Hi Oliver,
> Hello guys,
>
> I'm having trouble with HAProxy 1.6.3 and TLS tickets, so let me
> explain my case here.
>
> I'm running HAProxy 1.6.3 (since December) and all was running fine.
> TLS ticket was explicitly disabled. The only downside of this setup is
> that after each reload, I have a CPU spike for a few seconds. I thought
> this was due to session renegotiation (right?)
>
> A few days ago, I decided to activate TLS-Ticket and use option
> tls-ticket-keys on bind lines. My hope was to remove this CPU spike, as
> session renegotiation should be faster.
> But CPU usage doubled! I disabled it by adding again
> "ssl-default-bind-options no-tls-tickets" and CPU usage returned to
> normal.
Ok, when you say CPU usage doubled do you mean the CPU usage after
a reload/restart, or do you mean CPU usage in general (even after not
reloading haproxy)?
> And /tmp/tls_ticket_keys generated with "openssl rand -base64 48"
> called 3x + appended at each reload.
By calling it 3 times you are basically destroying the old keys, making
sure that TLS tickets CANNOT be reused. You must only generate
a new key ONCE per reload.
Lukas
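As an added illustration of the rotation Lukas describes (not a script from the thread or from the HAProxy project), the function below appends exactly one new key per reload and keeps only the most recent keys, so tickets issued under the previous key stay decryptable. It assumes the 1.6 key format (48 random bytes, base64 on one line, newest key last) and that HAProxy needs at least 3 keys in the file; file path and key count are example values.

```shell
#!/bin/sh
# Rotate an HAProxy tls-ticket-keys file: generate ONE new key per reload and
# keep only the most recent KEEP keys, dropping the oldest.
# Assumed format: one base64-encoded 48-byte key per line, newest key last
# (the last key encrypts new tickets, older ones still decrypt); at least 3 keys.

KEEP="${KEEP:-3}"

# Emit one new 48-byte base64 key; uses openssl when present, /dev/urandom otherwise.
new_ticket_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 48
    else
        head -c 48 /dev/urandom | base64 | tr -d '\n'; echo
    fi
}

# key_count FILE: number of keys currently in FILE
key_count() { wc -l < "$1" | tr -d ' '; }

# newest_key FILE: the key HAProxy will use to encrypt new tickets (last line)
newest_key() { tail -n 1 "$1"; }

# rotate_tls_ticket_keys FILE [KEEP]
# Appends one new key, keeps the last KEEP lines, and replaces FILE atomically.
rotate_tls_ticket_keys() {
    file="$1"; keep="${2:-$KEEP}"
    tmp="$(mktemp "${file}.XXXXXX")"
    { [ -f "$file" ] && cat "$file"; new_ticket_key; } | tail -n "$keep" > "$tmp"
    # First run (or a short file): pad up to KEEP keys so HAProxy never sees too few.
    while [ "$(key_count "$tmp")" -lt "$keep" ]; do
        new_ticket_key >> "$tmp"
    done
    chmod 600 "$tmp"           # ticket keys are secrets; keep them unreadable to others
    mv -f "$tmp" "$file"       # atomic replace, then reload haproxy
}

# Example usage (hypothetical path): rotate_tls_ticket_keys /tmp/tls_ticket_keys 3
```

Run the rotation once right before each reload; running the generator three times per reload, as in the original setup, replaces every key and invalidates all outstanding tickets.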