Repository: trafficserver Updated Branches: refs/heads/master 4089b3952 -> 86bda3532
TS-3309: document TLS session ticket rotation Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/86bda353 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/86bda353 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/86bda353 Branch: refs/heads/master Commit: 86bda3532dc72389f9e88d58af07309cf0d92411 Parents: 4089b39 Author: Bin Zeng <[email protected]> Authored: Wed Jan 21 09:16:27 2015 -0800 Committer: James Peach <[email protected]> Committed: Wed Jan 21 09:17:34 2015 -0800 ---------------------------------------------------------------------- CHANGES | 3 +++ doc/admin/security-options.en.rst | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/86bda353/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index a074681..70c038b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 5.3.0 + *) [TS-3309] Document TLS session ticket rotation. + Author: Bin Zeng <[email protected]> + *) [TS-3307] TSVConnFdCreate does not allow non-socket file descriptors. *) [TS-2421] MultiCache could theoretically create world-writeable http://git-wip-us.apache.org/repos/asf/trafficserver/blob/86bda353/doc/admin/security-options.en.rst ---------------------------------------------------------------------- diff --git a/doc/admin/security-options.en.rst b/doc/admin/security-options.en.rst index 9fc612a..a2afccb 100644 --- a/doc/admin/security-options.en.rst +++ b/doc/admin/security-options.en.rst 
@@ -25,7 +25,7 @@ Security Options Controlling Client Access to the Proxy Cache ============================================ -Traffic Server can be confgiured to allow only certain clients to use +Traffic Server can be configured to allow only certain clients to use the proxy cache. #. Add a line to :file:`ip_allow.config` for each IP address or @@ -260,3 +260,18 @@ and origin server connections, you must do the following: local node or :option:`traffic_line -M` to restart Traffic Server on all the nodes in a cluster. +Rotating TLS Session Ticket Keys +============================================ + +TLS sessions can be resumed through session tickets which are encrypted with +a session ticket key and stored on clients. For better security, the ticket keys +can be rotated periodically, say, every 24 hours. The ticket keys are stored in +a ticket key file as a reverse queue in 48-byte chunks. + +#. Generate a new ticket key and push it to the beginning of the ticket key file. + +#. *Optional*: Delete the last ticket key from the ticket key file. + +#. Touch :file:`ssl_multicert.config` to indicate that the SSL configuration is stale. + +#. Run the command :option:`traffic_line -x` to apply the new ticket key.
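Review bot: in the second `security-options.en.rst` hunk, the new "Rotating TLS Session Ticket Keys" section describes the ticket key file layout (48-byte chunks, newest key first) and the rotation steps, but never says where that file lives or which configuration setting points Traffic Server at it, so a reader cannot actually perform step 1; please name the file location or the setting that references it. Step 2 ("*Optional*: Delete the last ticket key") also needs a caveat: a client holding a ticket encrypted under a deleted key can no longer resume and falls back to a full handshake, so the previous key should be kept for at least one rotation period (the "every 24 hours" in the intro) before it is dropped. Minor style point: the heading underline `============================================` is longer than the title; the other headings in this file (e.g. "Controlling Client Access to the Proxy Cache") use an underline of matching length, so shorten it to `================================`.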
