Bug 2373189
| Summary: | [Cephadm][RGW-QAT]: Ingress over QAT fails if the backend RGW also has QAT enabled | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Tejas <tchandra> |
| Component: | Build | Assignee: | Justin Caratzas <jcaratza> |
| Status: | CLOSED UPSTREAM | QA Contact: | Vinayak Papnoi <vpapnoi> |
| Severity: | high | Docs Contact: | Rivka Pollack <rpollack> |
| Priority: | unspecified | ||
| Version: | 8.1 | CC: | adking, akane, cephqe-warriors, kdeb, mkasturi, rkachach, rpollack, sabose, saraut, sohsingh |
| Target Milestone: | --- | ||
| Target Release: | 9.0z1 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Known Issue | |
| Doc Text: |
.QAT cannot be used for TLS offload or acceleration mode together with SSL set
Enabling QAT on HAProxy with SSL enabled injects legacy OpenSSL engine directives. The legacy OpenSSL engine path breaks the TLS handshake, emitting the `tlsv1 alert internal error` error. With the TLS handshake broken, the TLS termination fails.
As a workaround, disable the QAT at HAProxy in order to keep the TLS handshake.
Set the configuration file specifications as follows:
* `haproxy_qat_support: false`
* `ssl: true`
As a result, QAT is disabled and the HAProxy TLS works as expected.
NOTE: Under heavy connection rates higher CPU usage may be seen versus QAT-offloaded handshakes.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2026-03-04 09:53:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2388233 | ||
|
Description
Tejas
2025-06-17 15:29:10 UTC
This product has been discontinued or is no longer tracked in Red Hat Bugzilla. |