Bump, any last feedback regarding my previous email? On Wed, Aug 12, 2015 at 1:54 PM, Brian Geffon <briangef...@gmail.com> wrote:
> I'd like to close the loop on this discussion. In general I believe there > is a consensus that perhaps ssl_multicert is not the place to deal with > ticket rotation and that if you're willing to have global session tickets > (meaning not tied to a specific domain) then the implementation that would > accomplish this would be trivial compared to the current approach where > rotation would happen with traffic_line -x on a per domain basis coming > from ssl_multicert. Which I strongly agree with if this is something that > most people believe would remain secure and is acceptable...? Additionally, > in the long run if something more complicated was required we could > implement it via early ssl hooks and a plugin. > > Does this accurately sum things up? > > Nikhil / Bret, do you guys think rotating a global ticket file via > records.config works both from a security and operational standpoint? > > Thanks everyone for the great feedback! > Brian > > On Fri, Aug 7, 2015 at 1:10 AM, Bret Palsson <bre...@gmail.com> wrote: > >> On Thu, Aug 6, 2015 at 10:08 AM, James Peach <jpe...@apache.org> wrote: >> >> > >> > > On Aug 6, 2015, at 9:56 AM, Leif Hedstrom <zw...@apache.org> wrote: >> > > >> > > >> > >> On Aug 5, 2015, at 10:16 AM, James Peach <jpe...@apache.org> wrote: >> > >> >> > >> >> > >>> On Aug 5, 2015, at 8:22 AM, Susan Hinrichs < >> > shinr...@network-geographics.com> wrote: >> > >>> >> > >>> I would argue that the specification of the session ticket key in >> the >> > ssl_multicert.config file is inappropriate at least as the primary >> > mechanism. It seems that for the common case, you don't need to use >> > different session keys for different domains. You could specify one key >> > file set in records.config. >> > >> >> > >> Yes, I think this is a promising approach. >> > > >> > > >> > > I like that too. I don’t know how easily this can be done as an >> > overridable configuration, without introducing a lot of additional >> > complexity (remember, the HttpSM needs to generally be available for >> you to >> > use overridable configs). >> > >> > You can't override this at the HTTP layer since you already had to deal >> > with session tickets when you terminated the TLS session. >> > >> > > If it can’t be overridable, would it make sense to have an API as well >> > for this? Such that a plugin can set the session keys, which would then >> let >> > you manage the rotation in any way that you seem fit. >> > >> > It would be great to have more flexibility in TLS. As I may have implied >> > before, I think ssl_multicert.config is stretching the limits of what it >> > can reasonably express :) >> > >> >> I very much agree with this! >> >> >> > J >> >> >> >> >> -- >> Bret Palsson | https://cobook.co/bretep >> > >
