Re: `ssl_fc_has_early` fetcher and 0rtt

2020-09-09 Thread William Dauchy
> > That seems strange indeed but looking at the code that's what I'm
> > seeing. Was your access to ssl_fc_has_early placed before or after the
> > rule above ? If it's after it must indeed report false.

fetcher is placed before the rule

> > I seem to remember there was one but can't find it, so

Re: `ssl_fc_has_early` fetcher and 0rtt

2020-09-09 Thread Willy Tarreau
On Wed, Sep 09, 2020 at 05:43:08PM +0200, Olivier Houchard wrote:
> > I seem to remember there was one but can't find it, so I may have been
> > confused. With this said, it doesn't provide a big information since
> > once the handshake is completed, it's exactly identical to a regular
> > one. But

Re: `ssl_fc_has_early` fetcher and 0rtt

2020-09-09 Thread Olivier Houchard
On Wed, Sep 09, 2020 at 05:35:28PM +0200, Willy Tarreau wrote:
> On Wed, Sep 09, 2020 at 04:57:58PM +0200, William Dauchy wrote:
> > > I think it's not easy to reproduce these tests, you need a high enough
> > > latency between haproxy and the client so that the handshake is not
> > > already compl

Re: `ssl_fc_has_early` fetcher and 0rtt

2020-09-09 Thread Willy Tarreau
On Wed, Sep 09, 2020 at 04:57:58PM +0200, William Dauchy wrote:
> > I think it's not easy to reproduce these tests, you need a high enough
> > latency between haproxy and the client so that the handshake is not
> > already completed when you evaluate the rule, and of course you need
> > to make sur

Re: `ssl_fc_has_early` fetcher and 0rtt

2020-09-09 Thread William Dauchy
Hello Willy,

Thank you for your answer,

On Wed, Sep 9, 2020 at 4:39 PM Willy Tarreau wrote:
> If I remember well, the principle consists in detecting whether or not
> the request was received using TLS early data (0-rtt) before the handshake
> was completed. The problem is that early data may tr

Re: `ssl_fc_has_early` fetcher and 0rtt

2020-09-09 Thread Willy Tarreau
Hi William!

On Wed, Sep 09, 2020 at 12:02:03PM +0200, William Dauchy wrote:
> On Wed, Sep 9, 2020 at 10:48 AM William Dauchy wrote:
> > I'm trying to understand `ssl_fc_has_early` fetcher behavior as I'm
> > unable to find a single request where it returns 1.
> > (sorry, forgot to mention, all o

Re: `ssl_fc_has_early` fetcher and 0rtt

2020-09-09 Thread William Dauchy
On Wed, Sep 9, 2020 at 10:48 AM William Dauchy wrote:
> I'm trying to understand `ssl_fc_has_early` fetcher behavior as I'm
> unable to find a single request where it returns 1.

(sorry, forgot to mention, all of these tests were done on v2.2.x)

--
William