On Fri, Jun 11, 2021 at 06:48:09PM -0600, Shawn Heisey wrote:
> I'm fiddling with ssl labs to see how I can improve my TLS setup.
> 
> Here's what they say about a site I have behind haproxy with TLS:
> 
> https://www.elyograg.org/foo/haproxy-ssllabs-session-resumption-not-working.png
> 
> They claim that session resumption isn't working.  I'm hoping that I've just
> done something wrong... which will be bad for my ego but great for getting
> problems fixed.  I did have the option to disable tls tickets, but when I
> took it out, my ssl labs grade didn't go down, so it's still not there.
> 
> This is what I have in the global section:
> 
> global
>         log 127.0.0.1   len 65535 format rfc5424 local0
>         log 127.0.0.1   len 65535 format rfc5424 local1 notice
>         maxconn 4096
>         daemon
>         spread-checks   2
>         tune.bufsize    65536
>         tune.http.logurilen     49152
>         tune.ssl.cachesize 100000
>         tune.ssl.lifetime       900
>         ssl-server-verify       none
>         tune.ssl.default-dh-param       2048
>         ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
>         ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
>         ssl-default-server-ciphers RC4-MD5:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:AES256-SHA:AES256-SHA256
>         stats socket /etc/haproxy/stats.socket
> 
> I don't think there's anything else in the config that could affect this,
> but if there is something that would help diagnose, let me know.

I don't know if the config is responsible for this but I've just tested
on haproxy.org and it does work there:

  Session resumption (caching)  Yes
  Session resumption (tickets)  Yes

Our bind line looks like this:

        bind            :443 ssl alpn h2,http/1.1 npn h2,http/1.1 no-sslv3 crt ... ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS:!EDH ecdhe prime256v1

and we don't have any ssl-default-* nor tune.ssl.* setting. Maybe you
could start bisecting among these parameters.

Willy

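The bisection Willy suggests is easier if the two SSL Labs rows ("Session resumption (caching)" and "Session resumption (tickets)") can be reproduced locally after every config change. The script below is an added example, not code from the thread or from the haproxy project: it runs a pair of `openssl s_client` handshakes per mode, saving the session from the first and presenting it on the second, and reads the "Reused"/"New" verdict that s_client prints. Cache-based resumption (what tune.ssl.cachesize and tune.ssl.lifetime govern) is probed with -no_ticket so only the server's session cache can answer; ticket resumption is probed without that flag. It pins TLS 1.2 because session-ID caching does not exist in TLS 1.3, and because the quoted config already disables TLS 1.0/1.1. It assumes OpenSSL 1.1.1 or later on PATH; the function names and the host/port arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the SSL Labs session
# resumption checks against one TLS endpoint with openssl s_client.
# Usage: ./tls-resume.sh www.example.org 443      (host/port are placeholders)

# Classify one s_client transcript as "resumed", "new" or "unknown".
# s_client prints "Reused, TLSv1.2, Cipher is ..." when the server accepted the
# session presented via -sess_in, and "New, ..." when it ran a full handshake.
classify_session() {
    case "$1" in
        *"Reused, TLS"*) echo resumed ;;
        *"New, TLS"*)    echo new ;;
        *)               echo unknown ;;
    esac
}

# Did the server hand out a session ticket on this handshake? s_client dumps
# a "TLS session ticket:" block when one was received. Distinguishes "tickets
# disabled on the server" from "ticket issued but rejected on reuse".
ticket_issued() {
    case "$1" in
        *"TLS session ticket:"*) echo yes ;;
        *)                       echo no ;;
    esac
}

# Two handshakes with the same extra flags: the first saves the session to a
# temp file, the second presents it. Prints the verdict of the second plus
# whether the first one got a ticket.
resume_pair() {
    host=$1
    port=$2
    shift 2
    sess=$(mktemp) || return 1
    # "sleep 1 |" keeps stdin open briefly so s_client does not exit on EOF
    # before post-handshake messages (e.g. a ticket) have arrived.
    first=$(sleep 1 | openssl s_client -connect "$host:$port" -servername "$host" \
        "$@" -sess_out "$sess" 2>/dev/null || true)
    second=$(sleep 1 | openssl s_client -connect "$host:$port" -servername "$host" \
        "$@" -sess_in "$sess" 2>/dev/null || true)
    rm -f "$sess"
    printf '%s (ticket issued on first handshake: %s)\n' \
        "$(classify_session "$second")" "$(ticket_issued "$first")"
}

probe_resumption() {
    host=$1
    port=${2:-443}
    # Caching: forbid tickets so resumption can only succeed through the
    # server-side session cache (haproxy: tune.ssl.cachesize / tune.ssl.lifetime).
    printf 'Session resumption (caching)  %s\n' \
        "$(resume_pair "$host" "$port" -tls1_2 -no_ticket)"
    # Tickets: stateless resumption; needs the server to issue and accept a ticket.
    printf 'Session resumption (tickets)  %s\n' \
        "$(resume_pair "$host" "$port" -tls1_2)"
}

if [ $# -gt 0 ]; then
    probe_resumption "$@"
fi
```

Run it once against the haproxy frontend, change one of the ssl-default-* or tune.ssl.* lines, reload, and run it again; a "new" verdict on the caching row with a "yes" on ticket issuance points at the session cache (size or lifetime), while "no" on ticket issuance with tickets expected points at the ticket setup. Note that a reload rotates haproxy's ticket keys unless a tls-ticket-keys file is configured, so a ticket obtained before a reload is legitimately rejected afterwards.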