It took us a while to upgrade the environment to a newer version. I can confirm that the anomaly mentioned earlier was related to the timeouts set. A *timeout http-keep-alive* configuration change was required on 2.4.19, to avoid negative impact on the growth of the ssl key generated.

- * timeout http-keep-alive 500*
+ timeout http-keep-alive 40s
  timeout client 40s
  timeout server 40s

This case may have been specific to our configuration, but perhaps someone on the list will have a similar situation and will find it easier to resolve.

Thank you for your earlier help.

Regards
Tomek

On Mon, 23 May 2022 at 11:27, Tomasz Ludwiczak <to...@witryna.pl> wrote:

> Thank you for your reply
>
> I think it is related to these changes and the configuration we have for
> timeouts.
>
> http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=f5b2c3f1e65f57782afe30981031f122bd8ee24c
>
> http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=211fc0b5b060bc7b1f83e6514a8ceaeda7e65ee0
>
>     mode http
>     option allbackups
>     timeout http-request 5s
>     * timeout http-keep-alive 500*
>     timeout connect 5000
>     timeout client 40s
>     timeout server 40s
>     maxconn 100000
>
> We will try to confirm this and let you know.
>
> --
> regards
> Tomek
>
> On Fri, 20 May 2022 at 23:26, Willy Tarreau <w...@1wt.eu> wrote:
>
>> Hi Tomasz,
>>
>> On Fri, May 20, 2022 at 05:17:19PM +0200, Tomasz Ludwiczak wrote:
>> > Hi,
>> >
>> > I am seeing an increase in SSL Key Generation after upgrading from 2.4.15
>> > to 2.4.17. I have not changed the openssl version. Does anyone have an idea
>> > what this could be related to?
>> > I have looked at the changes from 2.4.16 and 2.4.17 and nothing obvious
>> > pointing to changes around TLS reuse.
>>
>> Interesting, I've reviewed the fixes merged between the two and cannot
>> find anything relevant. Do you have copies of the "show info" output
>> before the upgrade to compare before and after ? There are SSL lookups
>> and misses there. These could give some hints about what is happening.
>> Have you tried reverting to 2.4.15 to see if the problem disappears ?
>> We could for example imagine that it's concomitant with another change
>> that happened during the same upgrade (e.g. openssl lib upgrade), even
>> if I would find it unlikely as well. Are you certain you didn't change
>> any tuning option in the config between the two versions ? For example
>> reducing the size of the SSL session cache could make a difference.
>>
>> It would be useful if you could also test with 2.4.16 to help figure if
>> that's related to a change between 2.4.15->16 or 2.4.16->17.
>>
>> Regards,
>> Willy
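
The before/after "show info" comparison suggested in the thread can be scripted. The following is an added example, not code from the thread or from the HAProxy project: the two snapshots are constructed sample data, and the helper names and the 0.1 regression threshold are assumptions.

```python
# Compare TLS session-reuse counters from two HAProxy "show info" snapshots.
# Snapshots are normally captured from the stats socket, e.g.
#   echo "show info" | socat stdio /var/run/haproxy.sock   (socket path is an assumption)
# The text below is CONSTRUCTED sample data, not output from the thread.
BEFORE = """\
Version: 2.4.15
SslFrontendKeyRate: 40
SslFrontendSessionReuse_pct: 80
SslCacheLookups: 50000
SslCacheMisses: 5000
"""
AFTER = """\
Version: 2.4.17
SslFrontendKeyRate: 260
SslFrontendSessionReuse_pct: 35
SslCacheLookups: 50000
SslCacheMisses: 30000
"""
FIELDS = ("Version", "SslFrontendKeyRate", "SslFrontendSessionReuse_pct")

def parse_show_info(text):
    """Parse 'Name: value' lines into a dict; purely numeric values become int."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            value = value.strip()
            info[key.strip()] = int(value) if value.isdigit() else value
    return info

def miss_ratio(info):
    """Session-cache misses per lookup; counters are cumulative since start,
    so a ratio is comparable across two processes where raw counts are not."""
    lookups = info.get("SslCacheLookups", 0)
    return info.get("SslCacheMisses", 0) / lookups if lookups else 0.0

def compare(before, after):
    """Return {field: (before, after)} plus the cache miss ratio of each side."""
    b, a = parse_show_info(before), parse_show_info(after)
    report = {f: (b.get(f), a.get(f)) for f in FIELDS}
    report["cache_miss_ratio"] = (round(miss_ratio(b), 3), round(miss_ratio(a), 3))
    return report

def reuse_regressed(before, after, threshold=0.1):
    """True when the miss ratio rose by more than `threshold` (assumed cut-off)."""
    old, new = compare(before, after)["cache_miss_ratio"]
    return new - old > threshold

if __name__ == "__main__":
    for name, pair in compare(BEFORE, AFTER).items():
        print(f"{name:30} {pair[0]!s:>10} -> {pair[1]!s:>10}")
    print("reuse regressed:", reuse_regressed(BEFORE, AFTER))
```

A unitless `timeout http-keep-alive 500` is read by HAProxy as 500 milliseconds, so idle connections are closed quickly and returning clients need a new TLS handshake, which is the activity these counters track.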