Github user zwoop commented on a diff in the pull request:
https://github.com/apache/trafficserver/pull/942#discussion_r76879380
--- Diff: iocore/net/SSLUtils.cc ---
@@ -2018,11 +2047,17 @@ SSLParseCertificateConfiguration(const
SSLConfigParams *params, SSLCertLookup *l
char *tok_state = NULL;
char *line = NULL;
ats_scoped_str file_buf;
+ ats_scoped_str ticket_key_filename;
unsigned line_num = 0;
matcher_line line_info;
const matcher_tags sslCertTags = {NULL, NULL, NULL, NULL, NULL, NULL,
false};
+ // load the global ticket key for later use
+ REC_ReadConfigStringAlloc(ticket_key_filename,
"proxy.config.ssl.server.ticket_key.filename");
+ ats_scoped_str
ticket_key_path(Layout::relative_to(params->serverCertPathOnly,
ticket_key_filename));
+ global_default_keyblock = ssl_create_ticket_keyblock(ticket_key_path);
// this function just returns a keyblock
--- End diff --
Question: What happens if the ticket file is empty? You create an empty key
block, and then try to look up in that and fail (hopefully) gracefully?
That does seem reasonable, but I wonder if the logic should be to do the
old default, and look for the dest_ip=*'s keychain at that point? At a minimum,
we'd want to document in the release notes that going forward with 7.0.0,
someone (like us) using the dest_ip=* as a default now must move that to the
global configuration.
Alternatively, maybe we should have a warning that if someone has enabled
session tickets, but not providing a key block for either all lines in
ssl_multicert.config *or* at least one global one in tickets.config? That seems
a little complicated to deal with though, so maybe that's a future RFE.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
