Re: Zero RTT in backend server side

2019-06-24 Thread Igor Pav
Thanks Olivier, it worked now. If I'm not seriously mistaken, can
haproxy multiplex connections from FE into a single connection
to BE by using H2+TLS, then keep the connection to BE alive as long as
possible, so we could omit handshakes?

On Mon, Jun 24, 2019 at 5:56 PM Olivier Houchard  wrote:
>
> Hi Igor,
>
> On Sun, Jun 23, 2019 at 08:42:46PM +0800, Igor Pav wrote:
> > Hi Olivier,
> >
> > The `retry-on 0rtt-rejected` will only work in tcp mode, is that
> > possible to let it work in http mode too?
> >
>
> It should work with HTTP too. What may happen is you're using "alpn" on
> the server line, and thus we have to wait until the handshake is done to
> know if we're using H1 or H2, so we can't send early data, because we won't
> know its format.
> If you only want to use H2, you can add "proto h2" on your server line, and
> it should work.
>
> Regards,
>
> Olivier
>



Re: Zero RTT in backend server side

2019-06-24 Thread Olivier Houchard
Hi Igor,

On Sun, Jun 23, 2019 at 08:42:46PM +0800, Igor Pav wrote:
> Hi Olivier,
> 
> The `retry-on 0rtt-rejected` will only work in tcp mode, is that
> possible to let it work in http mode too?
> 

It should work with HTTP too. What may happen is you're using "alpn" on
the server line, and thus we have to wait until the handshake is done to
know if we're using H1 or H2, so we can't send early data, because we won't
know its format.
If you only want to use H2, you can add "proto h2" on your server line, and
it should work.

Regards,

Olivier
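For readers combining the pieces discussed in this thread, the fragment below is an added configuration example, not something posted in the thread or shipped by the haproxy project. It puts "allow-0rtt" on both the bind and the server line, uses "proto h2" instead of "alpn" on the server line so the backend protocol is known before the handshake finishes, and adds "retry-on 0rtt-rejected", which needs HAProxy 2.0. The addresses, certificate paths and backend names are placeholders, and the "http-request wait-for-handshake" rule is a defensive addition for requests that must not be replayed.

```haproxy
# Added example (not from the thread): 0-RTT on both sides of haproxy.
# Hostnames, certificate paths and section names are placeholders.

frontend fe_https
    # Accept TLS 1.3 early data from clients (needs OpenSSL 1.1.1 or later).
    bind :443 ssl crt /etc/haproxy/certs/example.pem allow-0rtt
    # Early data can be replayed by an on-path attacker, so do not act on
    # anything other than GET/HEAD until the handshake has completed.
    # METH_GET is a predefined ACL matching GET and HEAD.
    http-request wait-for-handshake unless METH_GET
    default_backend be_h2

backend be_h2
    # "proto h2" fixes the backend protocol up front; with "alpn h2,http/1.1"
    # haproxy would have to wait for the handshake to learn the protocol and
    # could not send early data at all.
    # "allow-0rtt" lets haproxy send the request as early data when resuming
    # a session with the backend.
    server backend1 backend1.internal:443 ssl verify required ca-file /etc/haproxy/ca.pem proto h2 allow-0rtt
    # Requires HAProxy 2.0: if the backend refuses the early data (the 425
    # Too Early status mentioned in the thread), resend the request on a
    # connection whose handshake has completed. "retries" must be non-zero.
    retries 3
    retry-on 0rtt-rejected
```

The frontend rule is what keeps accepting early data safe: a request carried as early data can be replayed before the handshake has proven freshness, so only idempotent requests should be processed from it, and haproxy's "wait-for-handshake" holds the others until the handshake is done.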



Re: Zero RTT in backend server side

2019-06-23 Thread Igor Pav
Hi Olivier,

The `retry-on 0rtt-rejected` will only work in tcp mode, is that
possible to let it work in http mode too?

On Mon, May 6, 2019 at 4:37 AM Olivier Houchard  wrote:
>
> Hi Igor,
>
> On Mon, May 06, 2019 at 12:26:33AM +0800, Igor Pav wrote:
> > Hi, Olivier, thanks for the effort. So can we force the server always
> > to carry data to remote via 0RTT like the scenario below (to protect
> > http2http in an unsecured env)?
> >
> > listen http -- server default x.x ssl allow-0rtt (SSL) bind
> > x.x ssl allow-0rtt -- http backend
> >
>
> As it is currently, no. Haproxy will never attempt to use 0RTT on server
> connections if the client didn't use 0RTT.
> 2.0, however, which should be released in a not too distant future, will let
> you do that, with the new "retry-on" feature.
>
> Regards,
>
> Olivier
>
>



Re: Zero RTT in backend server side

2019-05-15 Thread William Dauchy
On Wed, May 15, 2019 at 2:10 PM Olivier Houchard  wrote:
> We usually only add options in ssl-default-bind-options that can later be
> overridden on a per-bind basis, but right now, there's no option to disable
> 0RTT.

Thanks for the explanation!

-- 
William



Re: Zero RTT in backend server side

2019-05-15 Thread Olivier Houchard
Hi William,

On Wed, May 15, 2019 at 01:10:37PM +0200, William Dauchy wrote:
> Hello Olivier,
> 
> In another subject related to 0rtt, I was wondering why it was not
> available in ssl-default-bind-options?
> 

We usually only add options in ssl-default-bind-options that can later be
overridden on a per-bind basis, but right now, there's no option to disable
0RTT.

Regards,

Olivier



Re: Zero RTT in backend server side

2019-05-15 Thread William Dauchy
Hello Olivier,

In another subject related to 0rtt, I was wondering why it was not
available in ssl-default-bind-options?

Thanks,
-- 
William



Re: Zero RTT in backend server side

2019-05-05 Thread Olivier Houchard
Hi Igor,

On Mon, May 06, 2019 at 12:26:33AM +0800, Igor Pav wrote:
> Hi, Olivier, thanks for the effort. So can we force the server always
> to carry data to remote via 0RTT like the scenario below (to protect
> http2http in an unsecured env)?
> 
> listen http -- server default x.x ssl allow-0rtt (SSL) bind
> x.x ssl allow-0rtt -- http backend
> 

As it is currently, no. Haproxy will never attempt to use 0RTT on server
connections if the client didn't use 0RTT.
2.0, however, which should be released in a not too distant future, will let
you do that, with the new "retry-on" feature.

Regards,

Olivier




Re: Zero RTT in backend server side

2019-05-05 Thread Igor Pav
Hi, Olivier, thanks for the effort. So can we force the server always
to carry data to remote via 0RTT like the scenario below (to protect
http2http in an unsecured env)?

listen http -- server default x.x ssl allow-0rtt (SSL) bind
x.x ssl allow-0rtt -- http backend

On Sat, May 4, 2019 at 3:06 AM Olivier Houchard  wrote:
>
> Hi Igor,
>
> On Fri, May 03, 2019 at 05:21:50PM +0800, Igor Pav wrote:
> > Just tested with openssl 1.1.1b and haproxy 1.9.7, it appears there was no
> > success, you are right :)
> >
>
> Indeed :)
> I just pushed commit 010941f87605e8219d25becdbc652350a687d6a2 to master, that
> let me do 0RTT both as server and as client. This should be backported to
> 1.8 and 1.9 soon.
> Please note, however, that we will only attempt to connect to a server
> using 0RTT if the client did so, as we have to be sure the client supports it,
> in case it receives a 425.
> This may change in 2.0, if we add the ability to retry failed requests.
>
> Regards,
>
> Olivier



Re: Zero RTT in backend server side

2019-05-03 Thread Илья Шипицин
libressl is known to present a "bigger than openssl-1.1.1" version (while
lacking many features).
Let us wait for the libressl+travis-ci patch approval.

Sat, 4 May 2019 at 00:09, Olivier Houchard :

> Hi Igor,
>
> On Fri, May 03, 2019 at 05:21:50PM +0800, Igor Pav wrote:
> > Just tested with openssl 1.1.1b and haproxy 1.9.7, it appears there was no
> > success, you are right :)
> >
>
> Indeed :)
> I just pushed commit 010941f87605e8219d25becdbc652350a687d6a2 to master,
> that
> let me do 0RTT both as server and as client. This should be backported to
> 1.8 and 1.9 soon.
> Please note, however, that we will only attempt to connect to a server
> using 0RTT if the client did so, as we have to be sure the client supports
> it,
> in case it receives a 425.
> This may change in 2.0, if we add the ability to retry failed requests.
>
> Regards,
>
> Olivier
>
>


Re: Zero RTT in backend server side

2019-05-03 Thread Igor Pav
Just tested with openssl 1.1.1b and haproxy 1.9.7, it appears there was no
success, you are right :)

On Thu, May 2, 2019 at 8:45 PM Olivier Houchard  wrote:
>
> Hi Igor,
>
> On Thu, May 02, 2019 at 08:39:58PM +0800, Igor Pav wrote:
> > Hello, can we use TLS zero RTT in server-side now? Just want to reduce
> > more latency when using SSL to talk to the backend servers (also running
> > haproxy).
> >
> > Thanks in advance. Regards
> >
>
> It should work if you add "allow-0rtt" on your server line. However it hasn't
> been tested for some time, and was written with a development version of
> OpenSSL 1.1.1, so I wouldn't be entirely surprised if it didn't work anymore.
>
> Regards,
>
> Olivier



Re: Zero RTT in backend server side

2019-05-02 Thread Olivier Houchard
Hi Igor,

On Thu, May 02, 2019 at 08:39:58PM +0800, Igor Pav wrote:
> Hello, can we use TLS zero RTT in server-side now? Just want to reduce
> more latency when using SSL to talk to the backend servers (also running
> haproxy).
> 
> Thanks in advance. Regards
> 

It should work if you add "allow-0rtt" on your server line. However it hasn't
been tested for some time, and was written with a development version of
OpenSSL 1.1.1, so I wouldn't be entirely surprised if it didn't work anymore.

Regards,

Olivier



Zero RTT in backend server side

2019-05-02 Thread Igor Pav
Hello, can we use TLS zero RTT in server-side now? Just want to reduce
more latency when using SSL to talk to the backend servers (also running
haproxy).

Thanks in advance. Regards