Hi again I just saw that I posted an error in the 2.2.4 config file, this should be the correct one:
----------------------------------------------------------------------------------------------------------------- global # Disable SSLv3 and, for now, TLS 1.3 ssl-default-bind-options ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.2 # Lower default dh param (remove this once java7 is no longer a problem) tune.ssl.default-dh-param 1024 # For TLS <= 1.2 (if enabled) # Per https://wiki.mozilla.org/Security/Server_Side_TLS, configuration: old (backward compatibility), remove DHE-* and DES-* ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA # For TLS = 1.3 (if enabled) # Per https://wiki.mozilla.org/Security/Server_Side_TLS, configuration: modern (compatibility) ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 tune.ssl.lifetime 24h tune.ssl.cachesize 100000 ----------------------------------------------------------------------------------------------------------------- Best regards Johan -----Original Message----- From: Lukas Tribus <[email protected]> Sent: den 3 februari 2021 14:03 To: Johan Andersson <[email protected]> Cc: [email protected] Subject: Re: SSL session resumption Hello Johan, we are gonna need the outputs of "haproxy -vv" from both situations, as well as at the very least *all* the ssl configuration parameters in haproxy that you are using. However, I do not believe it is likely that we can find the root cause, without access to those handshakes, since it cannot be reproduced by openssl s_client. What definitely changed in haproxy 2.2 is that the default minimum TLS version is now 1.2. To rollback to TLS 1.0 you can configure: global ssl-default-bind-options ssl-min-ver TLSv1.0 Regards, Lukas On Wed, 3 Feb 2021 at 13:36, Johan Andersson <[email protected]> wrote: > > To whom it may concern > > > > We have recently upgraded out HAProxy version from 2.1.3 to 2.2.4. > > After the upgrade we got customer complaints that the data usage of their > devices had gone up. Our company sells proprietary hardware that logs data > and sends that to a web service which we host. These devices are often > deployed remotely and connected via shaky 3G connections with data-capped SIM > cards, so low data usage is very important. > > After some digging with Wireshark, we found that the SSL sessions are not > resumed. Instead a new handshake is initiated every time the device sends > data. Which is typically once an hour. > > We have set the global tune.ssl.lifetime parameter to 24h and the > tune.ssl.cachesize to 100000 and this has worked since HAProxy version 1.6.9 > when we first introduced it. > > We have also tested with the latest 2.1.11 release of HAProxy and it behaves > the same way as the 2.1.3 version. We have also tested with 2.2.0 and 2.2.8 > and they behave the same as 2.2.4. > > > > We have tried reproducing this with openssl s_client, saving the session id > between requests but can’t reproduce it that way. > > We have also pored over the change logs between versions to see if there is > some change that could make HAProxy behave this way. > > > > We’re at a loss here, what could cause this behavior, and how can we fix it? > > > > > > Best regards > > > > Johan Andersson > > Development Engineer > > Global Platforms Cloud Team > > > > HMS Industrial Networks AB > > Stationsgatan 37, Box 4126 > > 300 04 Halmstad, Sweden > > > > Email: [email protected] > > > > > > HALMSTAD | BARCELONA | BEIJING | BOSTON | BUCHEN | CHICAGO | COVENTRY > | DEN BOSCH | DUBAI | IGUALADA | > > KARLSRUHE | MILAN | MULHOUSE | NIVELLES | PUNE | RAVENSBURG | SEOUL | > SINGAPORE | TOKYO | WETZLAR > >
