Greetings, We have been load testing 1.8.3 and noticed SSL caching was broken in 1.8 during the shctx refactoring.
New SSL connections will cache up until tune.ssl.cachesize, then no connections will ever be cached again. In haproxy 1.7 and before, the SSL cache works correctly as a LRU cache.

Example configuration file, haproxy-ssl-cache.cfg, with cachesize set to 3 to easily reproduce:

global
    ssl-default-bind-ciphers HIGH:!aNULL:!MD5
    ssl-default-bind-options no-sslv3 no-tls-tickets
    tune.ssl.default-dh-param 2048
    tune.ssl.cachesize 3
    tune.ssl.lifetime 60

defaults
    stats enable
    stats uri /haproxy/stats

frontend some-frontend
    bind :8443 ssl crt self-signed.pem
    mode http
    timeout client 15s
    timeout http-request 15s
    use_backend some-backend

backend some-backend
    mode http
    timeout connect 1s
    timeout queue 0s
    timeout server 1s
    server some-server 127.0.0.1:8091 check

Example script to build and test on macOS:

srcdir=haproxy-1.8

# Install openssl library
brew install openssl

# Build HAProxy with OpenSSL support
make -C $srcdir TARGET=osx USE_OPENSSL=1 SSL_INC=/usr/local/opt/openssl/include SSL_LIB=/usr/local/opt/openssl/lib USE_ZLIB=1

# Generate self signed cert
openssl req -newkey rsa:2048 -nodes -keyout self-signed.key -x509 -days 365 -out self-signed.crt -subj "/C=US/ST=Pennsylvania/L=Philadelphia/O=HAProxy/OU=QA/CN=localhost"
cat self-signed.crt self-signed.key >>self-signed.pem

# Run HAProxy
$srcdir/haproxy -f haproxy-ssl-cache.cfg &

# Demonstrate failure to cache new sessions after cache fills
openssl s_client -connect localhost:8443 -reconnect -no_ticket </dev/null 2>verify.err | egrep 'New|Reused'  # PASS: 1 New, 5 Reused
openssl s_client -connect localhost:8443 -reconnect -no_ticket </dev/null 2>verify.err | egrep 'New|Reused'  # PASS: 1 New, 5 Reused
openssl s_client -connect localhost:8443 -reconnect -no_ticket </dev/null 2>verify.err | egrep 'New|Reused'  # PASS: 1 New, 5 Reused
openssl s_client -connect localhost:8443 -reconnect -no_ticket </dev/null 2>verify.err | egrep 'New|Reused'  # FAIL: 6 New

# Demonstrate failure to evict old entries from cache
sleep 65
openssl s_client -connect localhost:8443 -reconnect -no_ticket </dev/null 2>verify.err | egrep 'New|Reused'  # FAIL: 6 New

This appears to be independent of target & openssl version, we have reproduced on linux2628 openssl 1.0.1k-fips and osx openssl 1.0.2n.

Any insights appreciated.

Thanks,
Jeffrey J. Persch
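Added example, not part of Jeffrey's report and not HAProxy's own code: a small POSIX shell helper that turns the `openssl s_client -reconnect` output from the reproduction above into a New/Reused count and a PASS/FAIL verdict, so the "cachesize + 1" regression can be checked by a script instead of by eye. It assumes s_client prints one line starting with "New," or "Reused," per handshake, as the egrep output in the post shows. `probe_host` and `check_series` are hypothetical helper names that need a live listener; `sample_pass` and `sample_fail` are constructed stand-ins for a live server shaped like the "1 New, 5 Reused" and "6 New" runs in the report, so the counting and verdict logic runs offline.

```shell
#!/bin/sh
# Added example (not from the original report): script the cache check above.
# Assumes openssl s_client -reconnect prints one "New, ..." or "Reused, ..."
# line per handshake, as in the post's egrep output.

# count_sessions: read s_client output on stdin, print "<new> <reused>".
count_sessions() {
    awk '/^New,/ { n++ } /^Reused,/ { r++ } END { printf "%d %d\n", n + 0, r + 0 }'
}

# verdict: take "<new> <reused>" and print PASS when at least one of the
# reconnects resumed a cached session, FAIL when every handshake was a full
# one (the "6 New" pattern that signals the session was never cached).
verdict() {
    set -- $1
    if [ "${2:-0}" -gt 0 ]; then
        echo PASS
    else
        echo FAIL
    fi
}

# probe_host (hypothetical helper): one -reconnect run against host:port,
# reduced to "<new> <reused>". Needs a live HAProxy; not exercised offline.
probe_host() {
    openssl s_client -connect "$1:$2" -reconnect -no_ticket </dev/null 2>/dev/null \
        | count_sessions
}

# check_series (hypothetical helper): run probe_host N times. Each run creates
# one new session, so N > tune.ssl.cachesize is what exercises eviction. A
# working LRU cache gives PASS on every run; the behaviour in the report gives
# FAIL from run cachesize+1 onwards.
check_series() {
    host=$1; port=$2; runs=$3
    i=1
    while [ "$i" -le "$runs" ]; do
        counts=$(probe_host "$host" "$port")
        echo "run $i: $counts -> $(verdict "$counts")"
        i=$((i + 1))
    done
}

# sample_pass / sample_fail: constructed s_client output standing in for a live
# server ("1 New, 5 Reused" and "6 New"). Cipher names are illustrative.
sample_pass() {
    printf 'New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n'
    i=0
    while [ "$i" -lt 5 ]; do
        printf 'Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n'
        i=$((i + 1))
    done
}
sample_fail() {
    i=0
    while [ "$i" -lt 6 ]; do
        printf 'New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n'
        i=$((i + 1))
    done
}

# Offline demonstration on the constructed samples:
echo "pass sample: $(sample_pass | count_sessions) -> $(verdict "$(sample_pass | count_sessions)")"
echo "fail sample: $(sample_fail | count_sessions) -> $(verdict "$(sample_fail | count_sessions)")"
# Live use, after the haproxy start line in the report: check_series localhost 8443 4
```

With the report's cachesize of 3, `check_series localhost 8443 4` is the scripted form of the four s_client lines above: three PASS runs followed by a FAIL on run 4. Re-running it after `sleep 65` (past tune.ssl.lifetime) is the scripted form of the eviction check.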