Re: Increase SSL Key Generation after upgrade from 2.4.15 to 2.4.17
It took us a while to upgrade the environment to a newer version. I can confirm that the anomaly mentioned earlier was related to the timeouts set. A *timeout http-keep-alive* configuration change was required on 2.4.19 to avoid a negative impact on the growth of the SSL keys generated.

- *timeout http-keep-alive 500*
+ timeout http-keep-alive 40s
timeout client 40s
timeout server 40s

This case may have been specific to our configuration, but perhaps someone on the list will have a similar situation and will find it easier to resolve.

Thank you for your earlier help.

Regards
Tomek

Mon, 23 May 2022 at 11:27 Tomasz Ludwiczak wrote:
> Thank you for your reply
>
> I think it is related to these changes and the configuration we have for
> timeouts.
>
> http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=f5b2c3f1e65f57782afe30981031f122bd8ee24c
> http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=211fc0b5b060bc7b1f83e6514a8ceaeda7e65ee0
>
> mode http
> option allbackups
> timeout http-request 5s
> *timeout http-keep-alive 500*
> timeout connect 5000
> timeout client 40s
> timeout server 40s
> maxconn 10
>
> We will try to confirm this and let you know.
>
> --
> regards
> Tomek
>
> Fri, 20 May 2022 at 23:26 Willy Tarreau wrote:
>
>> Hi Tomasz,
>>
>> On Fri, May 20, 2022 at 05:17:19PM +0200, Tomasz Ludwiczak wrote:
>> > Hi,
>> >
>> > I am seeing an increase in SSL Key Generation after upgrading from 2.4.15
>> > to 2.4.17. I have not changed the openssl version. Does anyone have an idea
>> > what this could be related to?
>> > I have looked at the changes from 2.4.16 and 2.4.17 and nothing obvious
>> > pointing to changes around TLS reuse.
>>
>> Interesting, I've reviewed the fixes merged between the two and cannot
>> find anything relevant. Do you have copies of the "show info" output
>> before the upgrade to compare before and after? There are SSL lookups
>> and misses there. These could give some hints about what is happening.
>> Have you tried reverting to 2.4.15 to see if the problem disappears?
>> We could for example imagine that it's concomitant with another change
>> that happened during the same upgrade (e.g. openssl lib upgrade), even
>> if I would find it unlikely as well. Are you certain you didn't change
>> any tuning option in the config between the two versions? For example
>> reducing the size of the SSL session cache could make a difference.
>>
>> It would be useful if you could also test with 2.4.16 to help figure if
>> that's related to a change between 2.4.15->16 or 2.4.16->17.
>>
>> Regards,
>> Willy
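An added example (not from the thread or the HAProxy project) of the before/after comparison Willy suggests: it parses two "show info" captures, here constructed sample dumps using HAProxy's own field names, pairs up the SSL key-rate and cache counters, flags the pattern reported in the thread, and converts timeout arguments to milliseconds so that a bare `500` is seen for the 500 ms it is.

```python
import re
# Constructed sample "show info" dumps (not captures from the thread); keys are HAProxy's own.
BEFORE = """\
SslRate: 120
SslFrontendKeyRate: 10
SslFrontendSessionReuse_pct: 92
SslCacheLookups: 100000
SslCacheMisses: 8000
"""
AFTER = """\
SslRate: 120
SslFrontendKeyRate: 95
SslFrontendSessionReuse_pct: 21
SslCacheLookups: 100000
SslCacheMisses: 79000
"""
SSL_FIELDS = ("SslRate", "SslFrontendKeyRate", "SslFrontendSessionReuse_pct",
              "SslCacheLookups", "SslCacheMisses")

def parse_show_info(text):
    """Turn 'Key: value' lines into a dict, converting integer values."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            key, val = m.groups()
            info[key] = int(val) if val.isdigit() else val
    return info

def miss_ratio(info):
    lookups = info.get("SslCacheLookups", 0)
    return info.get("SslCacheMisses", 0) / lookups if lookups else 0.0

def compare(before_text, after_text):
    """Pair the SSL counters; flag same handshake rate, many more fresh keys, less reuse."""
    b, a = parse_show_info(before_text), parse_show_info(after_text)
    report = {f: (b.get(f), a.get(f)) for f in SSL_FIELDS}
    report["cache_miss_ratio"] = (round(miss_ratio(b), 3), round(miss_ratio(a), 3))
    report["reuse_regressed"] = (
        a.get("SslFrontendKeyRate", 0) > 2 * max(b.get("SslFrontendKeyRate", 0), 1)
        and a.get("SslFrontendSessionReuse_pct", 100) < b.get("SslFrontendSessionReuse_pct", 0))
    return report

def timeout_to_ms(value):
    """Convert an HAProxy timeout argument to ms: a bare number is already ms."""
    m = re.fullmatch(r"(\d+)(us|ms|s|m|h|d)?", value.strip())
    if not m:
        raise ValueError(f"bad timeout: {value!r}")
    unit = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
    return int(m.group(1)) * unit[m.group(2) or "ms"]
```

Feed it real dumps taken with `echo "show info" | socat stdio /var/run/haproxy.sock` before and after an upgrade; the field tuples show the drift directly.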
Re: Increase SSL Key Generation after upgrade from 2.4.15 to 2.4.17
Thank you for your reply

I think it is related to these changes and the configuration we have for timeouts.

http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=f5b2c3f1e65f57782afe30981031f122bd8ee24c
http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=211fc0b5b060bc7b1f83e6514a8ceaeda7e65ee0

mode http
option allbackups
timeout http-request 5s
*timeout http-keep-alive 500*
timeout connect 5000
timeout client 40s
timeout server 40s
maxconn 10

We will try to confirm this and let you know.

--
regards
Tomek

Fri, 20 May 2022 at 23:26 Willy Tarreau wrote:
> Hi Tomasz,
>
> On Fri, May 20, 2022 at 05:17:19PM +0200, Tomasz Ludwiczak wrote:
> > Hi,
> >
> > I am seeing an increase in SSL Key Generation after upgrading from 2.4.15
> > to 2.4.17. I have not changed the openssl version. Does anyone have an idea
> > what this could be related to?
> > I have looked at the changes from 2.4.16 and 2.4.17 and nothing obvious
> > pointing to changes around TLS reuse.
>
> Interesting, I've reviewed the fixes merged between the two and cannot
> find anything relevant. Do you have copies of the "show info" output
> before the upgrade to compare before and after? There are SSL lookups
> and misses there. These could give some hints about what is happening.
> Have you tried reverting to 2.4.15 to see if the problem disappears?
> We could for example imagine that it's concomitant with another change
> that happened during the same upgrade (e.g. openssl lib upgrade), even
> if I would find it unlikely as well. Are you certain you didn't change
> any tuning option in the config between the two versions? For example
> reducing the size of the SSL session cache could make a difference.
>
> It would be useful if you could also test with 2.4.16 to help figure if
> that's related to a change between 2.4.15->16 or 2.4.16->17.
>
> Regards,
> Willy
Increase SSL Key Generation after upgrade from 2.4.15 to 2.4.17
Hi,

I am seeing an increase in SSL Key Generation after upgrading from 2.4.15 to 2.4.17. I have not changed the openssl version. Does anyone have an idea what this could be related to?
I have looked at the changes from 2.4.16 and 2.4.17 and nothing obvious pointing to changes around TLS reuse.

[image: image.png]

haproxy -vvv
HAProxy version 2.4.17-9f97155 2022/05/13 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2026.
Known bugs: http://www.haproxy.org/bugs/bugs-2.4.17.html
Running on: Linux 4.15.0-173-generic #182-Ubuntu SMP Fri Mar 18 15:53:46 UTC 2022 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -DMAX_SESS_STKCTR=12
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_DL=1
  DEBUG   =

Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC -PROMEX -MEMORY_PROFILING

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.1.1n  15 Mar 2022
Running on OpenSSL version : OpenSSL 1.1.1n  15 Mar 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.39 2021-10-29
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 7.5.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
         h2 : mode=HTTP       side=FE|BE     mux=H2       flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
       fcgi : mode=HTTP       side=BE        mux=FCGI     flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP       side=FE|BE     mux=H1       flags=HTX
         h1 : mode=HTTP       side=FE|BE     mux=H1       flags=HTX|NO_UPG
  <default> : mode=TCP        side=FE|BE     mux=PASS     flags=
       none : mode=TCP        side=FE|BE     mux=PASS     flags=NO_UPG

Available services : none

Available filters :
        [SPOE] spoe
        [CACHE] cache
        [FCGI] fcgi-app
        [COMP] compression
        [TRACE] trace

--
regards
Tomek Ludwiczak