Hi Emeric,
On 3/8/19 11:24 AM, Emeric Brun wrote:
> Are you sure that servers won't use ECDSA certificates? Do you check that
> connections are successful forcing 'ECDHE-RSA-AES256-GCM-SHA384'?
Backend servers only support TLS 1.2 and RSA certificates.
> Could you check the algorithms supported by QAT by doing this?:
>
> openssl engine -c qat
# /opt/booking-openssl/bin/openssl engine -c qat
(qat) Reference implementation of QAT crypto engine
[RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256,
AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF]
> Could you retry with this config:
>
> ssl-engine qat algo RSA,DSA,EC,DH
Just did that and experienced the very same effect: no QAT activity for
backend server healthchecks :-( When I add a frontend, e.g.
frontend frontend1
bind 127.0.0.1:8443 ssl crt
/etc/lb_engine/data/generated/ssl/10.252.24.7:443
default_backend pool_all
and make some connections/requests (TLS 1.2 and/or TLS 1.3) to the
frontend I see QAT activity, but *NO* activity when HAProxy is "idle"
(only doing healthchecks to backend servers: TLS 1.2 only).
This feels like healthchecks are not passing through the QAT engine for
whatever reason :-( Even enabling HTTP checks for the backend (option
httpchk) does not make any difference.
The question: Is SSL Async Mode actually supported on the backend side
(either healthchecks and/or normal traffic)?
Regards,
Marcin Deranek
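A complete configuration for the setup discussed in the message above, as an added example and not Marcin's or the HAProxy project's own config. It combines the pieces the thread mentions (ssl-engine with an algorithm list, a TLS frontend, TLS 1.2-only RSA backends with healthchecks) with the global ssl-mode-async directive that the final question is about. The directives used are standard HAProxy keywords; the certificate path, the /healthz URI, the server name, the check interval and the verify none setting are assumptions chosen for illustration. The example does not settle whether ssl-mode-async covers server-side handshakes; that remains the open question of the message:

```haproxy
global
    # Load the QAT engine and restrict it to the asymmetric algorithms it
    # implements (the `openssl engine -c qat` output above lists RSA, DSA, DH;
    # EC is kept as in the suggested line).
    ssl-engine qat algo RSA,DSA,EC,DH
    # Enable asynchronous TLS I/O so handshakes can be offloaded to the engine.
    ssl-mode-async
    # Outgoing (server-side) connections: TLS 1.2 only, matching the backends.
    ssl-default-server-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend frontend1
    # Assumed certificate path (the thread uses a generated per-IP file).
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/frontend1.pem
    default_backend pool_all

backend pool_all
    # Layer-7 check: each probe does a full TLS handshake plus an HTTP request.
    # /healthz is an assumed URI.
    option httpchk GET /healthz
    # `ssl` makes both traffic and checks use TLS; `check-ssl` states it
    # explicitly. Pinning an ECDHE-RSA suite forces an RSA signature in the
    # TLS 1.2 handshake, so HAProxy's side performs an RSA verify, which is the
    # kind of operation the engine's RSA method is meant to see.
    # `verify none` is an assumption (no CA configured for the example).
    server srv1 10.252.24.7:443 ssl verify none check check-ssl inter 2s ciphers ECDHE-RSA-AES256-GCM-SHA384
```

With only the backend section active (no frontend traffic), any engine activity observed would be attributable to the healthcheck handshakes alone, which isolates the behaviour the message reports.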