On Fri, Jun 11, 2021 at 06:48:09PM -0600, Shawn Heisey wrote:
> I'm fiddling with ssl labs to see how I can improve my TLS setup.
>
> Here's what they say about a site I have behind haproxy with TLS:
>
> https://www.elyograg.org/foo/haproxy-ssllabs-session-resumption-not-working.png
>
> They claim that session resumption isn't working. I'm hoping that I've just
> done something wrong... which will be bad for my ego but great for getting
> problems fixed. I did have the option to disable tls tickets, but when I
> took it out, my ssl labs grade didn't go down, so it's still not there.
>
> This is what I have in the global section:
>
> global
>   log 127.0.0.1 len 65535 format rfc5424 local0
>   log 127.0.0.1 len 65535 format rfc5424 local1 notice
>   maxconn 4096
>   daemon
>   spread-checks 2
>   tune.bufsize 65536
>   tune.http.logurilen 49152
>   tune.ssl.cachesize 100000
>   tune.ssl.lifetime 900
>   ssl-server-verify none
>   tune.ssl.default-dh-param 2048
>   ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
>   ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
>   ssl-default-server-ciphers
>   RC4-MD5:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:AES256-SHA:AES256-SHA256
>   stats socket /etc/haproxy/stats.socket
>
> I don't think there's anything else in the config that could affect this,
> but if there is something that would help diagnose, let me know.
I don't know if the config is responsible for this, but I've just tested on
haproxy.org and it does work there:

  Session resumption (caching)   Yes
  Session resumption (tickets)   Yes

Our bind line looks like this:

  bind :443 ssl alpn h2,http/1.1 npn h2,http/1.1 no-sslv3 crt ... ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS:!EDH ecdhe prime256v1

and we don't have any ssl-default-* nor tune.ssl.* setting. Maybe you could
start bisecting among these parameters.

Willy
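While bisecting the global settings, it helps to check the two resumption mechanisms SSL Labs reports (session-ID caching and tickets) locally after each change rather than re-running the external scan. The script below is an added example, not code from the thread or from haproxy: it drives `openssl s_client -reconnect` (one full handshake followed by five reconnects), once with tickets allowed and once with `-no_ticket` so only the server-side cache can resume, and counts the `Reused,`/`New,` result lines. The hostname argument and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify TLS session resumption per
# mechanism, the way SSL Labs reports it. Usage: ./check-resumption.sh HOST

# Count resumed vs. fresh handshakes in s_client -reconnect output.
# s_client prints one status line per handshake, starting "Reused," or "New,".
summarize_resumption() {
    # stdin: s_client output; stdout: "reused=<n> new=<n>"
    awk '/^Reused,/ {r++} /^New,/ {n++} END {printf "reused=%d new=%d\n", r+0, n+0}'
}

# Return success when the summary shows at least one resumed handshake.
resumption_works() {
    case "$1" in
        "reused=0 "*) return 1 ;;
        reused=*)     return 0 ;;
        *)            return 1 ;;
    esac
}

# Live probe (needs network). mode "tickets": tickets allowed, so either
# mechanism may resume. mode "cache": -no_ticket, so only the server's
# session cache (tune.ssl.cachesize / lifetime in haproxy) can resume.
# TLS 1.2 is pinned because that is the resumption SSL Labs' row refers to.
probe() {
    host=$1; mode=$2; extra=""
    [ "$mode" = cache ] && extra="-no_ticket"
    openssl s_client -connect "$host:443" -servername "$host" \
        -tls1_2 -reconnect $extra </dev/null 2>/dev/null | summarize_resumption
}

# Constructed sample: one full handshake, then five reconnects that resumed.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample: every reconnect fell back to a full handshake, which is
# what an SSL Labs "session resumption not working" verdict corresponds to.
SAMPLE_BROKEN='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

if [ -n "$1" ]; then
    echo "tickets: $(probe "$1" tickets)"
    echo "cache:   $(probe "$1" cache)"
fi
```

If the `cache` line reports `reused=0` while `tickets` resumes, the ticket path is fine and the session cache is what to look at; if both report `reused=0`, neither mechanism is working.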