HAProxy community

Ssl options and tls1.3

Hello,

I’m currently doing a load test on haproxy and I try to understand the impact of different TLS configurations. One thing that is not clear for me is session resumption options for TLS 1.3. It seems that there is no specific option for it. For previous versions, there is the “no-tls-tickets” option, which also implies that the session id mechanism is activated, with its associated storage. Do these options play a role in TLS 1.3 despite the different implementation ? Is there data stored on the haproxy side ?

Regards,
Arnaud

No, TLSv1.2 resumption uses 2 different methods. Session ID caching (ID’s saved serer side), and TLS tickets (session ID’s encrypted and saved client side), no-tls-tickets refers to the latter.

You are right, there is not.

TLSv1.3 session tickets use OpenSSL defaults and are not configurable (openssl defaults are to send 2 tickets on the full handshake and one ticket after resumption).

Tickets (TLSv1.2 and TLSv1.3) are not saved server side.

I’d say there is not point in touching those low level TLSv1.3 parameters.

Ha, yes what I meant was that even if you set no-tls-tickets you are still using session ID caching unless you also disable it (the “implies” was wrong).
Thank you very much for your explanation on TLS 1.3. I think this would be a nice complement in the doc.

Regards,
Arnaud