[apisix] branch master updated: fix: disable ssl_session_tickets by
default (#2641)
This is an automated email from the ASF dual-hosted git repository.
membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 0ff2ab8 fix: disable ssl_session_tickets by default (#2641)
0ff2ab8 is described below
commit 0ff2ab824264c1e55fafa489143e4cd68d7cc7bf
Author: Yousa <sn...@gmail.com>
AuthorDate: Mon Nov 9 22:44:26 2020 +0800
fix: disable ssl_session_tickets by default (#2641)
fix #2638
In short, enabling 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
reference:
ingress-nginx:kubernetes/ingress-nginx#6196
mozilla:mozilla/server-side-tls#135
---
.travis/apisix_cli_test.sh | 22 ++++++++++++++++++++++
apisix/cli/ngx_tpl.lua | 10 ++++++++++
conf/config-default.yaml | 2 ++
3 files changed, 34 insertions(+)
diff --git a/.travis/apisix_cli_test.sh b/.travis/apisix_cli_test.sh
index 5f88ecd..101bd54 100755
--- a/.travis/apisix_cli_test.sh
+++ b/.travis/apisix_cli_test.sh
@@ -442,6 +442,28 @@ fi
echo "passed: using env to set worker processes"
+# set worker processes with env
+git checkout conf/config.yaml
+
+make init
+
+count=`grep -c "ssl_session_tickets off;" conf/nginx.conf || true `
+if [ $count -eq 0 ]; then
+ echo "failed: ssl_session_tickets is off when ssl.ssl_session_tickets is false."
+ exit 1
+fi
+
+sed -i 's/ssl_session_tickets: false/ssl_session_tickets: true/' conf/config-default.yaml
+make init
+
+count=`grep -c "ssl_session_tickets on;" conf/nginx.conf || true `
+if [ $count -eq 0 ]; then
+ echo "failed: ssl_session_tickets is on when ssl.ssl_session_tickets is true."
+ exit 1
+fi
+
+echo "passed: disable ssl_session_tickets by default"
+
# access log with JSON format
echo '
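Review bot: The failure messages on the two `echo "failed: …"` lines describe the expected state rather than the failure, and the leading comment is copied from the previous test block; `# set worker processes with env` should read `# disable ssl_session_tickets by default`, and the first message should read `echo "failed: ssl_session_tickets is not off when ssl.ssl_session_tickets is false."` (likewise "is not on" for the second). The `sed -i` rewrites `conf/config-default.yaml` in place and nothing in this hunk restores it, so, unless a later block does, every test that follows in this script runs with tickets enabled — a `git checkout conf/config-default.yaml` after the second check would keep the test self-contained. Minor style: `count` is used unquoted in `[ $count -eq 0 ]` and the backtick substitutions could be `$(…)`; the file already relies on `make init` regenerating `conf/nginx.conf`, so the checks themselves look sound.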
diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua
index 38079b2..d66b84e 100644
--- a/apisix/cli/ngx_tpl.lua
+++ b/apisix/cli/ngx_tpl.lua
@@ -250,6 +250,11 @@ http {
ssl_protocols {* ssl.ssl_protocols *};
ssl_ciphers {* ssl.ssl_ciphers *};
ssl_prefer_server_ciphers on;
+ {% if ssl.ssl_session_tickets then %}
+ ssl_session_tickets on;
+ {% else %}
+ ssl_session_tickets off;
+ {% end %}
{% else %}
listen {* port_admin *};
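Review bot: The five-line `{% if ssl.ssl_session_tickets then %} … {% end %}` block is duplicated verbatim here and in the second hunk of this file (`@@ -330,6 +335,11 @@`), so the two server blocks can drift apart if only one is edited later. If the template engine evaluates Lua expressions inside `{* *}` (the surrounding `{* ssl.ssl_protocols *}` suggests it does), both could collapse to a single line, `ssl_session_tickets {* ssl.ssl_session_tickets and "on" or "off" *};`, which preserves the current behaviour, including emitting `off` when the key is absent or nil. That fail-safe default is the security-relevant property of this change and deserves a one-line template comment so nobody "simplifies" it into an unconditional `on`.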
@@ -330,6 +335,11 @@ http {
ssl_protocols {* ssl.ssl_protocols *};
ssl_ciphers {* ssl.ssl_ciphers *};
ssl_prefer_server_ciphers on;
+ {% if ssl.ssl_session_tickets then %}
+ ssl_session_tickets on;
+ {% else %}
+ ssl_session_tickets off;
+ {% end %}
{% if with_module_status then %}
location = /apisix/nginx_status {
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index ac5950d..b5e58a6 100644
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -109,6 +109,8 @@ apisix:
# with external services (e.g. etcd)
ssl_protocols: "TLSv1.2 TLSv1.3"
ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+ ssl_session_tickets: false # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
+ # ref: https://github.com/mozilla/server-side-tls/issues/135
key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd.
# If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC
# !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !!
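Review bot: The inline comment on the new `ssl_session_tickets: false` line overstates the mechanism: as far as I know, tickets only defeat forward secrecy because the server-side ticket key (random per nginx start unless configured) can decrypt every session it issued, so the risk is a long-lived or compromised key rather than the feature itself. A wording such as `# keep false: session tickets are encrypted with a long-lived server key; if that key leaks, recorded sessions can be decrypted, defeating forward secrecy` states the actual threat and helps an operator decide when enabling it is acceptable. The comment is also one very long line next to a second `# ref:` line; splitting it to match the two-line style of the `key_encrypt_salt` comment below would keep the file consistent.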