Olivier Doucet reported the issue on the ML and tested that when using more than TLS_TICKETS_NO keys in the file, the CPU usage is much higher than expected.
Lukas Tribus then provided a test case which showed that resumption doesn't work at all in that case. This fix needs to be backported to 1.6. Signed-off-by: Nenad Merdanovic <[email protected]> --- src/ssl_sock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 1017388..994cdcc 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5406,8 +5406,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px fclose(f); /* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */ - i-=2; - keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i; + i -= 2; + keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i % TLS_TICKETS_NO; keys_ref->unique_id = -1; conf->keys_ref = keys_ref; -- 2.7.0
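Review bot: The comment above the assignment in bind_parse_tls_ticket_keys() still describes only the TLS_TICKETS_NO = 1 case. It should also say that the index is reduced modulo TLS_TICKETS_NO because the file may contain more keys than the array holds, for example "wrap the index when the file has more than TLS_TICKETS_NO keys". The value `i % TLS_TICKETS_NO` points at the penultimate key only if the load loop earlier in the function (outside this hunk) stores entries with the same modulus, so that is worth confirming and mentioning in the commit message. The `i-=2` to `i -= 2` whitespace change is unrelated to the fix and adds noise to the 1.6 backport; consider leaving that line untouched.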

