2016-03-30 21:22 GMT+02:00 Lukas Tribus <[email protected]>:
> Hi Janusz,
>
>> So there is no difference. Session ID based resumption works ok,
>> ticket based resumption is kinda broken in both versions. Are tickets
>> supposed to work properly with nbproc>1?
>
> I just tested it here, ticket based resumption works fine for me with
> nbproxy>1 in both 1.5.16 and current 1.7 head.
>
> Since you are also seeing it in 1.5.15, that doesn't seem to be the
> cause of this problem, but it is something you will have to fix
> because the CPU impact of broken resumption is plenty.
>
>
> You can disable tls ticket for now, since you probably want to
> troubleshoot the first issue, as per Nenad's suggestion.

About the CPU problem. Reverting 7610073a indeed fixes my problem. If anyone has any idea what is the problem with this commit I am willing to test patches :)

Some more details about my setup. All servers have moderate traffic (200-500mbit/s in peak). I do both plain HTTP and HTTPS + some small traffic in TCP mode (also both with and without TLS). I also make extensive use of unix sockets for HTTP/2 support (decrypted HTTP/2 traffic is routed via unix socket to nghttpx and then arrives back on another socket as HTTP/1.1).

I am well aware that broken resumption is a bad thing. However, I've looked through haproxy 1.5 code and I don't quite understand how tickets are supposed to work with nbproc>1. The only code related to TLS tickets in 1.5 is the code to disable them. Otherwise OpenSSL defaults are used, which means OpenSSL will generate a random key to encrypt/decrypt tickets. Unless I've missed something it means that each haproxy process will have different keys and tickets will not work across different processes.

Are you sure that during your tests traffic hit at least two different processes? If a single one accepted all the connections then resumption with tickets will work; it will break as soon as another process accepts a resumption attempt.

--
Janusz Dziemidowicz
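
The per-process ticket key behaviour described in the message above, as an added example that is not part of the original thread and is not haproxy or OpenSSL code. It is a simplified Python model in which `TicketKey`, `Worker` and `compare` are hypothetical names, and a ticket carries only a key name and an HMAC (loosely following the key_name plus MAC layout recommended in RFC 5077, with no encryption of the session state).

```python
import hashlib
import hmac
import os


class TicketKey:
    """Constructed stand-in for a ticket key: a public name plus a MAC secret."""
    def __init__(self):
        self.name = os.urandom(16)
        self.secret = os.urandom(32)


class Worker:
    """Models one process. With no key passed in, it generates its own
    random key, which is the default behaviour the message describes."""
    def __init__(self, key=None):
        self.key = key or TicketKey()

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.key.secret, data, hashlib.sha256).digest()

    def issue_ticket(self, state: bytes) -> bytes:
        body = self.key.name + state
        return body + self._mac(body)

    def resume(self, ticket: bytes):
        """Return the session state, or None, meaning a full handshake."""
        body, mac = ticket[:-32], ticket[-32:]
        if body[:16] != self.key.name:      # ticket made under another key
            return None
        if not hmac.compare_digest(mac, self._mac(body)):
            return None                     # tampered or corrupted ticket
        return body[16:]


def resumption_rate(workers) -> float:
    """Issue a ticket on each worker and present it to every worker,
    as if the listener spread resumption attempts evenly."""
    results = [acceptor.resume(issuer.issue_ticket(b"constructed-state"))
               for issuer in workers for acceptor in workers]
    return sum(r is not None for r in results) / len(results)


def compare(nbproc: int = 4):
    """Return (rate with independent keys, rate with one shared key)."""
    independent = [Worker() for _ in range(nbproc)]
    shared_key = TicketKey()
    shared = [Worker(shared_key) for _ in range(nbproc)]
    return resumption_rate(independent), resumption_rate(shared)


if __name__ == "__main__":
    print("independent keys: %.2f, shared key: %.2f" % compare(4))
```

With independent keys the modelled resumption rate is 1/nbproc, so a test in which one process happens to accept every connection would show tickets working.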

