[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13838766#comment-13838766 ]

Wei Sun commented on TS-1146:
-----------------------------

Thanks for your feedback, I made a little bit of change, please take a look at the updated patch.
I've no idea about a standard format, some are using xml, others use plain text files. Yes, it stores the secret. I added a few comments around the code, a brief description can be found on cwiki (Projects/SSL/SSLSessionTicket). Storing the secret in a file is not secure for some situations, but at least the permission is under control, from this point of view, I think it might be better than inlining them into ssl_multicert.config, your thoughts?

The tools I used are https://github.com/vincentbernat/rfc5077/blob/master/rfc5077-client.c, ssldump, etc. Below are some (minimal) steps I used to verify in my test env:
1) Disable keep_alive_enabled_in;
2) Enable session ticket, use rfc5077-client or ssldump to observe the result, restarting ats should also reuse the ticket;
3) Change one byte of keyname or encrypting key or signing secret, ats will create a new ticket;
4) Disable session ticket, session won't be reused any more, each request will trigger a full handshake.
I think openssl enables session ticket by default, the difference is restarting ats or crossing multiple servers, the session cannot be retrieved.
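The three values in step 3 (key name, encrypting key, signing secret) gate ticket acceptance in different ways. The following Go model of a ticket key callback is an added illustration, not code from the patch or from ATS: the names TicketKey, Seal and Open are assumptions, and AES-128-CTR plus HMAC-SHA256 stands in for whatever cipher and MAC the patch actually uses. It shows why a ticket survives a restart or a second node that loads the same key file, while a one-byte change to the name, the HMAC secret or the AES key ends in a reject and hence a fresh ticket.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// TicketKey: the 16-byte key name (sent in the clear), the AES key, the HMAC secret.
type TicketKey struct {
	Name, AESKey, HMACKey [16]byte
}

func tagOf(k TicketKey, body []byte) []byte {
	mac := hmac.New(sha256.New, k.HMACKey[:])
	mac.Write(body)
	return mac.Sum(nil)
}

// Seal builds name || iv || AES-128-CTR(state) || HMAC-SHA256(name||iv||ct).
func Seal(k TicketKey, state []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)                          // crypto/rand; a fresh IV per ticket
	block, _ := aes.NewCipher(k.AESKey[:]) // 16-byte key, so this cannot fail
	ct := make([]byte, len(state))
	cipher.NewCTR(block, iv).XORKeyStream(ct, state)
	body := append(append(append([]byte{}, k.Name[:]...), iv...), ct...)
	return append(body, tagOf(k, body)...)
}

// Open recovers the state; any error is the "reject" outcome (full handshake, new ticket).
func Open(keys []TicketKey, ticket []byte) ([]byte, error) {
	if len(ticket) < 2*aes.BlockSize+sha256.Size { return nil, errors.New("ticket too short") }
	body, tag := ticket[:len(ticket)-sha256.Size], ticket[len(ticket)-sha256.Size:]
	for _, k := range keys {
		if string(k.Name[:]) == string(body[:16]) { // key chosen by its cleartext name
			if !hmac.Equal(tagOf(k, body), tag) {
				return nil, errors.New("bad ticket MAC") // signing secret differs
			}
			block, _ := aes.NewCipher(k.AESKey[:])
			state := make([]byte, len(body)-2*aes.BlockSize)
			cipher.NewCTR(block, body[16:32]).XORKeyStream(state, body[32:])
			return state, nil // a wrong AES key yields garbage here, which the server cannot parse
		}
	}
	return nil, errors.New("unknown key name") // name changed or rotated out
}
```

A changed AES key is the one case that passes the MAC check and is rejected only when the decrypted state fails to parse, which is why the cluster must share all three values, not just the name and the HMAC secret.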

> RFC 5077 TLS Session tickets
> ----------------------------
>
>                 Key: TS-1146
>                 URL: https://issues.apache.org/jira/browse/TS-1146
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: James Peach
>            Assignee: James Peach
>              Labels: A
>             Fix For: 5.0.0
>
>         Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, 
> session_ticket.patch
>
>
> For supporting RFC 5077 TLS Session tickets across an ATS cluster, all the 
> machines need to have the same server ticket.
> See https://github.com/apache/httpd rev 
> 967d943b93498233f0ec81a5b48706fdb6892dfd



--
This message was sent by Atlassian JIRA
(v6.1#6144)