On Sun, Jun 20, 2021 at 11:31:10PM +0200, Willy Tarreau wrote:
> On Sun, Jun 20, 2021 at 11:16:15PM +0200, Lukas Tribus wrote:
> > Hello Shawn,
> >
> > On Sun, 20 Jun 2021 at 14:03, Shawn Heisey <hapr...@elyograg.org> wrote:
> > >
> > > On 6/20/2021 1:52 AM, Lukas Tribus wrote:
> > > > Can you try disabling threading, by putting nbthread 1 in your config?
> > >
> > > That didn't help. From testssl.sh:
> > >
> > > SSL Session ID support yes
> > > Session Resumption Tickets: yes, ID: no
> >
> > It's a haproxy bug, affecting 2.4 releases, I've filed an issue in our
> > tracker:
> >
> > https://github.com/haproxy/haproxy/issues/1297

Strangely, applying this method to haproxy.org still works for me:

  $ openssl s_client -connect haproxy.org:443 -reconnect -no_ticket -servername haproxy.org -tls1_2 2>/dev/null | grep -e "Cipher is"
  New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
  Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
  Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
  Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
  Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
  Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

So there might be something in the config or certificate that changes
the behavior. Or it was accidentally fixed in 2.5-dev but we've only
recently upgraded it. Or maybe the libssl there. For now I have no idea
what to check for so I think I'll first put a plain 2.4 there and try
to reproduce.

Willy
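
The check used in the message above, turned into a scriptable verdict. This is an added example, not part of the original thread or of HAProxy's code; the function names, verdict words and the constructed sample outputs are assumptions made for illustration.

```shell
#!/bin/sh
# Classify the output of `openssl s_client -reconnect -no_ticket`.
# -reconnect performs one initial handshake plus five reconnects, so a
# working session-ID cache shows 1 "New" line followed by 5 "Reused" lines.

# Reads s_client output on stdin, prints one verdict word (hypothetical names).
resumption_verdict() {
    awk '
        /^New, .*Cipher is/    { new++ }
        /^Reused, .*Cipher is/ { reused++ }
        END {
            if (new + reused == 0) print "no-handshake"   # connect/TLS failure
            else if (reused == 0)  print "not-resumed"    # every handshake was full
            else if (new > 1)      print "partial"        # cache hit only sometimes
            else                   print "resumed"
        }'
}

# Live check with the same flags as in the message (needs network access).
# -no_ticket rules out ticket resumption; -tls1_2 is kept because TLS 1.3
# has no session-ID resumption to test.
check_host() {
    openssl s_client -connect "$1:443" -reconnect -no_ticket \
        -servername "$1" -tls1_2 </dev/null 2>/dev/null | resumption_verdict
}

# Constructed sample: the healthy pattern quoted in the message.
sample_resumed() {
    echo "New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256"
    for _ in 1 2 3 4 5; do
        echo "Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256"
    done
}

# Constructed sample: what "ID: no" looks like, six full handshakes.
sample_not_resumed() {
    for _ in 1 2 3 4 5 6; do
        echo "New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256"
    done
}

# Constructed sample: only some reconnects hit the session cache.
sample_partial() {
    sample_not_resumed | head -n 3
    sample_resumed | tail -n 3
}
```

Run `check_host haproxy.org` against a live server, or pipe saved s_client output into `resumption_verdict`.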