I sent a response on Aug 12. Here was what I sent. Are my messages being moderated? I'm not seeing the email in the archives. https://mail-archives.apache.org/mod_mbox/trafficserver-dev/201508.mbox/browser
---------- Forwarded message ---------- From: Bret Palsson <bre...@gmail.com> Date: Wed, Aug 12, 2015 at 8:57 AM Subject: Re: TLS Session Ticket: Key Rotation To: dev@trafficserver.apache.org Brian: Thanks for summarizing this thread! That would work operationally. I think there still there needs to be a safe way to force a rotation without having to restart traffic_server and reloading all the configs via traffic_line -x. -Bret On Tue, Aug 11, 2015 at 10:54 PM, Brian Geffon <briangef...@gmail.com> wrote: > I'd like to close the loop on this discussion. In general I believe there > is a consensus that perhaps ssl_multicert is not the place to deal with > ticket rotation and that if you're willing to have global session tickets > (meaning not tied to a specific domain) then the implementation that would > accomplish this would be trivial compared to the current approach where > rotation would happen with traffic_line -x on a per domain basis coming > from ssl_multicert. Which I strongly agree with if this is something that > most people believe would remain secure and is acceptable...? Additionally, > in the long run if something more complicated was required we could > implement it via early ssl hooks and a plugin. > > Does this accurately sum things up? > > Nikhil / Bret, do you guys think rotating a global ticket file via > records.config works both from a security and operational standpoint? > > Thanks everyone for the great feedback! > Brian > > On Fri, Aug 7, 2015 at 1:10 AM, Bret Palsson <bre...@gmail.com> wrote: > > > On Thu, Aug 6, 2015 at 10:08 AM, James Peach <jpe...@apache.org> wrote: > > > > > > > > > On Aug 6, 2015, at 9:56 AM, Leif Hedstrom <zw...@apache.org> wrote: > > > > > > > > > > > >> On Aug 5, 2015, at 10:16 AM, James Peach <jpe...@apache.org> wrote: > > > >> > > > >> > > > >>> On Aug 5, 2015, at 8:22 AM, Susan Hinrichs < > > > shinr...@network-geographics.com> wrote: > > > >>> > > > >>> I would argue that the specification of the session ticket key in > the > > > ssl_multicert.config file is inappropriate at least as the primary > > > mechanism. It seems that for the common case, you don't need to use > > > different session keys for different domains. You could specify one > key > > > file set in records.config. > > > >> > > > >> Yes, I think this is a promising approach. > > > > > > > > > > > > I like that too. I don’t know how easily this can be done as an > > > overridable configuration, without introducing a lot of additional > > > complexity (remember, the HttpSM needs to generally be available for > you > > to > > > use overridable configs). > > > > > > You can't override this at the HTTP layer since you already had to deal > > > with session tickets when you terminated the TLS session. > > > > > > > If it can’t be overridable, would it make sense to have an API as > well > > > for this? Such that a plugin can set the session keys, which would then > > let > > > you manage the rotation in any way that you seem fit. > > > > > > It would be great to have more flexibility in TLS. As I may have > implied > > > before, I think ssl_multicert.config is stretching the limits of what > it > > > can reasonably express :) > > > > > > > I very much agree with this! > > > > > > > J > > > > > > > > > > -- > > Bret Palsson | https://cobook.co/bretep > > > -- Bret Palsson | https://cobook.co/bretep -- Bret Palsson | https://cobook.co/bretep
