So as I read this thread we have a couple points:
- Global key instead of per-ssl_multicert line
- Fix issue with traffic_line -x not being transactional

The one point that seems to have been dropped is how the keys themselves get rotated. I personally don't particularly like the idea of having an external process rotating a file and then calling traffic_line -x to rotate the keys. I'd actually like it if ATS (core or plugin) could do the rotation on its own-- and I'd like to make that the default. Today the default for tickets creates one in memory, and then uses it until trafficserver is restarted-- which is potentially bad for PFC (since uptime should be high).

IMO it makes sense to put a feature like this in the core (since Tickets are a core feature), but I can understand how if you wanted to do something more complicated (shared keys, etc.) that would make more sense in plugin-space. Maybe we can have some way of shipping a basic implementation (in either the core or a simple plugin) which is enabled by default (if tickets are enabled).

Thoughts?

On Thu, Aug 20, 2015 at 11:27 AM, Bret Palsson <bre...@gmail.com> wrote:

> I sent a response on Aug 12. Here was what I sent. Are my messages being
> moderated? I'm not seeing the email in the archives.
>
> https://mail-archives.apache.org/mod_mbox/trafficserver-dev/201508.mbox/browser
>
> ---------- Forwarded message ----------
> From: Bret Palsson <bre...@gmail.com>
> Date: Wed, Aug 12, 2015 at 8:57 AM
> Subject: Re: TLS Session Ticket: Key Rotation
> To: dev@trafficserver.apache.org
>
> Brian:
>
> Thanks for summarizing this thread!
>
> That would work operationally. I think there still needs to be a safe
> way to force a rotation without having to restart traffic_server and
> reloading all the configs via traffic_line -x.
>
> -Bret
>
> On Tue, Aug 11, 2015 at 10:54 PM, Brian Geffon <briangef...@gmail.com> wrote:
>
> > I'd like to close the loop on this discussion.
> > In general I believe there
> > is a consensus that perhaps ssl_multicert is not the place to deal with
> > ticket rotation and that if you're willing to have global session tickets
> > (meaning not tied to a specific domain) then the implementation that would
> > accomplish this would be trivial compared to the current approach where
> > rotation would happen with traffic_line -x on a per domain basis coming
> > from ssl_multicert. Which I strongly agree with if this is something that
> > most people believe would remain secure and is acceptable...? Additionally,
> > in the long run if something more complicated was required we could
> > implement it via early ssl hooks and a plugin.
> >
> > Does this accurately sum things up?
> >
> > Nikhil / Bret, do you guys think rotating a global ticket file via
> > records.config works both from a security and operational standpoint?
> >
> > Thanks everyone for the great feedback!
> > Brian
> >
> > On Fri, Aug 7, 2015 at 1:10 AM, Bret Palsson <bre...@gmail.com> wrote:
> >
> > > On Thu, Aug 6, 2015 at 10:08 AM, James Peach <jpe...@apache.org> wrote:
> > >
> > > > > On Aug 6, 2015, at 9:56 AM, Leif Hedstrom <zw...@apache.org> wrote:
> > > > >
> > > > >> On Aug 5, 2015, at 10:16 AM, James Peach <jpe...@apache.org> wrote:
> > > > >>
> > > > >>> On Aug 5, 2015, at 8:22 AM, Susan Hinrichs <shinr...@network-geographics.com> wrote:
> > > > >>>
> > > > >>> I would argue that the specification of the session ticket key in the
> > > > >>> ssl_multicert.config file is inappropriate at least as the primary
> > > > >>> mechanism. It seems that for the common case, you don't need to use
> > > > >>> different session keys for different domains. You could specify one key
> > > > >>> file set in records.config.
> > > > >>
> > > > >> Yes, I think this is a promising approach.
> > > > >
> > > > > I like that too.
> > > > > I don’t know how easily this can be done as an
> > > > > overridable configuration, without introducing a lot of additional
> > > > > complexity (remember, the HttpSM needs to generally be available for you to
> > > > > use overridable configs).
> > > >
> > > > You can't override this at the HTTP layer since you already had to deal
> > > > with session tickets when you terminated the TLS session.
> > > >
> > > > > If it can’t be overridable, would it make sense to have an API as well
> > > > > for this? Such that a plugin can set the session keys, which would then let
> > > > > you manage the rotation in any way that you see fit.
> > > >
> > > > It would be great to have more flexibility in TLS. As I may have implied
> > > > before, I think ssl_multicert.config is stretching the limits of what it
> > > > can reasonably express :)
> > >
> > > I very much agree with this!
> > >
> > > > J
> > >
> > > --
> > > Bret Palsson | https://cobook.co/bretep
>
> --
> Bret Palsson | https://cobook.co/bretep
>
> --
> Bret Palsson | https://cobook.co/bretep
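
An added example (not from the thread and not ATS code) of the in-process rotation the top message asks for: one key issues new tickets, and retired keys stay available for decryption until the tickets they issued have expired. The class name, the 48-byte key layout, and both intervals are assumptions.

```cpp
#include <algorithm>
#include <array>
#include <chrono>
#include <cstddef>
#include <deque>
#include <fstream>
#include <stdexcept>

// Hypothetical names throughout; this is not ATS code.
// Assumed layout: 16-byte key name followed by 32 bytes of secret key material.
using TicketKey = std::array<unsigned char, 48>;
using Secs = std::chrono::seconds;

class TicketKeyRing {
  struct Entry { TicketKey key; Secs created; };
  std::deque<Entry> keys_; // front = newest key, the only one used to issue tickets
  Secs rotate_every_, ticket_lifetime_;

  static TicketKey fresh_key() { // kernel CSPRNG; fail closed if unavailable
    TicketKey k;
    std::ifstream rng("/dev/urandom", std::ios::binary);
    if (!rng.read(reinterpret_cast<char *>(k.data()), k.size()))
      throw std::runtime_error("no entropy source");
    return k;
  }

public:
  TicketKeyRing(Secs rotate_every, Secs ticket_lifetime, Secs now)
    : rotate_every_(rotate_every), ticket_lifetime_(ticket_lifetime) {
    keys_.push_front({fresh_key(), now});
  }

  // Run from a periodic timer. Returns true when a new issuing key was installed.
  bool tick(Secs now) {
    bool rotated = now - keys_.front().created >= rotate_every_;
    if (rotated) keys_.push_front({fresh_key(), now});
    // The oldest key stopped issuing when its successor was created; drop it
    // once every ticket it could have issued has expired.
    while (keys_.size() > 1 && now - keys_[keys_.size() - 2].created >= ticket_lifetime_)
      keys_.pop_back();
    return rotated;
  }

  const TicketKey &issuing_key() const { return keys_.front().key; }
  std::size_t size() const { return keys_.size(); }

  // Select the decryption key by the 16-byte key name carried in a ticket.
  const TicketKey *find(const unsigned char *name) const {
    for (const auto &e : keys_)
      if (std::equal(name, name + 16, e.key.begin())) return &e.key;
    return nullptr;
  }
};
```

A ticket callback would encrypt with `issuing_key()` and call `find()` with the key name from a presented ticket; a null result means the client falls back to a full handshake.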