You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by GitBox <gi...@apache.org> on 2022/03/16 16:41:36 UTC

[GitHub] [trafficserver] duke8253 opened a new issue #8734: STEK not correctly decrypting sessions

duke8253 opened a new issue #8734:
URL: https://github.com/apache/trafficserver/issues/8734


   When developing a new plugin for sharing STEK (Session Ticket Encryption Key) on a colo, I discovered that some of the boxes on the colo I was testing cannot be synced up. Upon further investigation, the problem exists even with manually setting a key file (https://docs.trafficserver.apache.org/admin-guide/files/records.config.en.html#proxy-config-ssl-server-ticket-key-filename), and uploading it to all the servers. This issue is also present with Apple, and @masaori335 was doing testing on their side. However, this issue disappeared over the past weekend for no apparent reason. 
   
   Below is the description of the problem, please add comments if I missed anything @bneradt @bryancall @masaori335:
   - When STEK is shared among servers, the normal behavior is these servers can reuse TLS sessions from each other, e.g. server X can resume sessions created on server Y, X and Y being any of the servers in that colo.
   - The problem we're seeing now is, even though STEK is being shared correctly among all servers in the same colo, sometimes there will be a small group of servers that cannot resume session created on others.
   - The group of servers that cannot resume session from other servers, can share session within the group (always the case), essentially splitting the colo into two groups of servers that can resume session within their own group, but not across.
   - Of the two groups formed, the larger group usually contains 75% or more servers of that colo.
   - It's always two groups of servers if this problem is present.
   - It's always the same servers in the same group on the same colo, but it can be different servers on different colos, and the servers persists after ATS restart. E.g. on colo 1, it's always the servers A, C, F, M that forms a group; while on colo 2,  it's always the servers B, F, S that forms a group.
   - All related OpenSSL API calls for session encrypt/decrypt return success with the same values across all servers,  `HMAC_Init_ex`, `EVP_EncryptInit_ex`, `EVP_DecryptInit_ex`, `RAND_bytes`.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@trafficserver.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org