On 6/17/2021 1:01 AM, Willy Tarreau wrote:
> I don't know if the config is responsible for this but I've just tested
> on haproxy.org and it does work there:
> Session resumption (caching) Yes
> Session resumption (tickets) Yes
Many thanks to everyone who replied, and countless people who published
comments and articles on the Internet. You're awesome.
I've managed to get my SSL Labs grade to A+. I really like testssl.sh.
I've only got one remaining yellow item on the testssl report:
BREACH (CVE-2013-3587) potentially NOT ok, "gzip"
HTTP compression detected. - only supplied "/" tested
This is what SSL Labs now says for the thing that started this thread:
Session resumption (caching) No (IDs assigned but not accepted)
Session resumption (tickets) Yes
I'd like to get the caching item fixed, but I haven't figured that out
yet. Hoping that getting the tickets working is enough for most
clients. Not that I feel TLS is slow at all, seems zippy enough. Any
chance that the problem is my openssl library rather than haproxy? It's
stock Ubuntu 18. Here's the openssl info from haproxy -vv:
Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
As for the list of functional clients that SSL Labs generates, people
using IE on anything older than Windows 10 are out of luck with my web
pages, as are those using Safari 8 and below. Java 6 and 7 are also
unsupported. I really do not care about people using those clients.
Upgrade your Java version or get a better browser.
Thanks,
Shawn