This repository has been archived by the owner on Dec 20, 2018. It is now read-only.

iOS Safari fails to connect when bud uses SNI/contexts and automatically disables SSL resumption cache #92

Closed
doublerebel opened this issue Oct 26, 2016 · 2 comments

Contributor

doublerebel commented Oct 26, 2016

Hello,

One of my users noticed today that a website I front with bud was not loading on iOS Safari. I ran my site through the SSLLabs test and it was still passing with an A so I went looking for other answers.

Luckily I found this LetsEncrypt forum post; it seems iOS Safari fails to connect to nginx too when SSL caching is not enabled. Nobody seems to know why this happens, but there are more reports of it, like here, where they do not even realize the SSL cache is the difference in the configs. I checked my SSLLabs report and, sure enough, SSL caching was disabled.

Went to the bud source, commented out the offending line in contexts.c, rebuilt bud and sure enough all is working again on iOS Safari.

I use SNI to load multiple LetsEncrypt certs from hashicorp/vault, it's fantastic. But I'm not running a cluster of buds, just one bud with multiple workers.

Conclusion:

I think we should expose SSL caching so the user can set it in the config.

It would be even more ideal to expose an interface for caching, to be shared using a backend like Memcached or Redis. I understand why tickets are more ideal in a cluster, but unfortunately we are stuck with whatever Apple gives us.

Sidenote:

Do you have a rough number for how many connections bud can support before it needs to be run in a cluster?

Thanks again for bud, the code is so straightforward all issues are easy to triage!

EDIT: I'm pretty sure this only started being an issue for me with iOS 10, I just updated my devices within the last month and haven't checked my websites since then. But this is my unscientific anecdote.
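An added example (not part of the thread or the bud project) for checking the server-side session cache directly rather than through an SSL Labs report: `probe_resumption` runs `openssl s_client` with tickets disabled and reconnects, and `classify_resumption` counts the `New,` and `Reused,` handshake lines it prints. The function names, verdict strings and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: is session-ID resumption (the server-side session cache) working?
# Session IDs are a TLS <= 1.2 mechanism, so the probe pins TLS 1.2 and
# disables session tickets so that only the cache can produce a resumption.

# classify_resumption: reads `openssl s_client -reconnect` output on stdin.
# s_client prints "New, ..." for a full handshake and "Reused, ..." for a
# resumed one; the first connection is always "New".
classify_resumption() {
  awk '
    /^New, /    { fresh++ }
    /^Reused, / { reused++ }
    END {
      if (fresh + reused == 0) v = "no-handshake"
      else if (reused == 0)    v = "cache-off"      # every reconnect was a full handshake
      else if (fresh > 1)      v = "cache-partial"  # some reconnects missed the cache
      else                     v = "cache-on"
      printf "%s reused=%d new=%d\n", v, reused, fresh
    }'
}

# probe_resumption HOST PORT [SNI_NAME]
# SNI_NAME defaults to HOST; set it to the servername of the context under test.
probe_resumption() {
  openssl s_client -connect "$1:$2" -servername "${3:-$1}" \
    -tls1_2 -no_ticket -reconnect </dev/null 2>/dev/null | classify_resumption
}

# Constructed s_client excerpts (cipher names are placeholders, not captures).
SAMPLE_CACHE_OFF='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_CACHE_ON='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
```

Run `probe_resumption HOST PORT SNI_NAME` once per configured context, since the cache state can differ between the default certificate and an SNI-selected one.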

Owner

indutny commented Oct 27, 2016

Hello Charles!

Glad to hear that you use bud!

This session situation sounds really interesting, I'll take a deep look at it this week and we'll figure out the best solution for it!

Thank you,
Fedor.

Owner

indutny commented Oct 29, 2016

@doublerebel I'm having trouble reproducing this in the iOS 10.1 simulator. This is the config that I have used:

{
  "workers": 0,
  "log": {
    "level": "debug",
    "facility": "user",
    "stdio": true,
    "syslog": false
  },
  "frontend": {
    "port": 1443,
    "host": "0.0.0.0",
    "npn": ["http/1.1", "http/1.0"],
    "cert": "keys/cert.pem",
    "key": "keys/key.pem"
  },
  "balance": "sni",
  "backend": [{
    "port": 3001,
    "host": "127.0.0.1",
    "keepalive": 3600,
    "proxyline": false,
    "x-forward": false
  }],
  "contexts": [{
    "servername": "localhost.paypal.com",
    "cert": "keys/cert.pem",
    "key": "keys/key.pem",
    "npn": ["http/1.1", "http/1.0"],
    "backend": [{
      "port": 3000,
      "host": "127.0.0.1",
      "keepalive": 3600
    }]
  }]
}

Are you using async SNI, or synchronous SNI? Does synchronous work for you?

@indutny indutny closed this as completed Nov 19, 2016