We’re having issues upgrading from Ubuntu 20.04 to Ubuntu 22.04.
After testing different haproxy versions (the one shipped by Ubuntu, 2.4, and 2.7.3) and different OpenSSL versions (the one shipped by Ubuntu, 3.0.2, and 3.0.7), we always see blocking issues in the TLS handshake under high load.
Same configuration, Ubuntu 20.04 with OpenSSL 1.1.1, no problem at all.
Unfortunately there is no solution, other than to downgrade. OpenSSL 3.0 is extremely problematic for multi-threading loads; this has nothing to do with haproxy but with changes within OpenSSL 3.0 itself, please see:
If we were to test today’s release of OpenSSL, which introduces locking/performance ([0]) improvements… do we need to compile haproxy against the new OpenSSL? Or is it enough if we substitute the operating system’s openssl and libssl? (haproxy -vv shows it’s compiled against OpenSSL 3.0.2)