Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2022/10/25 20:42:45 UTC

[GitHub] [trafficcontrol] TaylorCFrey opened a new issue, #7158: Traffic Vault: Reencrypt utility wipes different SSL Keys during update

TaylorCFrey opened a new issue, #7158:
URL: https://github.com/apache/trafficcontrol/issues/7158

   ## This Bug Report affects these Traffic Control components:
   - Traffic Vault
   
   ## Current behavior:
   
   When running the `reencrypt` utility located at `trafficcontrol/traffic_ops/app/db/reencrypt/reencrypt.go` for SSL Keys (misnomer), all versions of the SSL Keys entries are replaced by a single entry multiple times. As an example, if a delivery service has multiple "versions" of SSL Key data information, all of them are reencrypted into a single data blob for every version.
   
   Before running `reencrypt`:
   
   DeliveryServiceXMLId | Version | Data
   ---|---|---
   sampleDS1 | latest | \xa0f3d800...
   sampleDS1 | 2        | \x93c7b213...
   sampleDS1 | 1        | \x7418e801...
   sampleDS2 | latest | \x48b1c9ff...
   sampleDS2 | 3       | \x88b7a3dd...
   sampleDS2 | 2       | \x1967c3b9...
   sampleDS2 | 1       | \x19f3a2bb...
   
   After running `reencrypt` (notice the data columns have the same value for each DS, regardless of the version):
   
   DeliveryServiceXMLId | Version | Data
   ---|---|---
   sampleDS1 | latest | \xc4f1a823...
   sampleDS1 | 2        | \xc4f1a823...
   sampleDS1 | 1        | \xc4f1a823...
   sampleDS2 | latest | \xaa45b8f1...
   sampleDS2 | 3       | \xaa45b8f1...
   sampleDS2 | 2       | \xaa45b8f1...
   sampleDS2 | 1       | \xaa45b8f1...
   
   ## Expected behavior:
   
   Each row should be uniquely decrypted and reencrypted, resulting in a different correctly encrypted _data_ for each delivery service SSL key version.
   
   ## Steps to reproduce:
   
   Execute the `reencrypt` utility on a Traffic Vault dump with a delivery service that has 3 or more entries (2 or more versions plus 'latest') for SSL Keys.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@trafficcontrol.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
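
One way to check a re-encryption run for the collapse reported above, as an added example that is not code from the issue or from Traffic Control: decrypt every (xml_id, version) row under the old key and under the new key, and flag rows whose plaintext changed. AES-256-GCM with a nonce prefix, the `Key` type and all helper names are assumptions of this sketch, and the sample rows are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Key struct{ DS, Version string } // one row: xml_id plus version

func gcm(key [32]byte) cipher.AEAD { // AES-256-GCM is this example's assumption
	blk, _ := aes.NewCipher(key[:]) // cannot fail: length fixed by the type
	a, _ := cipher.NewGCM(blk)
	return a
}

// Seal prefixes a fresh random nonce to the ciphertext; Open reverses it.
func Seal(a cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce)
	return a.Seal(nonce, nonce, pt, nil)
}
func Open(a cipher.AEAD, blob []byte) ([]byte, error) {
	if n := a.NonceSize(); len(blob) >= n {
		return a.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
}

// Verify lists rows of after whose plaintext differs from the same row in before.
func Verify(before, after map[Key][]byte, oldK, newK cipher.AEAD) (bad []Key) {
	for k, blob := range after {
		want, err1 := Open(oldK, before[k])
		got, err2 := Open(newK, blob)
		if err1 != nil || err2 != nil || !bytes.Equal(want, got) {
			bad = append(bad, k)
		}
	}
	return bad
}

func main() { // constructed rows: version "1" overwritten by the latest blob
	oldK, newK := gcm([32]byte{1}), gcm([32]byte{2})
	latest, v1 := Key{"sampleDS1", "latest"}, Key{"sampleDS1", "1"}
	before := map[Key][]byte{latest: Seal(oldK, []byte("B")), v1: Seal(oldK, []byte("A"))}
	blob := Seal(newK, []byte("B"))
	fmt.Println(Verify(before, map[Key][]byte{latest: blob, v1: blob}, oldK, newK))
}
```

Run against a copy of the table taken before the update; an empty result means every version kept its own data.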


[GitHub] [trafficcontrol] ocket8888 closed issue #7158: Traffic Vault: Reencrypt utility wipes different SSL Keys during update

Posted by GitBox <gi...@apache.org>.
ocket8888 closed issue #7158: Traffic Vault: Reencrypt utility wipes different SSL Keys during update
URL: https://github.com/apache/trafficcontrol/issues/7158

