\o/ ... for HAProxy. Recent patches to make TLS faster:
- MINOR: ssl: add DEFAULT_SSL_MAX_RECORD to set the record size at build time
- MINOR: config: make the stream interface idle timer user-configurable
- MEDIUM: stream-int: automatically disable CF_STREAMER flags after idle
- MINOR: channel: add the date of last read in the channel
- OPTIM: ssl: implement dynamic record size adjustment
- MINOR: ssl: handshake optim for long certificate chains.
Last patch is for 4KB+ certs. Remaining patches implement dynamic record sizing.
- Default size is still 16K, but HAProxy can be built with DEFAULT_SSL_MAX_RECORD to reset that at build time.
- Record size can be changed via a config flag: tune.ssl.maxrecord
- Idle timeout controls how long the connection must be idle before record size is reset - defaults to 1000ms, can be controlled via tune.idletimer.
TL;DR: Check out the latest code, build it, and set your tune.ssl.maxrecord and tune.idletimer config flags.
@vitaoloureiro by changing your config to spdy/2 you might not have been using spdy at all if you were using Chrome. Chrome (version 38.0.2125.111) seems to pass the ALPN and NPN string of `http/1.1,spdy/3,spdy/3.1`. If HA-Proxy advertised `spdy/2` then the connection probably negotiated `http/1.1`.
This chrome plugin has helped me when working on this. It is also worth noting that my version of chrome will negotiate spdy over alpn.
@igrigorik @beezly
npn and alpn work by selecting the first matching protocol in common.
If Chrome sends `http/1.1,spdy/3,spdy/3.1` and HAProxy sends `http/1.1,spdy/3.1`, the winner will be `http/1.1`. Another solution is to have HAProxy send `spdy/3.1,http/1.1`.
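To make the ordering rule in the last two comments concrete, here is an added example (not code from the thread or from HAProxy) that models the selection as "first protocol in the server's advertised list that the client also offered", using Chrome 38's list quoted above as a constructed sample input:

```python
# Added example: models server-preference ALPN/NPN selection as described in
# the thread. The protocol lists are constructed samples taken from the comments.
from typing import Dict, List, Optional


def parse_protocols(spec: str) -> List[str]:
    """Split a comma-separated list such as 'http/1.1,spdy/3.1' into names."""
    return [p.strip() for p in spec.split(",") if p.strip()]


def select_protocol(client_offer: str, server_list: str) -> Optional[str]:
    """Return the first protocol in the server's list that the client also
    offered. None means no overlap: the TLS stack then completes the
    handshake without an application protocol and the connection silently
    ends up as plain HTTP/1.1, which is the spdy/2 situation above."""
    offered = set(parse_protocols(client_offer))
    for proto in parse_protocols(server_list):
        if proto in offered:
            return proto
    return None


# Constructed sample: the ALPN/NPN string Chrome 38 sends, per the thread.
CHROME_38 = "http/1.1,spdy/3,spdy/3.1"


def negotiation_table(client_offer: str = CHROME_38) -> Dict[str, Optional[str]]:
    """Outcome for the three HAProxy orderings discussed in the comments."""
    server_orderings = ["http/1.1,spdy/3.1", "spdy/3.1,http/1.1", "spdy/2"]
    return {s: select_protocol(client_offer, s) for s in server_orderings}


if __name__ == "__main__":
    for server, chosen in negotiation_table().items():
        print(f"server advertises {server!r:24} -> negotiated {chosen}")
```

Checking the negotiated protocol on a real connection (rather than trusting the config) is the quick way to confirm SPDY is actually in use, since a wrong order fails silently to `http/1.1`.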