2016-03-31 12:21 GMT+02:00 Lukas Tribus <[email protected]>:
> Pretty sure, I killed one process after another in between the tests.
>
> I also compiled with USE_PRIVATE_CACHE=1 to disable inter process
> session ID caching, and I can see that session caching definitely
> fails (which is expected if hitting different processes with private cache)
> while tls ticketing works fine:
>
> https://gist.github.com/lukastribus/b1815c392512b42167f7578e085a422f
>
>
> Nenad, can you confirm or clarify expected tls ticketing behavior
> in nbproc mode when openssl is generating the tls ticket key?

OK, I've launched vanilla haproxy 1.6.4 from Debian testing and I
believe I know what is going on. If I configure a single listening
socket, like this:

  bind :443 ssl alpn http/1.1 crt /etc/ssl/snakeoil.pem

everything works fine, including tickets. However, if I configure
multiple listening sockets, to take advantage of SO_REUSEPORT (and
that is exactly what I have on my production haproxy 1.5):

  bind :443 process 1 ssl alpn http/1.1 crt /etc/ssl/snakeoil.pem
  bind :443 process 2 ssl alpn http/1.1 crt /etc/ssl/snakeoil.pem
  bind :443 process 3 ssl alpn http/1.1 crt /etc/ssl/snakeoil.pem
  bind :443 process 4 ssl alpn http/1.1 crt /etc/ssl/snakeoil.pem

Then tickets do not work properly. Session ID based resumption works
correctly in both cases, which might be a bit confusing for users.

Obviously, on 1.6 I can use tls-ticket-keys which makes tickets work
properly in all cases.

-- 
Janusz Dziemidowicz
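
Added example, not part of the original message and not HAProxy's own code: a Python sketch that generates, validates and rotates a key file for the tls-ticket-keys option mentioned above, so that every "bind ... process N" line shares the same ticket keys. The file path and function names are assumptions; the file format (at least three base64-encoded 48-byte keys, the penultimate one used for encryption) follows the HAProxy 1.6 documentation.

```python
import base64
import os
import secrets

# Assumed usage on each bind line (path is a placeholder):
#   bind :443 process 1 ssl crt ... tls-ticket-keys /etc/haproxy/ticket.keys
KEY_BYTES = 48  # HAProxy 1.6: 48-byte keys, base64, one per line
MIN_KEYS = 3    # default TLS_TICKETS_NO build option


def new_key():
    """Return one fresh ticket key in the form HAProxy reads."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def validate(lines):
    """Return a list of problems in the key file lines (empty list = OK)."""
    keys = [l.strip() for l in lines if l.strip()]
    problems = []
    if len(keys) < MIN_KEYS:
        problems.append(f"need at least {MIN_KEYS} keys, found {len(keys)}")
    for n, key in enumerate(keys, 1):
        try:
            raw = base64.b64decode(key, validate=True)
        except ValueError:
            problems.append(f"key {n}: not valid base64")
            continue
        if len(raw) != KEY_BYTES:
            problems.append(f"key {n}: {len(raw)} bytes, expected {KEY_BYTES}")
    if len(set(keys)) != len(keys):
        problems.append("duplicate keys")
    return problems


def rotate(lines, keep=MIN_KEYS):
    """Append a new key and keep the newest `keep` keys.

    The new key lands last, so it only decrypts until the next rotation;
    the previous newest key becomes the penultimate (encrypting) one.
    """
    keys = [l.strip() for l in lines if l.strip()]
    while len(keys) < keep - 1:  # first run: pad an empty or short file
        keys.append(new_key())
    keys.append(new_key())
    return keys[-keep:]


def write_keys(path, keys):
    """Write the key file with mode 0600, replacing it atomically."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(keys) + "\n")
    os.replace(tmp, path)
```

HAProxy reads the file at startup, so a rotation only takes effect after a reload, and all processes then pick up the same keys.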

