On 2/6/2015 5:48 AM, Dennis Jacobfeuerborn wrote:
> Has somebody ever posted a working example configuration for haproxy
> that applies the improvements mentioned in the video?
> I tried to implement these recommendations but didn't seem to get
> results I was expecting. How exactly does one reliably test that the
> 1-RTT handshake is actually working?
Running on Ubuntu 14, I have used a bind configuration like this:

    bind W.X.Y.Z:443 ssl crt testcert.pem npn http/1.1

The system includes an hourly cronjob that grabs the OCSP response, which haproxy (or maybe it's openssl) automatically staples into the certificate sent to the client.

This config reduced the SSL negotiation time greatly when compared to haproxy on a CentOS 6 install, which uses a very old openssl version and cannot do NPN. I do not remember whether it was 1-RTT, but I don't think it was.

I have these options in global:

    ssl-default-bind-ciphers ALL:!DH:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
    ssl-default-server-ciphers RC4-MD5

Thanks,
Shawn
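The hourly OCSP job Shawn describes, written out as an added example (not code from the list post or from the haproxy project): it fetches and verifies a fresh response, stages it as `<cert>.ocsp` next to the certificate, pushes it into the running haproxy over the stats socket, and checks from the outside whether a staple is actually being served. The file paths, the stats socket location, and the `issuer.pem` name are assumptions; the `staple_state` check works on captured `openssl s_client -status` output so it can be exercised without a live server.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes haproxy >= 1.5 with a
# stats socket, the server cert chain and the issuing CA cert as PEM files,
# and GNU coreutils (base64 -w0). Paths below are placeholders.
set -eu

CERT=${CERT:-/etc/haproxy/testcert.pem}    # server cert + chain (assumed path)
ISSUER=${ISSUER:-/etc/haproxy/issuer.pem}  # issuing CA cert (assumed path)
SOCK=${SOCK:-/var/run/haproxy.sock}        # haproxy stats socket (assumed path)

# Fetch a fresh OCSP response for $CERT and stage it as $CERT.ocsp, the file
# haproxy loads next to the certificate. The response is verified against
# $ISSUER before it is moved into place, so a bad response is never staged.
refresh_ocsp() {
    uri=$(openssl x509 -in "$CERT" -noout -ocsp_uri)
    openssl ocsp -issuer "$ISSUER" -cert "$CERT" -url "$uri" \
        -CAfile "$ISSUER" -respout "$CERT.ocsp.tmp" >/dev/null
    mv "$CERT.ocsp.tmp" "$CERT.ocsp"
}

# Push the staged DER response into the running haproxy without a reload.
push_ocsp() {
    printf 'set ssl ocsp-response %s\n' "$(base64 -w0 "$CERT.ocsp")" \
        | socat stdio "unix-connect:$SOCK"
}

# Classify `openssl s_client -status` output read from stdin. Prints:
#   good    - a staple was sent and the stapled status is "good"
#   stapled - a staple was sent but the cert status is not "good"
#   none    - the server sent no OCSP staple at all
staple_state() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*"Cert Status: good"*) echo good ;;
        *"OCSP Response Status: successful"*)                     echo stapled ;;
        *)                                                        echo none ;;
    esac
}

# Live check against host:port; tells you whether the cronjob's work shows up.
check_staple() {   # usage: check_staple www.example.com 443
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" \
        -status 2>/dev/null | staple_state
}

# Cron entry, e.g. hourly:  CERT=... ISSUER=... /usr/local/bin/ocsp-refresh.sh refresh
case "${1:-}" in
    refresh) refresh_ocsp && push_ocsp ;;
    check)   check_staple "$2" "${3:-443}" ;;
esac
```

If `check_staple` reports `none` right after a refresh, haproxy was started before the `.ocsp` file existed and the socket push failed; if it reports `stapled` rather than `good`, inspect the staged response with `openssl ocsp -respin "$CERT.ocsp" -text` before trusting it.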