Reply inline

On Tue, Aug 25, 2015 at 2:58 PM, James Peach <jpe...@apache.org> wrote:

>
> > On Aug 25, 2015, at 2:13 PM, Thomas Jackson <jackso...@apache.org>
> wrote:
> >
> > So as I read this thread we have a couple points:
> >
> >   - Global key instead of per-ssl_multicert line
> >   - Fix issue with traffic_line -x not being transactional
> >
> > The one point that seems to have been dropped is how the keys themselves
> > get rotated. I personally don't particularly like the idea of having an
> > external process rotating a file and then calling traffic_line -x to
> > rotate the keys.
>
> If you have more than one server on the same VIP, then you have to
> co-ordinate session ticket keys, in which case having to run "traffic_ctl
> config reload" seems quite reasonable to me.
>
This actually depends. For very small setups (single hosts) this is a
non-issue (as you implied). For some installs (such as ours) traffic is
consistently hashed to reals-- so sharing isn't required. This is I think
where Leif's thought of doing this in plugin space starts to make sense--
because everyone has different requirements on how the keys are rotated.

>
> > I'd actually like it if ATS (core or plugin) could do the
> > rotation on its own-- and I'd like to make that the default. Today the
> > default for tickets creates one in memory, and then uses it until
> > trafficserver is restarted-- which is potentially bad for PFC (since
> > uptime should be high).
>
> Yeh I can see there is a case to do better in the default configuration.
> However, we need to balance that against the additional complexity.
>
Agree that we have to balance it, but in addition to complexity we should
probably consider security, with the favor being more secure instead of less
secure. IIRC keys are enabled by default-- but we don't rotate the keys
(which is not good). So, I'd be equally fine with tickets being disabled by
default; tickets without rotation aren't really safe :/

>
> > IMO it makes sense to put a feature like this in the core
> > (since Tickets are a core feature), but I can understand how if you
> > wanted to do something more complicated (shared keys, etc.) that would make more
> > sense in plugin-space. Maybe we can have some way of shipping a basic
> > implementation (in either the core or a simple plugin) which is enabled
> > by default (if tickets are enabled). Thoughts?
>
> Here's a straw person proposal:
>
>         traffic_ctl ssl rotate-ticket-key [OPTIONAL-48-BYTES]
>
> This is a trivial line to add to crontab and could be used with shared
> ticket keys and implicit (default) ticket keys.
>
This could work, from the command you posted it seems that we would have
configured ATS with the number of keys and it will do the rotation on its
own, just adding those bytes as the newest key-- right?


> > On Thu, Aug 20, 2015 at 11:27 AM, Bret Palsson <bre...@gmail.com> wrote:
> >
> >> I sent a response on Aug 12. Here was what I sent. Are my messages being
> >> moderated? I'm not seeing the email in the archives.
> >>
> >> https://mail-archives.apache.org/mod_mbox/trafficserver-dev/201508.mbox/browser
> >>
> >> ---------- Forwarded message ----------
> >> From: Bret Palsson <bre...@gmail.com>
> >> Date: Wed, Aug 12, 2015 at 8:57 AM
> >> Subject: Re: TLS Session Ticket: Key Rotation
> >> To: dev@trafficserver.apache.org
> >>
> >>
> >> Brian:
> >>
> >> Thanks for summarizing this thread!
> >>
> >> That would work operationally. I think there still needs to be a
> >> safe way to force a rotation without having to restart traffic_server and
> >> reloading all the configs via traffic_line -x.
> >>
> >> -Bret
> >>
> >>
> >>
> >> On Tue, Aug 11, 2015 at 10:54 PM, Brian Geffon <briangef...@gmail.com>
> >> wrote:
> >>
> >>> I'd like to close the loop on this discussion. In general I believe
> >>> there is a consensus that perhaps ssl_multicert is not the place to deal with
> >>> ticket rotation and that if you're willing to have global session
> >>> tickets (meaning not tied to a specific domain) then the implementation that
> >>> would accomplish this would be trivial compared to the current approach where
> >>> rotation would happen with traffic_line -x on a per domain basis coming
> >>> from ssl_multicert. Which I strongly agree with if this is something
> >>> that most people believe would remain secure and is acceptable...?
> >>> Additionally, in the long run if something more complicated was required we could
> >>> implement it via early ssl hooks and a plugin.
> >>>
> >>> Does this accurately sum things up?
> >>>
> >>> Nikhil / Bret, do you guys think rotating a global ticket file via
> >>> records.config works both from a security and operational standpoint?
> >>>
> >>> Thanks everyone for the great feedback!
> >>> Brian
> >>>
> >>> On Fri, Aug 7, 2015 at 1:10 AM, Bret Palsson <bre...@gmail.com> wrote:
> >>>
> >>>> On Thu, Aug 6, 2015 at 10:08 AM, James Peach <jpe...@apache.org> wrote:
> >>>>
> >>>>>
> >>>>>> On Aug 6, 2015, at 9:56 AM, Leif Hedstrom <zw...@apache.org> wrote:
> >>>>>>
> >>>>>>
> >>>>>>> On Aug 5, 2015, at 10:16 AM, James Peach <jpe...@apache.org> wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>> On Aug 5, 2015, at 8:22 AM, Susan Hinrichs <shinr...@network-geographics.com> wrote:
> >>>>>>>>
> >>>>>>>> I would argue that the specification of the session ticket key in
> >>>>>>>> the ssl_multicert.config file is inappropriate at least as the primary
> >>>>>>>> mechanism. It seems that for the common case, you don't need to use
> >>>>>>>> different session keys for different domains. You could specify one
> >>>>>>>> key file set in records.config.
> >>>>>>>
> >>>>>>> Yes, I think this is a promising approach.
> >>>>>>
> >>>>>>
> >>>>>> I like that too. I don’t know how easily this can be done as an
> >>>>>> overridable configuration, without introducing a lot of additional
> >>>>>> complexity (remember, the HttpSM needs to generally be available for
> >>>>>> you to use overridable configs).
> >>>>>
> >>>>> You can't override this at the HTTP layer since you already had to
> >>>>> deal with session tickets when you terminated the TLS session.
> >>>>>
> >>>>>> If it can’t be overridable, would it make sense to have an API as
> >>>>>> well for this? Such that a plugin can set the session keys, which would
> >>>>>> then let you manage the rotation in any way that you seem fit.
> >>>>>
> >>>>> It would be great to have more flexibility in TLS. As I may have
> >>>>> implied before, I think ssl_multicert.config is stretching the limits of what
> >>>>> it can reasonably express :)
> >>>>>
> >>>>
> >>>> I very much agree with this!
> >>>>
> >>>>
> >>>>> J
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Bret Palsson | https://cobook.co/bretep
> >>>>
> >>>
> >>
> >>
> >>
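The rotation scheme the thread circles around (a ring of 48-byte ticket keys where the newest key issues tickets and the retained older keys keep validating them until they age out), as an added Python model that is not part of this thread or of Traffic Server. It assumes the OpenSSL key layout (16-byte name, 16-byte AES key, 16-byte HMAC key) and omits the AES step, so only the key-naming, selection and retention logic is shown; the `simulate` helper and the `depth` parameter are constructed for the illustration.

```python
import hmac
import hashlib
import os
from collections import deque

KEY_LEN = 48  # OpenSSL ticket key layout: name(16) | AES key(16) | HMAC key(16)


class TicketKeyRing:
    """Newest key issues tickets; retained older keys still validate them."""

    def __init__(self, depth=3):
        self.keys = deque(maxlen=depth)  # index 0 is always the newest key

    def rotate(self, raw=None):
        # raw mirrors the [OPTIONAL-48-BYTES] argument; absent, a fresh random key is made
        raw = os.urandom(KEY_LEN) if raw is None else raw
        if len(raw) != KEY_LEN:
            raise ValueError("ticket key must be exactly 48 bytes")
        name, aes_key, mac_key = raw[:16], raw[16:32], raw[32:]
        self.keys.appendleft((name, aes_key, mac_key))  # maxlen evicts the oldest

    def issue(self, state):
        # A real ticket AES-encrypts `state`; here it rides in clear behind the key name
        name, _aes_key, mac_key = self.keys[0]
        body = name + state
        return body + hmac.new(mac_key, body, hashlib.sha256).digest()  # 32-byte tag

    def accept(self, ticket):
        """Return the resumption state, or None to force a full handshake."""
        if len(ticket) < 16 + 32:
            return None
        body, tag = ticket[:-32], ticket[-32:]
        for name, _aes_key, mac_key in self.keys:
            if name == body[:16]:
                expected = hmac.new(mac_key, body, hashlib.sha256).digest()
                return body[16:] if hmac.compare_digest(expected, tag) else None
        return None  # key name unknown: rotated out of the ring, or never ours


def simulate(depth=2):
    """Issue one ticket, then rotate `depth` times; report acceptance after each step."""
    ring = TicketKeyRing(depth)
    ring.rotate()
    ticket = ring.issue(b"resumption-state")
    accepted = [ring.accept(ticket) == b"resumption-state"]
    for _ in range(depth):
        ring.rotate()
        accepted.append(ring.accept(ticket) == b"resumption-state")
    return accepted  # depth=2 -> [True, True, False]
```

The ring depth is the trade-off the thread names: it bounds how long a compromised key can still resume sessions, while a depth of one turns every rotation into a forced full handshake for all clients.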