[ 
https://issues.apache.org/jira/browse/TS-4263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15216820#comment-15216820
 ] 

Leif Hedstrom commented on TS-4263:
-----------------------------------

I'd love to hear some comments from [~shinrich] on this, since she knows this 
code best. One thing that I find very confusing is the lack of ownership of 
objects, and how SSLCertContext is created over and over again while looping 
over e.g. SNI names and IPs.

Fwiw, we worked around this problem by adding a rule with dest_ip=*, which is 
not quite what we want, but it was the easiest way to make the session tickets 
work (at all).

> Session tickets keys in ssl_multicert.config do not work with SNI discovered 
> hosts
> ----------------------------------------------------------------------------------
>
>                 Key: TS-4263
>                 URL: https://issues.apache.org/jira/browse/TS-4263
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration, SSL
>            Reporter: Leif Hedstrom
>              Labels: A
>             Fix For: 6.2.0
>
>
> If you have an ssl_multicert.config without dest_ip= rules, i.e. requiring SNI 
> negotiation to get a TLS session, then you cannot configure the session 
> ticket keys block, at all. Meaning, there's no way to share the keys across 
> more than one machine.
> I went down a bit of a rathole trying to fix this, but it's somewhat ugly. At 
> the point of resuming a session, the SSL callback provides the 16-byte 
> key-name, but the SNI name is seemingly not available at this point.
> A possible solution is to change the lookups to always be on the 16-byte 
> key-name, and keep a separate lookup table for the key blocks. This is in 
> itself a little ugly, because the ownership around SSLCertContext is a 
> little murky. But it seems the cleanest, and definitely seemed to have been 
> the intent from OpenSSL's callback signature.
> Another option, which could not be done in the 6.x release cycle, is to 
> remove the ticket_key_name= option from ssl_multicert.config entirely, and 
> only have a single, global key block configured via records.config.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)