On 2/6/2015 5:48 AM, Dennis Jacobfeuerborn wrote:
> Has somebody ever posted a working example configuration for haproxy
> that applies the improvements mentioned in the video?
> I tried to implement these recommendations but didn't seem to get
> results I was expecting. How exactly does one reliably test that the
> 1-RTT handshake is actually working?

Running on Ubuntu 14, I have used a bind configuration like this:

bind W.X.Y.Z:443 ssl crt testcert.pem npn http/1.1

The system includes an hourly cronjob that grabs the ocsp response,
which haproxy (or maybe it's openssl) automatically staples into the
certificate sent to the client.

This config reduced the SSL negotiation time greatly when compared to
haproxy on a CentOS 6 install, which uses a very old openssl version and
cannot do NPN.  I do not remember whether it was 1-RTT, but I don't
think it was.

I have these options in global:

        ssl-default-bind-ciphers        ALL:!DH:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
        ssl-default-server-ciphers      RC4-MD5

Thanks,
Shawn
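The question above about reliably testing what the server actually negotiates can be answered from the client side with plain openssl s_client. The script below is an added example, not code from Shawn's post or from haproxy: it asks the endpoint for a stapled OCSP response and offers http/1.1 via NPN, then checks the transcript for both. The host and port are assumptions; the two sample transcripts are constructed (abridged from the shape of s_client output) so the checks run without a network.

```shell
#!/bin/sh
# Added example, not code from the original post: verify from the client side
# that a TLS endpoint staples an OCSP response and negotiates http/1.1 via NPN,
# using plain openssl s_client. Host and port values are assumptions.

# Ask the server for a stapled OCSP response (-status) and offer http/1.1 via
# NPN (-nextprotoneg, understood by the OpenSSL 1.0.1 s_client on Ubuntu 14.04;
# newer builds would use -alpn instead). The full transcript goes to stdout.
probe_tls() {
    host="$1"
    port="${2:-443}"
    printf 'QUIT\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -status -nextprotoneg http/1.1 2>&1
}

# Succeed (exit 0) only if the transcript carries a stapled OCSP response with
# a successful status; "OCSP response: no response sent" fails this check.
has_ocsp_staple() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Succeed only if NPN settled on http/1.1.
negotiated_http11() {
    printf '%s\n' "$1" | grep -q 'Next protocol: (1) http/1.1'
}

# Summarise one transcript as a short verdict string.
verdict() {
    out="$1"
    if has_ocsp_staple "$out"; then s="stapled"; else s="not-stapled"; fi
    if negotiated_http11 "$out"; then n="npn-http/1.1"; else n="no-npn"; fi
    echo "$s $n"
}

# Constructed sample transcripts (abridged to the lines the checks look at)
# so the functions can be exercised without a network connection.
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
---
Next protocol: (1) http/1.1
---'

SAMPLE_BAD='CONNECTED(00000003)
OCSP response: no response sent
---'

# Offline demonstration; set PROBE_HOST (and optionally PROBE_PORT) to also
# probe a real endpoint.
verdict "$SAMPLE_GOOD"
verdict "$SAMPLE_BAD"
if [ -n "${PROBE_HOST:-}" ]; then
    verdict "$(probe_tls "$PROBE_HOST" "${PROBE_PORT:-443}")"
fi
```

Run it against the haproxy frontend with `PROBE_HOST=W.X.Y.Z sh check_tls.sh`; a frontend whose hourly cron job has fetched a fresh OCSP response should report "stapled", and the NPN bind option should show up as "npn-http/1.1". If the stapling check fails right after a restart, look at whether the .ocsp file next to the certificate is current before blaming the bind line.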