show tls-keys

Display the secret keys used to encrypt TLS session tickets.

The load balancer supports this command and TLS session tickets only up to TLS 1.2. TLS 1.3 uses a different mechanism called Pre-shared Keys (PKS). During the TLS handshake, the client and load balancer agree on which version of TLS to use based on their mutual support.

Description Jump to heading #

TLS session tickets are enabled by default in the load balancer. However, the underlying OpenSSL library uses its own auto-generated key to encrypt the tickets unless you set the tls-ticket-keys parameter on the bind line in the frontend or listen section of your configuration. This parameter points to the file containing a list of your own secret keys to use upon startup.

Use show tls-keys to show the contents of your key file. You can also use the set ssl tls-key command to rotate in a new secret key without requiring a reload.

Examples Jump to heading #

In this example, we generate secret keys for a website named test.local.

1. Create a directory to hold your secret keys:

   nix
   sudo mkdir /etc/ssl/tls-ticket-keys

   nix
   sudo mkdir /etc/ssl/tls-ticket-keys

2. Generate three secret keys and store them in the file /etc/ssl/tls-ticket-keys/test.local.key by calling the following command three times:

   nix
   echo "`openssl rand 80 | openssl base64 -A`" | \
     sudo tee -a /etc/ssl/tls-ticket-keys/test.local.key > /dev/null

   nix
   echo "`openssl rand 80 | openssl base64 -A`" | \
     sudo tee -a /etc/ssl/tls-ticket-keys/test.local.key > /dev/null

3. Add the tls-ticket-keys parameter to the bind line in the frontend or listen section of your configuration.

   This points to the file containing a list of secret keys to use upon startup.

   haproxy
   frontend fe_main
     bind :80
     bind :443 ssl  crt /etc/hapee-3.1/certs/site.pem  tls-ticket-keys /etc/ssl/tls-ticket-keys/test.local.key
     http-request redirect scheme https unless { ssl_fc }
     default_backend webservers

   haproxy
   frontend fe_main
     bind :80
     bind :443 ssl  crt /etc/hapee-3.1/certs/site.pem  tls-ticket-keys /etc/ssl/tls-ticket-keys/test.local.key
     http-request redirect scheme https unless { ssl_fc }
     default_backend webservers

4. Call show tls-keys with no parameters to list all key files:

   nix
   echo "show tls-keys" | \
     sudo socat stdio tcp4-connect:127.0.0.1:9999

   nix
   echo "show tls-keys" | \
     sudo socat stdio tcp4-connect:127.0.0.1:9999

   output
   text
   # id (file)
   0 (/etc/ssl/tls-ticket-keys/test.local.key)

   output
   text
   # id (file)
   0 (/etc/ssl/tls-ticket-keys/test.local.key)

5. To view the keys in a file, call show tls-keys with the path to the file (or its numeric ID):

   nix
   echo "show tls-keys /etc/ssl/tls-ticket-keys/test.local.key" | \
     sudo socat stdio tcp4-connect:127.0.0.1:9999

   nix
   echo "show tls-keys /etc/ssl/tls-ticket-keys/test.local.key" | \
     sudo socat stdio tcp4-connect:127.0.0.1:9999

   output
   text
   # id secret
   # 0 (/etc/ssl/tls-ticket-keys/test.local.key)
   0.0 foNecGaN+zlgI3TlsT/pLJ9d7ZRoSZ2nmXZq29BSRWIErYTwK1RfZs3XfImaruR8ovJ1lAmZxiE2+tHSwypa7Cqq01hczTn2EN1C3anecys=
   0.1 7VsH1P4H/N8MOLewQMOMOPjDa8ZCddHzLYe7JH/ydhg8JIO8yf1rg7JqAUbN2WoTzFlY0MhQKQSibARLQk1Ff0Ki12dma1/L7/W5xtgQANQ=
   0.2 BiSBxvngSPguqzteXXxCk8WrnimwCSuOapx4koBv01Bei8N00HuJIBce8w324xsYhiUpxcF4RbR6nGoMXOf1LkboQykFPnohTYOgfy4SPFE=

   output
   text
   # id secret
   # 0 (/etc/ssl/tls-ticket-keys/test.local.key)
   0.0 foNecGaN+zlgI3TlsT/pLJ9d7ZRoSZ2nmXZq29BSRWIErYTwK1RfZs3XfImaruR8ovJ1lAmZxiE2+tHSwypa7Cqq01hczTn2EN1C3anecys=
   0.1 7VsH1P4H/N8MOLewQMOMOPjDa8ZCddHzLYe7JH/ydhg8JIO8yf1rg7JqAUbN2WoTzFlY0MhQKQSibARLQk1Ff0Ki12dma1/L7/W5xtgQANQ=
   0.2 BiSBxvngSPguqzteXXxCk8WrnimwCSuOapx4koBv01Bei8N00HuJIBce8w324xsYhiUpxcF4RbR6nGoMXOf1LkboQykFPnohTYOgfy4SPFE=

See also Jump to heading #

• set ssl cert
• set ssl ocsp-response
• set ssl tls-key