> I am well aware that broken resumption is a bad thing. However, I've
> looked through haproxy 1.5 code and I don't quite understand how
> tickets are supposed to work with nbproc>1. The only code related to
> TLS tickets in 1.5 is the code to disable them. Otherwise OpenSSL
> defaults are used, which means OpenSSL will generate a random key to
> encrypt/decrypt tickets. Unless I've missed something it means that
> each haproxy process will have different keys and tickets will not
> work across different processes.
>
> Are you sure that during your tests traffic hit at least two different
> processes? If a single one accepted all the connections then
> resumption with tickets will work, it will break as soon as another
> process accepts resumption attempt.

Pretty sure, I killed one process after another in between the tests.

I also compiled with USE_PRIVATE_CACHE=1 to disable inter-process session ID caching, and I can see that session caching definitely fails (which is expected if hitting different processes with private cache) while TLS ticketing works fine:

https://gist.github.com/lukastribus/b1815c392512b42167f7578e085a422f

Nenad, can you confirm or clarify expected TLS ticketing behavior in nbproc mode when OpenSSL is generating the TLS ticket key?

thanks,
lukas

