Reference
show tls-keys
Display the secret keys used to encrypt TLS session tickets.
The load balancer supports this command and TLS session tickets only up to TLS 1.2. TLS 1.3 uses a different mechanism called Pre-shared Keys (PKS). During the TLS handshake, the client and load balancer agree on which version of TLS to use based on their mutual support.
Description Jump to heading
TLS session tickets are enabled by default in the load balancer. However, the underlying OpenSSL library uses its own auto-generated key to encrypt the tickets unless you set the tls-ticket-keys
parameter on the bind
line in the frontend
or listen
section of your configuration. This parameter points to the file containing a list of your own secret keys to use upon startup.
Use show tls-keys
to show the contents of your key file. You can also use the set ssl tls-key
command to rotate in a new secret key without requiring a reload.
Examples Jump to heading
In this example, we generate secret keys for a website named test.local
.
-
Create a directory to hold your secret keys:
nixsudo mkdir /etc/ssl/tls-ticket-keysnixsudo mkdir /etc/ssl/tls-ticket-keys -
Generate three secret keys and store them in the file
/etc/ssl/tls-ticket-keys/test.local.key
by calling the following command three times:nixecho "`openssl rand 80 | openssl base64 -A`" | \sudo tee -a /etc/ssl/tls-ticket-keys/test.local.key > /dev/nullnixecho "`openssl rand 80 | openssl base64 -A`" | \sudo tee -a /etc/ssl/tls-ticket-keys/test.local.key > /dev/null -
Add the
tls-ticket-keys
parameter to thebind
line in thefrontend
orlisten
section of your configuration.This points to the file containing a list of secret keys to use upon startup.
haproxyfrontend fe_mainbind :80bind :443 ssl crt /etc/hapee-2.9/certs/site.pem tls-ticket-keys /etc/ssl/tls-ticket-keys/test.local.keyhttp-request redirect scheme https unless { ssl_fc }default_backend webservershaproxyfrontend fe_mainbind :80bind :443 ssl crt /etc/hapee-2.9/certs/site.pem tls-ticket-keys /etc/ssl/tls-ticket-keys/test.local.keyhttp-request redirect scheme https unless { ssl_fc }default_backend webservers -
Call
show tls-keys
with no parameters to list all key files:nixecho "show tls-keys" | \sudo socat stdio tcp4-connect:127.0.0.1:9999nixecho "show tls-keys" | \sudo socat stdio tcp4-connect:127.0.0.1:9999outputtext# id (file)0 (/etc/ssl/tls-ticket-keys/test.local.key)outputtext# id (file)0 (/etc/ssl/tls-ticket-keys/test.local.key) -
To view the keys in a file, call
show tls-keys
with the path to the file (or its numeric ID):nixecho "show tls-keys /etc/ssl/tls-ticket-keys/test.local.key" | \sudo socat stdio tcp4-connect:127.0.0.1:9999nixecho "show tls-keys /etc/ssl/tls-ticket-keys/test.local.key" | \sudo socat stdio tcp4-connect:127.0.0.1:9999outputtext# id secret# 0 (/etc/ssl/tls-ticket-keys/test.local.key)0.0 foNecGaN+zlgI3TlsT/pLJ9d7ZRoSZ2nmXZq29BSRWIErYTwK1RfZs3XfImaruR8ovJ1lAmZxiE2+tHSwypa7Cqq01hczTn2EN1C3anecys=0.1 7VsH1P4H/N8MOLewQMOMOPjDa8ZCddHzLYe7JH/ydhg8JIO8yf1rg7JqAUbN2WoTzFlY0MhQKQSibARLQk1Ff0Ki12dma1/L7/W5xtgQANQ=0.2 BiSBxvngSPguqzteXXxCk8WrnimwCSuOapx4koBv01Bei8N00HuJIBce8w324xsYhiUpxcF4RbR6nGoMXOf1LkboQykFPnohTYOgfy4SPFE=outputtext# id secret# 0 (/etc/ssl/tls-ticket-keys/test.local.key)0.0 foNecGaN+zlgI3TlsT/pLJ9d7ZRoSZ2nmXZq29BSRWIErYTwK1RfZs3XfImaruR8ovJ1lAmZxiE2+tHSwypa7Cqq01hczTn2EN1C3anecys=0.1 7VsH1P4H/N8MOLewQMOMOPjDa8ZCddHzLYe7JH/ydhg8JIO8yf1rg7JqAUbN2WoTzFlY0MhQKQSibARLQk1Ff0Ki12dma1/L7/W5xtgQANQ=0.2 BiSBxvngSPguqzteXXxCk8WrnimwCSuOapx4koBv01Bei8N00HuJIBce8w324xsYhiUpxcF4RbR6nGoMXOf1LkboQykFPnohTYOgfy4SPFE=
See also Jump to heading
Do you have any suggestions on how we can improve the content of this page?