\o/ ... for HAProxy. Recent patches to make TLS faster:
- MINOR: ssl: add DEFAULT_SSL_MAX_RECORD to set the record size at build time
- MINOR: config: make the stream interface idle timer user-configurable
- MEDIUM: stream-int: automatically disable CF_STREAMER flags after idle
- MINOR: channel: add the date of last read in the channel
- OPTIM: ssl: implement dynamic record size adjustment
- MINOR: ssl: handshake optim for long certificate chains.
Last patch is for 4KB+ certs. Remaining patches implement dynamic record sizing.
- Default size is still 16K, but HAProxy can be built with DEFAULT_SSL_MAX_RECORD to reset that at build time.
- Record size can be changed via a config flag: tune.ssl.maxrecord
- Idle timeout controls how long the connection must be idle before record size is reset - defaults to 1000ms, can be controlled via tune.idletimer.
TL;DR: Check out the latest code, build it, and set your tune.ssl.maxrecord and tune.idletimer config flags.
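A minimal HAProxy 1.5 configuration that applies the two flags from the summary above, added here as a worked illustration; it is not taken from the post or from the HAProxy sources. The record size (1400 is a placeholder for an MTU-sized record, not a value recommended by the post), the idle timer, the certificate path, the bind address and the backend server are all assumed values.

```haproxy
# Added example (not from the original post or the HAProxy project).
# Assumed values: 1400-byte records, 1000ms idle timer, certificate path,
# listen address and backend address are placeholders.
global
    # Without this line, every TLS record is the default 16K, so the first
    # byte of a response is not delivered until the whole record arrives.
    # With it, connections start with small records; the patches above
    # grow them for streaming transfers (CF_STREAMER) and reset them again
    # after the idle timer expires.
    tune.ssl.maxrecord 1400
    # Idle time (ms) after which the streamer flags are cleared and the
    # record size goes back to tune.ssl.maxrecord. 1000 is the default.
    tune.idletimer 1000

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https-in
    # Placeholder cert path; the bundle must contain key and chain.
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    default_backend web

backend web
    # Placeholder backend address.
    server app1 10.0.0.10:80 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. If the binary was built with the DEFAULT_SSL_MAX_RECORD define (for example via the Makefile's DEFINE variable, an assumption about the build setup), the tune.ssl.maxrecord line only overrides that build-time default and can be dropped.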
@beezly see http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-npn - should work. May be worth opening a bug on the HAProxy list to confirm that something hasn't gone awry in the routing.