On Fri, Sep 30, 2011 at 12:38 AM, Rainer Jung <rainer.j...@kippdata.de> wrote: > Hi Paul, > > On 30.09.2011 08:08, Paul Querna wrote: >> Hiya, >> >> Attached is a patch >> <http://people.apache.org/~pquerna/tls_session_ticket_support.patch> >> to add support for setting SSL_CTX_set_tlsext_ticket_keys. > > Unfortunately I don't have answers to your questions, but I'm a bit > curious about the patch. As far as I understand we already support RFC > 5077 (even with 2.2.x). So am I right, that the patch is about improving > key handling? > > The Changelog for OpenSSL 0.9.8f says: > > *) Add RFC4507 support to OpenSSL. This includes the corrections in > RFC4507bis. The encrypted ticket format is an encrypted encoded > SSL_SESSION structure, that way new session features are automatically > supported. > > ... > > The SSL_CTX structure automatically generates keys for ticket > protection in servers so again support should be possible > with no application modification. > > So do we actually need to worry about the keys?
If you don't set anything, OpenSSL randomly generates a key per-SSL_CTX. This is useful in a single server environment, as it generally "just works", and should be less load than using the normal ssl session cache. The reason you would want to set the keys is so that you can have multiple Apache instances terminating SSL. If they all use the same certificate and ticket key, then you can essentially share SSL Sessions between nodes without using a cache like memcached, by relying upon the client to share state with the other SSL terminator. > Then for 0.9.8g there is the following change: > > *) Add TLS session ticket callback. This allows an application to set > TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed > values. This is useful for key rollover for example where several key > sets may exist with different names. This actually more fully exposes the feature. Built into RFC 5077 is the ability to have multiple key names. So, you could have multiple private AES keys active at once, all with different names. The patch as written does not support this use case. I thought about making a apr_table_t for this purpose, but it looked far more complicated. The callback is given an HMAC and EVP Digest objects and is responsible for initializing them based on the server key. I'm open to doing it if people are interested in this feature, but for a v0 it seemed like supporting setting the keys at all was a good start, over building a fairly complicated callback/table of keys. > There was some discussion about improving session ticket support in 2009: > > http://www.mail-archive.com/dev@httpd.apache.org/msg46095.html > > The thread contains some interesting remark by Stephen concerning the > keys. The proposed code IMHO was never applied (nor was there consensus). > > Finally there is a Bugzilla about session tickets not respecting the > defined session timeout: > > https://issues.apache.org/bugzilla/show_bug.cgi?id=50869 > AFAIK there is no way of 'fixing' this without digging into the internals of OpenSSL, they don't expose an API for controlling the timeout settings for the Session tickets. You can set SSL_CTX_set_timeout, which effects both session tickets normal sessions.
