Posted to issues@trafficserver.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/08/26 18:22:23 UTC
[jira] [Work logged] (TS-4263) Session tickets keys in ssl_multicert.config do not work with SNI discovered hosts
[ https://issues.apache.org/jira/browse/TS-4263?focusedWorklogId=27254&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-27254 ]
ASF GitHub Bot logged work on TS-4263:
--------------------------------------
Author: ASF GitHub Bot
Created on: 26/Aug/16 18:21
Start Date: 26/Aug/16 18:21
Worklog Time Spent: 10m
Work Description: GitHub user persiaAziz opened a pull request:
https://github.com/apache/trafficserver/pull/932
TS-4263: Global key block configurable via Records.config
Global key block configurable via Records.config
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/persiaAziz/trafficserver TS-4263
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/trafficserver/pull/932.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #932
----
commit 37191468a2d49c489919a883580cbace16ea61ec
Author: Persia Aziz <pe...@yahoo-inc.com>
Date: 2016-08-26T18:15:12Z
TS-4263: Global key block configurable via Records.config
----
Issue Time Tracking
-------------------
Worklog Id: (was: 27254)
Time Spent: 10m
Remaining Estimate: 0h
> Session tickets keys in ssl_multicert.config do not work with SNI discovered hosts
> ----------------------------------------------------------------------------------
>
> Key: TS-4263
> URL: https://issues.apache.org/jira/browse/TS-4263
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, SSL
> Reporter: Leif Hedstrom
> Assignee: Syeda Persia Aziz
> Labels: A
> Fix For: 7.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> If you have an ssl_multicert.config without dest_ip= rules, i.e. requiring SNI negotiation to get a TLS session, then you cannot configure the session ticket keys block at all. Meaning, there's no way to share the keys across more than one machine.
> I went down a bit of a rathole trying to fix this, but it's somewhat ugly. At the point of resuming a session, the SSL callback provides the 16-byte key name, but the SNI name is seemingly not available at this point.
> A possible solution is to change the lookups to always be on the 16-byte key name, and keep a separate lookup table for the key blocks. This is in itself a little ugly, because the ownership around SSLCertContext is a little murky. But it seems the cleanest, and definitely seemed to have been the intent of OpenSSL's callback signature.
> Another option, which could not be done in the 6.x release cycle, is to remove the ticket_key_name= option from ssl_multicert.config entirely, and only have a single, global key block configured via records.config.
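As an added example (not Traffic Server's or OpenSSL's code), here is a small Python model of the first option described in the issue: one lookup table keyed on the 16-byte ticket key name, so the resumption path, which has no SNI name, can still find the owning key block and apply OpenSSL's 0/1/2 callback return semantics. Class and method names are hypothetical, and any key material passed in is constructed.

```python
# Added example (not Apache Traffic Server or OpenSSL code): a ticket-key store
# indexed by the 16-byte key name, so resumption never needs the SNI name.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KEY_NAME_LEN = 16  # OpenSSL's ticket key name is 16 bytes and travels in the clear

@dataclass(frozen=True)
class TicketKey:
    name: bytes      # 16-byte key name embedded in every issued ticket
    aes_key: bytes   # ticket encryption key (constructed in callers, not real)
    hmac_key: bytes  # ticket MAC key

class TicketKeyTable:
    """Key name -> (block id, key). Blocks mirror per-certificate key blocks
    from ssl_multicert.config or one global block from records.config."""

    def __init__(self) -> None:
        self._by_name: Dict[bytes, Tuple[str, TicketKey]] = {}
        self._blocks: Dict[str, List[TicketKey]] = {}  # newest key first

    def add_block(self, block_id: str, keys: List[TicketKey]) -> None:
        if not keys:
            raise ValueError("empty key block")
        for k in keys:
            if len(k.name) != KEY_NAME_LEN:
                raise ValueError("key name must be %d bytes" % KEY_NAME_LEN)
            owner = self._by_name.get(k.name)
            if owner is not None and owner[0] != block_id:
                raise ValueError("key name already used by block %s" % owner[0])
        for old in self._blocks.get(block_id, []):  # rotation: drop retired names
            self._by_name.pop(old.name, None)
        self._blocks[block_id] = list(keys)
        for k in keys:
            self._by_name[k.name] = (block_id, k)

    def key_for_new_ticket(self, block_id: str) -> TicketKey:
        # enc=1 path: SNI is known, so the block is chosen per host (or global).
        return self._blocks[block_id][0]

    def key_for_resumption(self, name: bytes) -> Tuple[Optional[TicketKey], int]:
        # enc=0 path: only the ticket's key name is available, no SNI. Status
        # follows OpenSSL's callback return values: 0 = unknown name (full
        # handshake), 1 = resume, 2 = resume but reissue under the newest key.
        entry = self._by_name.get(name)
        if entry is None:
            return None, 0
        block_id, key = entry
        return key, (1 if self._blocks[block_id][0] is key else 2)
```

Because every machine sharing the same key block resolves the same 16-byte name to the same key, the table also gives the cross-machine resumption the issue asks for, whether the block is per-host or global.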
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)