Greetings,

We have been load testing 1.8.3 and noticed SSL caching was broken in 1.8
during the shctx refactoring.

New SSL connections will cache up until tune.ssl.cachesize, then no
connections will ever be cached again.

In haproxy 1.7 and before, the SSL cache works correctly as an LRU cache.


Example configuration file, haproxy-ssl-cache.cfg, with cachesize set to 3
to easily reproduce:

global
    ssl-default-bind-ciphers HIGH:!aNULL:!MD5
    ssl-default-bind-options no-sslv3 no-tls-tickets
    tune.ssl.default-dh-param 2048
    tune.ssl.cachesize 3
    tune.ssl.lifetime 60

defaults
    stats enable
    stats uri /haproxy/stats

frontend some-frontend
    bind :8443 ssl crt self-signed.pem
    mode http
    timeout client 15s
    timeout http-request 15s
    use_backend some-backend

backend some-backend
    mode http
    timeout connect 1s
    timeout queue 0s
    timeout server 1s
    server some-server 127.0.0.1:8091 check


Example script to build and test on macosx:

srcdir=haproxy-1.8

# Install openssl library
brew install openssl

# Build HAProxy with OpenSSL support (one make invocation)
make -C $srcdir TARGET=osx USE_OPENSSL=1 \
    SSL_INC=/usr/local/opt/openssl/include \
    SSL_LIB=/usr/local/opt/openssl/lib USE_ZLIB=1

# Generate self signed cert; the .pem handed to "bind ... crt" must hold the
# certificate followed by the key, so write it fresh rather than appending
openssl req -newkey rsa:2048 -nodes -keyout self-signed.key -x509 -days 365 \
    -out self-signed.crt \
    -subj "/C=US/ST=Pennsylvania/L=Philadelphia/O=HAProxy/OU=QA/CN=localhost"
cat self-signed.crt self-signed.key >self-signed.pem

# Run HAProxy
$srcdir/haproxy -f haproxy-ssl-cache.cfg &

# Demonstrate failure to cache new sessions after cache fills.
# -reconnect performs the initial handshake plus 5 reconnects with the same
# session; -no_ticket forces resumption through the server-side session
# cache instead of TLS session tickets, so "Reused" means a cache hit.
openssl s_client -connect localhost:8443 -reconnect -no_ticket \
    </dev/null 2>verify.err | egrep 'New|Reused' # PASS: 1 New, 5 Reused
openssl s_client -connect localhost:8443 -reconnect -no_ticket \
    </dev/null 2>verify.err | egrep 'New|Reused' # PASS: 1 New, 5 Reused
openssl s_client -connect localhost:8443 -reconnect -no_ticket \
    </dev/null 2>verify.err | egrep 'New|Reused' # PASS: 1 New, 5 Reused
openssl s_client -connect localhost:8443 -reconnect -no_ticket \
    </dev/null 2>verify.err | egrep 'New|Reused' # FAIL: 6 New

# Demonstrate failure to evict old entries from cache
# (tune.ssl.lifetime is 60, so every cached session has expired by now)
sleep 65
openssl s_client -connect localhost:8443 -reconnect -no_ticket \
    </dev/null 2>verify.err | egrep 'New|Reused' # FAIL: 6 New


This appears to be independent of target and openssl version; we have
reproduced it on linux2628 openssl 1.0.1k-fips and osx openssl 1.0.2n.

Any insights appreciated.

Thanks,
Jeffrey J. Persch
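The following is an added example and is not part of the original post or of
HAProxy itself: a scripted form of the reproduction above that can be kept as
a regression check. count_sessions parses the output of "openssl s_client
-reconnect", verdict maps the counts to PASS/FAIL, and reproduce runs the
fill-then-expire sequence against a live HAProxy. The defaults (localhost,
8443, cachesize 3, lifetime 60) are taken from the posted
haproxy-ssl-cache.cfg; the embedded s_client transcripts are constructed
samples for offline checking of the parser, not captures from a real run.

```shell
#!/bin/sh
# Added example (not from the original post): scripted check of the
# HAProxy server-side SSL session cache using openssl s_client -reconnect.

# Read s_client output on stdin and print "<new> <reused>".
# s_client -reconnect prints one "New, ..." or "Reused, ..." line per
# handshake: the initial connection plus five reconnects.
count_sessions() {
    new=0
    reused=0
    while IFS= read -r line; do
        case $line in
            New,*)    new=$((new + 1)) ;;
            Reused,*) reused=$((reused + 1)) ;;
        esac
    done
    echo "$new $reused"
}

# Map "<new> <reused>" counts to a result. A working server-side cache
# gives 1 New and 5 Reused; a full, non-evicting cache gives 6 New.
verdict() {
    if [ "$1" -eq 1 ] && [ "$2" -eq 5 ]; then
        echo PASS
    elif [ "$2" -eq 0 ]; then
        echo "FAIL: no session reuse (cache full or eviction broken)"
    else
        echo "PARTIAL: $1 New, $2 Reused"
    fi
}

# One s_client -reconnect run against host:port. -no_ticket forces
# resumption through the server cache instead of TLS session tickets,
# which is the code path under test.
probe() {
    openssl s_client -connect "$1:$2" -reconnect -no_ticket </dev/null 2>/dev/null \
        | count_sessions
}

# Full reproduction: cachesize+1 fresh sessions, then one more after the
# lifetime has passed. On a correct LRU cache every run should PASS; on
# 1.8.3 only the first cachesize runs do.
reproduce() {
    host=${1:-localhost}; port=${2:-8443}
    cachesize=${3:-3}; lifetime=${4:-60}
    i=1
    while [ "$i" -le $((cachesize + 1)) ]; do
        echo "session $i: $(verdict $(probe "$host" "$port"))"
        i=$((i + 1))
    done
    sleep $((lifetime + 5))
    echo "after lifetime: $(verdict $(probe "$host" "$port"))"
}

# Constructed s_client transcripts (not captures) for offline checking of
# the parser: the working case and the failing case described in the post.
SAMPLE_PASS='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Offline self-check of the parser against the constructed samples.
selfcheck() {
    printf '%s\n' "$SAMPLE_PASS" | count_sessions   # 1 5
    printf '%s\n' "$SAMPLE_FAIL" | count_sessions   # 6 0
}

# The live reproduction needs a running HAProxy, so it only starts when
# asked: RUN_LIVE=1 sh ssl-cache-check.sh [host] [port] [cachesize] [lifetime]
if [ "${RUN_LIVE:-0}" = 1 ]; then
    reproduce "$@"
fi
```

The parser only keys on the leading "New," / "Reused," of each s_client
line, so it is unaffected by the cipher or protocol version printed after
it; verify.err from the original commands can be piped through
count_sessions the same way.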
