The HAProxy wiki is quite critical of OpenSSL 3.x performance:
"OpenSSL 3.x is basically only usable for personal sites. Users seeking anything serious performance-wise will need to stay on version 1.1.1 provided by their vendor"
On the other hand, https://openssl-library.org/performance.html claims similar performance for TLS handshakes between OpenSSL 1.1.1 and OpenSSL 3.4 using 10 threads and slightly better performance of 3.4 for 100 threads, while OpenSSL 3.0 is still considerably slower than 1.1.1 or 3.4.
Debian Trixie already ships OpenSSL 3.4 and HAProxy 3.0 (LTS) linked against OpenSSL 3.4:
$ haproxy -vv
HAProxy version 3.0.9-1 2025/03/22 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2029.
Known bugs: http://www.haproxy.org/bugs/bugs-3.0.9.html
Running on: Linux 6.1.0-30-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.124-1 (2025-01-12) x86_64
Build options :
  TARGET = linux-glibc
  CC = x86_64-linux-gnu-gcc
  CFLAGS = -O2 -g -fwrapv -g -O2 -Werror=implicit-function-declaration -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1 USE_SYSTEMD=1 USE_OT=1 USE_QUIC=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_QUIC_OPENSSL_COMPAT=1
  DEBUG =

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL +OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC +QUIC_OPENSSL_COMPAT +RT +SHM_OPEN +SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL -ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=16).
Built with OpenSSL version : OpenSSL 3.4.1 11 Feb 2025
Running on OpenSSL version : OpenSSL 3.4.1 11 Feb 2025
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with Lua version : Lua 5.4.7
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with OpenTracing support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.45 2025-02-05
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 14.2.0

Available polling systems :
  epoll : pref=300, test result OK
  poll : pref=200, test result OK
  select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
  quic : mode=HTTP side=FE mux=QUIC flags=HTX|NO_UPG|FRAMED
  h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
  h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
  fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=TCP side=FE|BE mux=PASS flags=
  none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG

Available services : prometheus-exporter

Available filters :
  [BWLIM] bwlim-in
  [BWLIM] bwlim-out
  [CACHE] cache
  [COMP] compression
  [FCGI] fcgi-app
  [ OT] opentracing
  [SPOE] spoe
  [TRACE] trace
The goal of this task is to validate the performance of HAProxy + OpenSSL 3.4 on our current cp hosts running bullseye, ideally targeting HAProxy 2.8 and, if that is not possible, 3.0.
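
A pre-benchmark sanity check for the `haproxy -vv` output above, added here as an example (it is not part of the original task or of HAProxy): it confirms that a host runs one of the targeted HAProxy branches (2.8 or 3.0) on OpenSSL 3.4, and that the build-time and run-time OpenSSL branches agree, so the numbers measured are attributed to the right library. The function names and the embedded sample text are assumptions made for the example.

```python
import re

# Constructed sample: the version lines from the `haproxy -vv` output above.
SAMPLE = """\
HAProxy version 3.0.9-1 2025/03/22 - https://haproxy.org/
Built with OpenSSL version : OpenSSL 3.4.1 11 Feb 2025
Running on OpenSSL version : OpenSSL 3.4.1 11 Feb 2025
"""

_HAPROXY = re.compile(r"^HAProxy version (\d+\.\d+)\.", re.M)
_OPENSSL = re.compile(
    r"^(Built with|Running on) OpenSSL version\s*:\s*OpenSSL (\d+)\.(\d+)\.(\d+)",
    re.M,
)

def parse_vv(text):
    """Extract the HAProxy branch and build-time/run-time OpenSSL versions."""
    info = {"haproxy": None, "built": None, "running": None}
    m = _HAPROXY.search(text)
    if m:
        info["haproxy"] = m.group(1)
    for kind, major, minor, patch in _OPENSSL.findall(text):
        key = "built" if kind == "Built with" else "running"
        info[key] = (int(major), int(minor), int(patch))
    return info

def check(text, want_haproxy=("2.8", "3.0"), want_openssl=(3, 4)):
    """Return reasons why this host is not a valid benchmark target (empty = OK)."""
    info = parse_vv(text)
    problems = []
    if info["haproxy"] not in want_haproxy:
        problems.append(f"HAProxy branch {info['haproxy']} is not one of {want_haproxy}")
    if info["built"] is None or info["running"] is None:
        # Without both lines we cannot tell which TLS library is being measured.
        problems.append("OpenSSL version lines not found")
        return problems
    if info["built"][:2] != info["running"][:2]:
        # Compiled against one branch, loading the shared library of another.
        problems.append(f"built against {info['built']} but running on {info['running']}")
    if info["running"][:2] != want_openssl:
        branch = f"{want_openssl[0]}.{want_openssl[1]}.x"
        problems.append(f"running OpenSSL {info['running']}, expected {branch}")
    return problems

if __name__ == "__main__":
    for line in check(SAMPLE) or ["OK: targeted HAProxy/OpenSSL combination"]:
        print(line)
```

On a real host, pass the captured output of `haproxy -vv` to `check()` instead of `SAMPLE`.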

