I have been benchmarking the haproxy SSL implementation for the past few days and the results are very impressive. We have multiple SSL terminators set up for redundancy and capacity. I took one of our terminators and was able to get around 9500 new terminations a second with a 2048-bit cert using stunnel + haproxy with accept-proxy. Doing the same test with haproxy alone I was able to get around 11500 new TPS with the same 2048-bit cert!

I know that there is a shared cache across multiple processes on the same box. Are there any plans on implementing/consuming a shared SSL cache across multiple systems? Stunnel has a sessiond implementation: http://www.stunnel.org/sessiond.html

We have a set of hardware load balancers operating in layer 4 which balance traffic across our multiple SSL terminator servers. Currently we use stunnel's sessiond so that they can all share the same SSL session cache. One option would be to configure our layer 4 load balancer to keep IP sessions sticky so that the same IP address lands on the same SSL terminator every time, but this causes uneven load across the multiple SSL terminators. Is this feature something that is feasible?

Thanks,
David T.

