Seamless reloads: SSL handshake failures


#1

Apache benchmark shows a lot of SSL failures during reloads. Failures appear after a reload is finished.

Possibly it is not a problem, because the conditions are very specific and the qdisc method also shows the same.

SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL read failed (1) - closing connection
139687255426944:error:140E0197:SSL routines:SSL_shutdown:shutdown while in init:…/ssl/ssl_lib.c:1735:

Conditions:

  • Debian 8 x64, 4.9, systemd + HA-Proxy version 1.8.3-a91f55-27 (USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1 USE_NS=1)
  • 30 test-threads + extremely low-end CPU + RSA-4096 to make it slow (about 25 requests/sec, request time 1-1.5 sec)
  • Very large cfg-file with a lot of backends and big lua-includes

#2

Try without threads please and if that doesn’t help try compiling without thread support (make […] USE_THREADS=).


#3
  • I haven’t used threads or multi-processes

  • #a91f55 can’t be compiled without threads, so I’ve switched to #f17eea8 and it’s the same


#4

In addition

  • Average reload time 2-3s
  • I’ve also tested in faster conditions (0.1-0.5s/request). It happens less often, like 1-2 times per 10 reloads one-by-one (each “time” is 1-10 failed handshakes and/or 1 failed read)