the number of keys in the file remains below 5.
> >
> > That's what I did: keep last 2 keys and add a new one.
> >
> > Olivier
>
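The rotation workaround described in the thread (keep the last 2 keys, add a new one, so the file never grows past the 3 keys HAProxy needs) as an added example; this is not code from the thread or from the haproxy project. It assumes the tls-ticket-keys file format of one base64-encoded 48-byte key per line (as in the haproxy documentation of that era) and that the minimum key count is 3.

```python
import base64
import os

KEY_BYTES = 48      # ticket key size in the 1.6-era file format (assumption, from haproxy docs)
KEYS_TO_KEEP = 3    # the count that worked in the thread: 2 old keys + 1 new one


def decode_key(line):
    """Return the raw bytes of one base64 key line; raise ValueError if malformed."""
    raw = base64.b64decode(line.strip(), validate=True)  # binascii.Error is a ValueError
    if len(raw) != KEY_BYTES:
        raise ValueError("key is %d bytes, expected %d" % (len(raw), KEY_BYTES))
    return raw


def parse_key_file(text):
    """Split file contents into base64 key strings, rejecting blank or malformed lines."""
    keys = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for key in keys:
        decode_key(key)  # fail here rather than letting haproxy refuse to start
    return keys


def rotate_keys(keys, new_key, keep=KEYS_TO_KEEP):
    """Append new_key (newest last) and drop the oldest so exactly `keep` remain."""
    decode_key(new_key)
    rotated = (keys + [new_key])[-keep:]
    if len(rotated) < keep:
        raise ValueError("need at least %d keys, have %d" % (keep, len(rotated)))
    return rotated


def generate_key():
    """Fresh random key, base64-encoded (same shape as `openssl rand -base64 48`)."""
    return base64.b64encode(os.urandom(KEY_BYTES)).decode("ascii")


def rotate_key_file(text, new_key=None, keep=KEYS_TO_KEEP):
    """Return the new file contents: old keys trimmed, new key appended."""
    keys = parse_key_file(text)
    return "\n".join(rotate_keys(keys, new_key or generate_key(), keep)) + "\n"


def sample_key(tag):
    """Deterministic constructed key for demonstration only (NOT for production use)."""
    return base64.b64encode(bytes([tag]) * KEY_BYTES).decode("ascii")


if __name__ == "__main__":
    # Constructed sample file with 3 keys; after rotation key 1 is gone, key 4 is last.
    current = "\n".join(sample_key(i) for i in (1, 2, 3)) + "\n"
    print(rotate_key_file(current, sample_key(4)))
```

Write the result to the keys file atomically (temp file plus rename) and reload haproxy so it picks up the new file.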