[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14071797#comment-14071797 ]

ASF GitHub Bot commented on TS-1146:

Github user asfgit closed the pull request at: https://github.com/apache/trafficserver/pull/96

RFC 5077 TLS Session tickets

Key: TS-1146
URL: https://issues.apache.org/jira/browse/TS-1146
Project: Traffic Server
Issue Type: New Feature
Components: SSL
Reporter: James Peach
Assignee: James Peach
Labels: A
Fix For: 4.2.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch

For supporting RFC 5077 TLS Session tickets across an ATS cluster, all the machines need to have the same server ticket. See https://github.com/apache/httpd rev 967d943b93498233f0ec81a5b48706fdb6892dfd

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14065169#comment-14065169 ]

ASF subversion and git services commented on TS-1146:

Commit 23406cedff31a3bfeb588fd04b581e7a4e5a578c in trafficserver's branch refs/heads/master from [~SaveTheRbtz]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=23406ce ]

TS-1146: consistent formatting for log messages

Issue Type: New Feature
Fix For: 4.2.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14065167#comment-14065167 ]

ASF subversion and git services commented on TS-1146:

Commit a65742cd81de5f21ed65d7bc8d7ece2046c5ff6d in trafficserver's branch refs/heads/master from [~SaveTheRbtz]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=a65742c ]

TS-1146: added counters to TLS ticket callback

Issue Type: New Feature
Fix For: 4.2.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14065168#comment-14065168 ]

ASF subversion and git services commented on TS-1146:

Commit e6e0089b55f041b3b051e8309f14974bb997944e in trafficserver's branch refs/heads/master from [~SaveTheRbtz]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=e6e0089 ]

TS-1146: change severity of non-matched key to debug

Key rotation is a very frequent operation. There is no need to spam the log with errors.

Issue Type: New Feature
Fix For: 4.2.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch
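Added example, not part of the original thread and not Traffic Server code: a sketch of the key-name lookup that the two commit messages above (per-outcome counters, and a non-matching key treated as routine after rotation) revolve around. The struct names, the counters and the sample key names are hypothetical; the 0/1/2 return values follow the decrypt-path convention of OpenSSL's ticket key callback.

```c
#include <stdio.h>
#include <string.h>

#define KEY_NAME_LEN 16 /* RFC 5077 recommended ticket format: 16-byte key_name */

/* Return values follow the decrypt path of OpenSSL's ticket key callback. */
enum { TICKET_MISS = 0, TICKET_OK = 1, TICKET_OK_RENEW = 2 };

/* Hypothetical record; a real one also holds the AES and HMAC secrets. */
struct ticket_key { unsigned char name[KEY_NAME_LEN]; };

/* Hypothetical per-outcome counters. */
struct ticket_stats { unsigned long hit_current, hit_old, miss; };

/* keys[0] is the current key; later entries are retired keys still accepted. */
int select_ticket_key(const struct ticket_key *keys, size_t nkeys,
                      const unsigned char *name, struct ticket_stats *stats)
{
  for (size_t i = 0; i < nkeys; i++) {
    /* key_name travels in the clear, so a plain memcmp is fine here. */
    if (memcmp(keys[i].name, name, KEY_NAME_LEN) == 0) {
      if (i == 0) { stats->hit_current++; return TICKET_OK; }
      stats->hit_old++;
      return TICKET_OK_RENEW; /* resume, then reissue under keys[0] */
    }
  }
  stats->miss++; /* routine after rotation: full handshake, not an error */
  return TICKET_MISS;
}

/* Constructed sample key names (zero-padded to 16 bytes). */
static const struct ticket_key sample_keys[2] = {
  { .name = "example-key-new" },
  { .name = "example-key-old" },
};
static struct ticket_stats demo_stats;

/* Classify a ticket by the key name it carries, updating demo_stats. */
int classify(const char *label)
{
  unsigned char name[KEY_NAME_LEN] = {0};
  size_t n = strlen(label);
  memcpy(name, label, n < KEY_NAME_LEN ? n : KEY_NAME_LEN);
  return select_ticket_key(sample_keys, 2, name, &demo_stats);
}

int main(void)
{
  const char *seen[] = { "example-key-new", "example-key-old", "example-key-gone" };
  for (size_t i = 0; i < 3; i++)
    printf("%-17s -> %d\n", seen[i], classify(seen[i]));
  printf("current=%lu old=%lu miss=%lu\n", demo_stats.hit_current,
         demo_stats.hit_old, demo_stats.miss);
  return 0;
}
```

A rising miss counter right after a rotation is expected; a miss rate that stays high across a cluster suggests the nodes are not loading the same key file.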
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13848737#comment-13848737 ]

Bryan Call commented on TS-1146:

Is everything done on this ticket? Can it be closed?

Issue Type: Improvement
Fix For: 4.2.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13841450#comment-13841450 ]

James Peach commented on TS-1146:

Hmm, I think we need to call {{SSL_CTX_set_tlsext_ticket_key_cb}} before {{SSL_CTX_set_ex_data}}, then there could never be a stale pointer on the {{SSL_CTX}}.

Issue Type: Improvement
Fix For: 5.0.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13841505#comment-13841505 ]

ASF subversion and git services commented on TS-1146:

Commit 8dbf06bf30f618aac4c1fc5c87afe7aa38569d33 in branch refs/heads/master from [~sunwei]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=8dbf06b ]

TS-1146: RFC 5077 TLS session tickets

For supporting RFC 5077 TLS Session tickets across an ATS cluster, all the machines need to have the same server ticket. Add ssl_multicert.config support for specifying a common session ticket key.

Issue Type: Improvement
Fix For: 5.0.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13841638#comment-13841638 ]

Leif Hedstrom commented on TS-1146:

Reopened to fix the indentation as per https://cwiki.apache.org/confluence/display/TS/Coding+Style

Issue Type: Improvement
Fix For: 4.2.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13841819#comment-13841819 ]

ASF subversion and git services commented on TS-1146:

Commit 0850f4c3a833a76779be65b769fc0e239e6fc93f in branch refs/heads/master from [~jpe...@apache.org]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=0850f4c ]

TS-1146: consistently apply 2char indentation

Issue Type: Improvement
Fix For: 4.2.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13841885#comment-13841885 ]

ASF subversion and git services commented on TS-1146:

Commit 358e92603dd0527122d3142f0a74a9d7280e595f in branch refs/heads/master from [~jpe...@apache.org]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=358e926 ]

TS-1146: additional autoconf tests to support older OpenSSL

Issue Type: Improvement
Fix For: 4.2.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13841925#comment-13841925 ]

ASF subversion and git services commented on TS-1146:

Commit a10b8090fcb1dc8fa745df9b12d15596ec76cc4d in branch refs/heads/master from [~jpe...@apache.org]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=a10b809 ]

TS-1146: fix the CentOS5 build

Issue Type: Improvement
Fix For: 4.2.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13839958#comment-13839958 ]

Wei Sun commented on TS-1146:

Per my understanding, some legacy systems already have a dedicated session cache cluster for session resumption. When they upgrade to the latest OpenSSL, session tickets are supported by default; the 'sess_ticket_enabled' option provides flexibility for them to disable session tickets and continue using their session cache service. If the application doesn't explicitly specify this option, the behavior is backward compatible.

I updated the patch in the attachment. Changes include: 'sess_key_filename' -> 'ticket_key_name'; release the context-associated data when ctx's reference is 0; add a little bit of parameter description in ssl_multicert.config.en.rst. Please help review.

Issue Type: Improvement
Fix For: 5.0.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13841057#comment-13841057 ]

Wei Sun commented on TS-1146:

Looks good to me. Thanks. Only one comment as below:

    fail:
      delete ticket_key;
      ticket_key = NULL; // SSLReleaseContext() always deletes ticket_key when releasing ctx.

Issue Type: Improvement
Fix For: 5.0.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch, session_ticket_review.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13839466#comment-13839466 ]

James Peach commented on TS-1146:

OK, I looked more at what http does with session tickets. I agree that it makes sense to keep the session ticket key in a separate file.

I don't think that the {{sess_ticket_enabled}} parameter is necessary. The presence or absence of a ticket key should be enough to determine whether to use session tickets. I thought about whether we should always enable session tickets with random data and decided against it since the behavior you have here matches httpd.

I think that {{ticket_key_name}} might be a better name for the parameter than {{sess_key_filename}} since it is slightly more consistent with the existing parameter names.

I see that you attach the ticket key to the SSL context, but I'm not clear on how this data is released. Can you point that out to me?

Finally, if you could make a start at documenting this in {{doc/reference/configuration/ssl_multicert.config.en.rst}}, that would be very helpful. I'd be happy to help polish any text you can contribute.

Issue Type: Improvement
Fix For: 5.0.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13837197#comment-13837197 ]

James Peach commented on TS-1146:

Nice work [~sunwei]! A few comments:

- patch does not apply to master due to changes in {{iocore/net/SSLUtils.cc}}
- there's a bit of unnecessary whitespace added ({{git diff}} should show you where it is)
- I don't see the need for {{proxy.config.ssl.server.sessionticket.enabled}} since this needs to be enabled by the administrator in {{ssl_multicert.config}}
- as currently constructed this patch does not require {{ssl_callback_session_ticket}} to be global, so it should be static
- is the {{ssl_ticket_key_t}} file format a standard format? Are the values secret? Does it make sense to inline them into {{ssl_multicert.config}}?

I'll probably have some more comments once the patch applies to master. I'd also like to see some documentation around this of course :)

Do you have any ideas about how we could do automated regression tests for this?

Issue Type: Improvement
Fix For: 5.0.0
Attachments: SSL_CTX_set_tlsext_ticket_key_cb.txt, session_ticket.patch
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13458415#comment-13458415 ]

James Peach commented on TS-1146:

also http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html

Issue Type: Improvement
Fix For: 3.3.1
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13232150#comment-13232150 ]

Leif Hedstrom commented on TS-1146:

https://github.com/apache/httpd/commit/967d943b93498233f0ec81a5b48706fdb6892dfd

Issue Type: Improvement
[jira] [Commented] (TS-1146) RFC 5077 TLS Session tickets
[ https://issues.apache.org/jira/browse/TS-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13232154#comment-13232154 ]

James Peach commented on TS-1146:

Also: https://github.com/apache/httpd/commit/414911a5da0910b23aa00872874cf64b6b8a7b6b

Issue Type: Improvement