Re: Increase SSL Key Generation after upgrade from 2.4.15 to 2.4.17

2022-10-09 Thread Tomasz Ludwiczak
It took us a while to upgrade the environment to a newer version.
I can confirm that the anomaly mentioned earlier was related to the
timeouts set.
A timeout http-keep-alive configuration change was required on 2.4.19, to
avoid negative impact on the growth of the ssl key generated.

- timeout http-keep-alive 500
+ timeout http-keep-alive 40s
 timeout client  40s
 timeout server  40s

This case may have been specific to our configuration, but perhaps someone
on the list will have a similar situation and will find it easier to
resolve.

Thank you for your earlier help.

Regards
Tomek


Mon, 23 May 2022 at 11:27 Tomasz Ludwiczak wrote:

> Thank you for your reply
>
> I think it is related to these changes and the configuration we have for
> timeouts.
>
>
> http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=f5b2c3f1e65f57782afe30981031f122bd8ee24c
>
>
> http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=211fc0b5b060bc7b1f83e6514a8ceaeda7e65ee0
>
> mode http
> option allbackups
> timeout http-request 5s
> timeout http-keep-alive 500
> timeout connect 5000
> timeout client  40s
> timeout server  40s
> maxconn 10
>
> We will try to confirm this and let you know.
>
> --
> regards
> Tomek
>
> Fri, 20 May 2022 at 23:26 Willy Tarreau wrote:
>
>> Hi Tomasz,
>>
>> On Fri, May 20, 2022 at 05:17:19PM +0200, Tomasz Ludwiczak wrote:
>> > Hi,
>> >
>> > I am seeing an increase in SSL Key Generation after upgrading from
>> 2.4.15
>> > to 2.4.17. I have not changed the openssl version. Does anyone have an
>> idea
>> > what this could be related to?
>> > I have looked at the changes from 2.4.16 and 2.4.17 and nothing obvious
>> > pointing to changes around TLS reuse.
>>
>> Interesting, I've reviewed the fixes merged between the two and cannot
>> find anything relevant. Do you have copies of the "show info" output
>> before the upgrade to compare before and after? There are SSL lookups
>> and misses there. These could give some hints about what is happening.
>> Have you tried reverting to 2.4.15 to see if the problem disappears?
>> We could for example imagine that it's concomitant with another change
>> that happened during the same upgrade (e.g. openssl lib upgrade), even
>> if I would find it unlikely as well. Are you certain you didn't change
>> any tuning option in the config between the two versions? For example
>> reducing the size of the SSL session cache could make a difference.
>>
>> It would be useful if you could also test with 2.4.16 to help figure if
>> that's related to a change between 2.4.15->16 or 2.4.16->17.
>>
>> Regards,
>> Willy
>>
>
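The fix in the message above turns on how HAProxy reads a timeout written without a unit: an unsuffixed value is taken in milliseconds, so `timeout http-keep-alive 500` keeps an idle client connection for half a second, after which each returning client needs a fresh TLS handshake. The script below is an added example, not code from the thread or from HAProxy; it parses the before/after config lines quoted in the thread and flags unsuffixed timeouts. The function names are assumptions made for this example.

```python
"""Added example, not code from the thread or from HAProxy: interpret the
timeout values quoted above the way HAProxy does.

HAProxy timeouts take an integer with an optional unit suffix (us, ms, s,
m, h, d); with no suffix the value is milliseconds. The two config
snippets are the before/after lines from the thread; every function name
here is an assumption made for this example.
"""
import re

# Multiplier to milliseconds per unit; "ms" is the default when no suffix is given.
_UNIT_TO_MS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000,
               "h": 3_600_000, "d": 86_400_000}
_TIME_RE = re.compile(r"^(\d+)(us|ms|s|m|h|d)?$")

# Constructed from the config lines quoted in the thread (before the fix).
CONFIG_BEFORE = """\
mode http
option allbackups
timeout http-request 5s
timeout http-keep-alive 500
timeout connect 5000
timeout client  40s
timeout server  40s
maxconn 10
"""

# The same config with the corrected keep-alive line from the thread.
CONFIG_AFTER = CONFIG_BEFORE.replace("timeout http-keep-alive 500",
                                     "timeout http-keep-alive 40s")


def parse_haproxy_time(value: str) -> float:
    """Return the duration in milliseconds; an unsuffixed value is taken as ms."""
    m = _TIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a valid HAProxy time value: {value!r}")
    number, unit = m.groups()
    return int(number) * _UNIT_TO_MS[unit or "ms"]


def timeouts_from_config(text: str) -> dict:
    """Map each `timeout <name> <value>` line to its value in milliseconds."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "timeout":
            result[parts[1]] = parse_haproxy_time(parts[2])
    return result


def unsuffixed_timeouts(text: str) -> list:
    """Names of timeouts written without a unit, the easiest ones to misread."""
    names = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "timeout" and parts[2].isdigit():
            names.append(parts[1])
    return names


def keepalive_review(text: str) -> dict:
    """Summarise how long an idle keep-alive connection survives, next to `timeout client`."""
    t = timeouts_from_config(text)
    ka, client = t["http-keep-alive"], t["client"]
    return {
        "keepalive_ms": ka,
        "client_ms": client,
        "keepalive_seconds": ka / 1000,
        "unsuffixed": unsuffixed_timeouts(text),
    }


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, keepalive_review(cfg))
```

Run against the quoted config, the "before" review reports a keep-alive of 0.5 s and lists `http-keep-alive` and `connect` as unsuffixed; the "after" review reports 40 s. Writing every timeout with an explicit unit removes this class of surprise.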


Re: Increase SSL Key Generation after upgrade from 2.4.15 to 2.4.17

2022-05-23 Thread Tomasz Ludwiczak
Thank you for your reply

I think it is related to these changes and the configuration we have for
timeouts.

http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=f5b2c3f1e65f57782afe30981031f122bd8ee24c

http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=211fc0b5b060bc7b1f83e6514a8ceaeda7e65ee0

mode http
option allbackups
timeout http-request 5s
timeout http-keep-alive 500
timeout connect 5000
timeout client  40s
timeout server  40s
maxconn 10

We will try to confirm this and let you know.

-- 
regards
Tomek

Fri, 20 May 2022 at 23:26 Willy Tarreau wrote:

> Hi Tomasz,
>
> On Fri, May 20, 2022 at 05:17:19PM +0200, Tomasz Ludwiczak wrote:
> > Hi,
> >
> > I am seeing an increase in SSL Key Generation after upgrading from 2.4.15
> > to 2.4.17. I have not changed the openssl version. Does anyone have an
> idea
> > what this could be related to?
> > I have looked at the changes from 2.4.16 and 2.4.17 and nothing obvious
> > pointing to changes around TLS reuse.
>
> Interesting, I've reviewed the fixes merged between the two and cannot
> find anything relevant. Do you have copies of the "show info" output
> before the upgrade to compare before and after? There are SSL lookups
> and misses there. These could give some hints about what is happening.
> Have you tried reverting to 2.4.15 to see if the problem disappears?
> We could for example imagine that it's concomitant with another change
> that happened during the same upgrade (e.g. openssl lib upgrade), even
> if I would find it unlikely as well. Are you certain you didn't change
> any tuning option in the config between the two versions? For example
> reducing the size of the SSL session cache could make a difference.
>
> It would be useful if you could also test with 2.4.16 to help figure if
> that's related to a change between 2.4.15->16 or 2.4.16->17.
>
> Regards,
> Willy
>

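Willy's suggestion in the quoted reply is to compare the SSL lookup and miss counters from `show info` before and after the upgrade. The script below is an added example, not code from the thread or from HAProxy: it parses two `show info` snapshots and reports how the session-cache miss ratio and frontend key rate moved. The counter names are real `show info` fields; the two snapshots are constructed sample output, not measurements from the thread, and the function names are assumptions made for this example.

```python
"""Added example, not from the thread or from HAProxy: compare two
`show info` snapshots from the HAProxy stats socket to see whether TLS
session reuse collapsed after an upgrade.

SslCacheLookups, SslCacheMisses, SslFrontendKeyRate and
SslFrontendSessionReuse_pct are real `show info` fields; the snapshots
below are constructed sample output and the function names are assumed.
"""

# Constructed sample: a snapshot taken before the upgrade ...
SHOW_INFO_BEFORE = """\
Name: HAProxy
Version: 2.4.15
SslRate: 120
SslFrontendKeyRate: 24
SslFrontendSessionReuse_pct: 80
SslCacheLookups: 100000
SslCacheMisses: 20000
"""

# ... and one taken afterwards, with idle connections now dropped early.
SHOW_INFO_AFTER = """\
Name: HAProxy
Version: 2.4.17-9f97155
SslRate: 120
SslFrontendKeyRate: 96
SslFrontendSessionReuse_pct: 20
SslCacheLookups: 100000
SslCacheMisses: 80000
"""


def parse_show_info(text: str) -> dict:
    """Turn `Key: value` lines into a dict; purely numeric values become ints."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        info[key.strip()] = int(value) if value.lstrip("-").isdigit() else value
    return info


def ssl_miss_pct(info: dict) -> float:
    """Share of session-cache lookups that missed (a miss means a full handshake)."""
    lookups = info.get("SslCacheLookups", 0)
    if not lookups:
        return 0.0
    return 100.0 * info.get("SslCacheMisses", 0) / lookups


def compare_snapshots(before: str, after: str) -> dict:
    """Report the change in miss ratio and frontend key rate between two snapshots."""
    b, a = parse_show_info(before), parse_show_info(after)
    miss_b, miss_a = ssl_miss_pct(b), ssl_miss_pct(a)
    return {
        "version_before": b.get("Version"),
        "version_after": a.get("Version"),
        "miss_pct_before": miss_b,
        "miss_pct_after": miss_a,
        "key_rate_before": b.get("SslFrontendKeyRate"),
        "key_rate_after": a.get("SslFrontendKeyRate"),
        # Five-point tolerance is an arbitrary choice for this example.
        "reuse_regressed": miss_a > miss_b + 5.0,
    }


if __name__ == "__main__":
    print(compare_snapshots(SHOW_INFO_BEFORE, SHOW_INFO_AFTER))
```

Real snapshots come from the stats socket, for example `echo "show info" | socat stdio /var/run/haproxy.sock` (socket path assumed). A jump in the miss ratio together with a higher SslFrontendKeyRate at an unchanged SslRate points at clients no longer resuming sessions, which is what a too-short keep-alive produces.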

Increase SSL Key Generation after upgrade from 2.4.15 to 2.4.17

2022-05-20 Thread Tomasz Ludwiczak
Hi,

I am seeing an increase in SSL Key Generation after upgrading from 2.4.15
to 2.4.17. I have not changed the openssl version. Does anyone have an idea
what this could be related to?
I have looked at the changes from 2.4.16 and 2.4.17 and nothing obvious
pointing to changes around TLS reuse.

[image: image.png]

haproxy -vvv
HAProxy version 2.4.17-9f97155 2022/05/13 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2
2026.
Known bugs: http://www.haproxy.org/bugs/bugs-2.4.17.html
Running on: Linux 4.15.0-173-generic #182-Ubuntu SMP Fri Mar 18 15:53:46
UTC 2022 x86_64
Build options :
  TARGET  = linux-glibc
  CPU = generic
  CC  = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv
-Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered
-Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value
-Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -DMAX_SESS_STKCTR=12
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_GETADDRINFO=1 USE_OPENSSL=1
USE_LUA=1 USE_ZLIB=1 USE_DL=1
  DEBUG   =

Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT
+POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE
-STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H
+GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -CLOSEFROM +ZLIB -SLZ
+CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD
-OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC -PROMEX
-MEMORY_PROFILING

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.1.1n  15 Mar 2022
Running on OpenSSL version : OpenSSL 1.1.1n  15 Mar 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Built with PCRE2 version : 10.39 2021-10-29
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 7.5.0

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
          h2 : mode=HTTP       side=FE|BE     mux=H2       flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
        fcgi : mode=HTTP       side=BE        mux=FCGI     flags=HTX|HOL_RISK|NO_UPG
   <default> : mode=HTTP       side=FE|BE     mux=H1       flags=HTX
          h1 : mode=HTTP       side=FE|BE     mux=H1       flags=HTX|NO_UPG
   <default> : mode=TCP        side=FE|BE     mux=PASS     flags=
        none : mode=TCP        side=FE|BE     mux=PASS     flags=NO_UPG

Available services : none

Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[COMP] compression
[TRACE] trace


-- 
regards
Tomek Ludwiczak