I'd like to close the loop on this discussion. In general I believe there is a consensus that perhaps ssl_multicert is not the place to deal with ticket rotation and that if you're willing to have global session tickets (meaning not tied to a specific domain) then the implementation that would accomplish this would be trivial compared to the current approach where rotation would happen with traffic_line -x on a per domain basis coming from ssl_multicert. Which I strongly agree with if this is something that most people believe would remain secure and is acceptable...? Additionally, in the long run if something more complicated was required we could implement it via early ssl hooks and a plugin.
Does this accurately sum things up? Nikhil / Bret, do you guys think rotating a global ticket file via records.config works both from a security and operational standpoint? Thanks everyone for the great feedback!

Brian

On Fri, Aug 7, 2015 at 1:10 AM, Bret Palsson <bre...@gmail.com> wrote:
> On Thu, Aug 6, 2015 at 10:08 AM, James Peach <jpe...@apache.org> wrote:
> > > On Aug 6, 2015, at 9:56 AM, Leif Hedstrom <zw...@apache.org> wrote:
> > >
> > >> On Aug 5, 2015, at 10:16 AM, James Peach <jpe...@apache.org> wrote:
> > >>
> > >>> On Aug 5, 2015, at 8:22 AM, Susan Hinrichs <shinr...@network-geographics.com> wrote:
> > >>>
> > >>> I would argue that the specification of the session ticket key in the ssl_multicert.config file is inappropriate at least as the primary mechanism. It seems that for the common case, you don't need to use different session keys for different domains. You could specify one key file set in records.config.
> > >>
> > >> Yes, I think this is a promising approach.
> > >
> > > I like that too. I don’t know how easily this can be done as an overridable configuration, without introducing a lot of additional complexity (remember, the HttpSM needs to generally be available for you to use overridable configs).
> >
> > You can't override this at the HTTP layer since you already had to deal with session tickets when you terminated the TLS session.
> >
> > > If it can’t be overridable, would it make sense to have an API as well for this? Such that a plugin can set the session keys, which would then let you manage the rotation in any way that you seem fit.
> >
> > It would be great to have more flexibility in TLS. As I may have implied before, I think ssl_multicert.config is stretching the limits of what it can reasonably express :)
>
> I very much agree with this!
>
> > J
>
> --
> Bret Palsson | https://cobook.co/bretep
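The thread proposes one global ticket key file, named in records.config and re-read on a config reload (traffic_line -x), instead of per-domain keys in ssl_multicert.config. The sketch below is an added example, not code from Apache Traffic Server or from anyone on this thread. It models what a global key ring has to get right when rotating: the first key in the file seals new tickets, every key still in the file can open old tickets, a ticket opened with a non-current key is flagged so the server issues a fresh one, and a key that has been dropped from the file can no longer open anything. The 48-byte record layout (16-byte key name, 16-byte AES key, 16-byte HMAC key) and the "renew" signal mirror the OpenSSL ticket-key callback conventions and are assumptions here; ticket confidentiality (AES in the real callback) is left out so that the key-selection logic stays visible.

```python
"""Model of a global TLS session-ticket key ring with file-based rotation.

Added example (not Apache Traffic Server code). Assumes 48-byte key records
(name | AES key | HMAC key) and the OpenSSL callback semantics of
"ok" / "renew" / "unknown key". Tickets are authenticated only, not encrypted.
"""
import hashlib
import hmac

KEY_RECORD_LEN = 48
NAME_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 tag appended to every ticket


class TicketKey:
    """One 48-byte record from the ticket key file."""

    def __init__(self, record: bytes):
        if len(record) != KEY_RECORD_LEN:
            raise ValueError("ticket key record must be 48 bytes")
        self.name = record[:NAME_LEN]
        self.aes_key = record[NAME_LEN:NAME_LEN + 16]   # not used in this sketch
        self.hmac_key = record[NAME_LEN + 16:]


class TicketKeyRing:
    """All keys from one ticket key file; keys[0] is the sealing key."""

    def __init__(self, file_bytes: bytes):
        self.keys = []
        self.reload(file_bytes)

    def reload(self, file_bytes: bytes) -> None:
        # Models re-reading the global key file on a config reload: the whole
        # ring is swapped at once, so keys removed from the file stop working.
        if not file_bytes or len(file_bytes) % KEY_RECORD_LEN:
            raise ValueError("key file must be a non-empty multiple of 48 bytes")
        self.keys = [TicketKey(file_bytes[i:i + KEY_RECORD_LEN])
                     for i in range(0, len(file_bytes), KEY_RECORD_LEN)]

    def seal_ticket(self, session_state: bytes) -> bytes:
        # Always the newest (first) key; the key name is sent in the clear so
        # the server can pick the right key on resumption.
        key = self.keys[0]
        body = key.name + session_state
        tag = hmac.new(key.hmac_key, body, hashlib.sha256).digest()
        return body + tag

    def open_ticket(self, ticket: bytes):
        """Return (session_state, status); state is None when unusable."""
        if len(ticket) < NAME_LEN + TAG_LEN:
            return None, "malformed"
        name = ticket[:NAME_LEN]
        key = next((k for k in self.keys if k.name == name), None)
        if key is None:
            return None, "unknown_key"      # OpenSSL callback 0: full handshake
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        expected = hmac.new(key.hmac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad_mac"
        state = body[NAME_LEN:]
        if key is not self.keys[0]:
            return state, "renew"           # OpenSSL callback 2: issue new ticket
        return state, "ok"                  # OpenSSL callback 1


def make_record(label: str, seed: int) -> bytes:
    """Constructed, deterministic key record for the demo (real files are random)."""
    name = label.encode().ljust(NAME_LEN, b"\0")
    return name + bytes([seed]) * 16 + bytes([seed ^ 0xFF]) * 16


# Constructed key files: each rotation prepends a new key and drops the oldest.
FILE_GEN1 = make_record("key-B", 2) + make_record("key-A", 1)
FILE_GEN2 = make_record("key-C", 3) + make_record("key-B", 2)
FILE_GEN3 = make_record("key-D", 4) + make_record("key-C", 3)


def rotation_demo():
    """Follow one ticket across two rotations of the global key file."""
    ring = TicketKeyRing(FILE_GEN1)
    ticket = ring.seal_ticket(b"session-state-1")
    statuses = [ring.open_ticket(ticket)[1]]
    ring.reload(FILE_GEN2)                   # key-B still present, no longer current
    statuses.append(ring.open_ticket(ticket)[1])
    ring.reload(FILE_GEN3)                   # key-B gone: ticket forces a full handshake
    statuses.append(ring.open_ticket(ticket)[1])
    return statuses


if __name__ == "__main__":
    print(rotation_demo())
```

Keeping at least two generations in the file is what makes the reload operationally safe: the window during which clients hold tickets sealed with the previous key overlaps the rotation, so they resume (and get a renewed ticket) rather than all falling back to full handshakes at once.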