Reference

show tls-keys

Display the secret keys used to encrypt TLS session tickets.

The load balancer supports this command and TLS session tickets only up to TLS 1.2. TLS 1.3 uses a different mechanism called Pre-Shared Keys (PSK). During the TLS handshake, the client and load balancer agree on which version of TLS to use based on their mutual support.

Description

TLS session tickets are enabled by default in the load balancer. However, the underlying OpenSSL library uses its own auto-generated key to encrypt the tickets unless you set the tls-ticket-keys parameter on the bind line in the frontend or listen section of your configuration. This parameter points to the file containing a list of your own secret keys to use upon startup.

Use show tls-keys to show the contents of your key file. You can also use the set ssl tls-key command to rotate in a new secret key without requiring a reload.

Examples

In this example, we generate secret keys for a website named test.local.

  1. Create a directory to hold your secret keys:

    sudo mkdir /etc/ssl/tls-ticket-keys
  2. Generate three secret keys and store them in the file /etc/ssl/tls-ticket-keys/test.local.key by calling the following command three times:

    echo "`openssl rand 80 | openssl base64 -A`" | \
    sudo tee -a /etc/ssl/tls-ticket-keys/test.local.key > /dev/null
  3. Add the tls-ticket-keys parameter to the bind line in the frontend or listen section of your configuration.

    This points to the file containing a list of secret keys to use upon startup.

    frontend fe_main
      bind :80
      bind :443 ssl crt /etc/hapee-2.8/certs/site.pem tls-ticket-keys /etc/ssl/tls-ticket-keys/test.local.key
      http-request redirect scheme https unless { ssl_fc }
      default_backend webservers
  4. Call show tls-keys with no parameters to list all key files:

    echo "show tls-keys" | \
    sudo socat stdio tcp4-connect:127.0.0.1:9999

    Output:

    # id (file)
    0 (/etc/ssl/tls-ticket-keys/test.local.key)
  5. To view the keys in a file, call show tls-keys with the path to the file (or its numeric ID):

    echo "show tls-keys /etc/ssl/tls-ticket-keys/test.local.key" | \
    sudo socat stdio tcp4-connect:127.0.0.1:9999

    Output:

    # id secret
    # 0 (/etc/ssl/tls-ticket-keys/test.local.key)
    0.0 foNecGaN+zlgI3TlsT/pLJ9d7ZRoSZ2nmXZq29BSRWIErYTwK1RfZs3XfImaruR8ovJ1lAmZxiE2+tHSwypa7Cqq01hczTn2EN1C3anecys=
    0.1 7VsH1P4H/N8MOLewQMOMOPjDa8ZCddHzLYe7JH/ydhg8JIO8yf1rg7JqAUbN2WoTzFlY0MhQKQSibARLQk1Ff0Ki12dma1/L7/W5xtgQANQ=
    0.2 BiSBxvngSPguqzteXXxCk8WrnimwCSuOapx4koBv01Bei8N00HuJIBce8w324xsYhiUpxcF4RbR6nGoMXOf1LkboQykFPnohTYOgfy4SPFE=
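
Because the key file holds the secrets that protect every session ticket, it is worth auditing before the load balancer reads it. The following is an added example, not part of the original page or of HAProxy's tooling: a hypothetical `check_ticket_keys` function that confirms the file has the three 80-byte keys generated in step 2 and is not readable by group or other, without ever printing a key. It assumes coreutils `base64`, `wc`, `ls`, `cut`, `head` and `mktemp`, and the sample file is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the page): audit a tls-ticket-keys file without
# printing its secrets. Assumes coreutils base64, wc, ls, cut, head, mktemp.

# check_ticket_keys FILE: return 0 when FILE holds at least three keys that
# each decode to 80 bytes and FILE has no group or other permission bits.
check_ticket_keys() {
    file=$1; rc=0; count=0; lineno=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$file: group/other permissions set ($perms)" >&2; rc=1
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -n "$line" ] || continue
        # Reject lines that are not clean base64 before measuring them.
        if ! printf '%s' "$line" | base64 -d >/dev/null 2>&1; then
            echo "$file:$lineno: not valid base64" >&2; rc=1; continue
        fi
        len=$(printf '%s' "$line" | base64 -d | wc -c)
        if [ "$((len))" -ne 80 ]; then
            echo "$file:$lineno: decodes to $((len)) bytes, expected 80" >&2; rc=1
        else
            count=$((count + 1))
        fi
    done < "$file"

    if [ "$count" -lt 3 ]; then
        echo "$file: $count valid key(s), expected at least 3" >&2; rc=1
    fi
    return "$rc"
}

# Constructed sample input: three random 80-byte keys in a private temp file.
demo_dir=$(mktemp -d)
demo_file=$demo_dir/test.local.key
( umask 077
  for i in 1 2 3; do
      head -c 80 /dev/urandom | base64 | tr -d '\n'; echo
  done > "$demo_file" )
check_ticket_keys "$demo_file" && echo "$demo_file: OK"
```

Problems are reported by line number only, so the output is safe to capture in logs.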

© 2023 HAProxy Technologies, LLC. All Rights Reserved