Hi, all

I have tested persistence on the SSL session ID with haproxy-1.5-dev16. The main configuration of the frontend and backend is as below:

    frontend fe
        bind 172.22.16.112:443 ssl crt /home/fortiadc/ca-user-key.pem ca-file /home/fortiadc/ca-root.cer
        #verify required crl-file /home/fortiadc/ca-root-crl.cer
        maxconn 1048576
        use_backend be unless

    backend be
        balance roundrobin
        # maximum SSL session ID length is 32 bytes.
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        # use tcp content accepts to detect ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello
        # SSL session ID (SSLID) may be present on a client or server hello.
        # Its length is coded on 1 byte at offset 43 and its value starts
        # at offset 44.
        # Match and learn on request if client hello.
        # should be (44, 32) if sticking to SSL session ID ?
        stick on payload_lv(43,1) if clienthello
        # Learn on response if server hello.
        # should be (44, 32) if storing SSL session ID ?
        stick store-response payload_lv(43,1) if serverhello
        server 1 10.128.7.1:80 cookie cookie weight 1 maxconn 0 slowstart 0s
        server 2 127.0.0.1:80 cookie cookie weight 1 maxconn 0 slowstart 0s

Both the acl and stick configurations are copied from the introduction of 'stick store-response' in the manual.

After testing, I found that haproxy has not stored the SSL session ID because the acl 'clienthello' has not matched. From the SSL support code, SSL_do_handshake() supplied by the OpenSSL library is called to do the whole SSL handshake. It means that haproxy doesn't have the chance to copy the TCP payload during the SSL handshake to the session buffer. As a result, haproxy cannot check the data of the handshake. Maybe we should just check the SSL hello type in the SSL record data.

In addition, I want to know whether the main configuration should be like this if I want to stick on the SSL session ID:

    stick on payload_lv(44,32) if clienthello
    stick store-response payload_lv(44,32) if serverhello

I am also wondering whether I used an incorrect configuration that led to the failure, or whether it is a bug indeed.

Best Regards,
Godbach
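To make the offsets in the configuration comments above concrete, here is an added Python example; it is not part of the original post and not haproxy's own code. It builds a constructed TLS 1.2 ClientHello and ServerHello record and extracts the fields the ACLs and stick rules refer to: `req_ssl_hello_type` looks at the handshake type byte at offset 5 of a handshake record (0x16), and `payload_lv(43,1)`, with the semantics haproxy documents for `payload_lv(offset1,length[,offset2])`, reads a 1-byte length field at offset 43 and returns that many bytes starting at offset 44, so it already yields the variable-length session ID. Both rules operate on raw TCP bytes, which is exactly what a `bind ... ssl` frontend no longer exposes once OpenSSL consumes the handshake. The function names `build_hello`, `ssl_hello_type`, `payload_lv` and `session_id` are my own assumptions, and the hello records and random bytes are constructed samples; the example also covers the valid case of an empty (zero-length) session ID.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 1       # handshake message types matched by req_ssl_hello_type 1
SERVER_HELLO = 2       # and rep_ssl_hello_type 2


def build_hello(hello_type: int, session_id: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello/ServerHello record (constructed sample).

    Layout of the resulting bytes, which is what the haproxy offsets refer to:
      0      record type (0x16)      1-2   record version   3-4   record length
      5      handshake type          6-8   handshake length 9-10  hello version
      11-42  32-byte random          43    session ID length
      44..   session ID (0..32 bytes), then cipher suite(s) and compression
    """
    random_bytes = bytes(range(32))  # constructed placeholder, not real randomness
    sid_field = bytes([len(session_id)]) + session_id
    if hello_type == CLIENT_HELLO:
        # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), null compression
        tail = b"\x00\x02\xc0\x2f" + b"\x01\x00"
    else:
        # ServerHello carries a single chosen suite and compression method
        tail = b"\xc0\x2f" + b"\x00"
    body = b"\x03\x03" + random_bytes + sid_field + tail
    handshake = bytes([hello_type]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(handshake)) + handshake


def ssl_hello_type(payload: bytes):
    """Mimic req_ssl_hello_type / rep_ssl_hello_type: the handshake type byte at offset 5.

    Returns None when the buffer is not a TLS handshake record.
    """
    if len(payload) < 6 or payload[0] != TLS_HANDSHAKE:
        return None
    return payload[5]


def payload_lv(payload: bytes, offset1: int, length: int, offset2: int = 0):
    """Mimic haproxy's payload_lv(offset1,length[,offset2]).

    Reads a big-endian length field of `length` bytes at `offset1`, then returns
    that many bytes starting right after the length field (shifted by offset2).
    Returns None if either the length field or the value would run past the buffer.
    """
    if offset1 < 0 or offset1 + length > len(payload):
        return None
    value_len = int.from_bytes(payload[offset1:offset1 + length], "big")
    start = offset1 + length + offset2
    if start < 0 or start + value_len > len(payload):
        return None
    return payload[start:start + value_len]


def session_id(payload: bytes):
    """Extract the SSL session ID the way 'stick on payload_lv(43,1)' would see it.

    Returns None if the buffer is not a Client/ServerHello or the ID is malformed;
    an empty bytes object means the hello carried a zero-length session ID.
    """
    if ssl_hello_type(payload) not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    sid = payload_lv(payload, 43, 1)
    if sid is None or len(sid) > 32:   # stick-table type binary len 32
        return None
    return sid


if __name__ == "__main__":
    hello = build_hello(CLIENT_HELLO, bytes.fromhex("00112233445566778899aabbccddeeff" * 2))
    print("hello type:", ssl_hello_type(hello))
    print("session id:", session_id(hello).hex())
    print("empty session id:", session_id(build_hello(SERVER_HELLO, b"")))
```

Running the block stand-alone prints the handshake type and the 32-byte session ID for the constructed ClientHello, and an empty value for a ServerHello built without one. Feeding it a non-handshake record (for example application data, type 0x17) yields None, which is the same outcome as the `clienthello` ACL not matching.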