Hi all,

> On Fri, Feb 27, 2015 at 07:56:48PM +0100, Nenad Merdanovic wrote:
>> This patchset adds support to configure TLS ticket keys used for
>> encryption and decryption of TLS tickets.
>> 
>> This is the 2nd version of the patchset that has been updated based on 
>> suggestions from Willy Tarreau, Emeric Brun, Lukas Tribus and Remi Gacogne.

This is a great addition. I do have one question however. Are there also plans 
to allow for rotating these tickets through the admin socket interface? In 
order to get a system that’s actually properly forward secure, it’s needed to 
rotate the session tickets from time to time so that forward secrecy is 
actually preserved.

Twitter actually posted a nice article about how they achieved this: 
https://blog.twitter.com/2013/forward-secrecy-at-twitter.

In general the approach would be something like the following:

- Generate a new ticket every twelve hours. This then gets updated through the 
admin socket.
- Keep the last X older tickets so connections coming from clients with an 
older ticket also can still be decrypted. This can be for example the last 3, 
so it’s possible to decrypt over the last 36 hours.
- All tickets get encrypted with the new key, even the ones that came in with 
an older ticket.

One thing here that is tricky though is the actual rotation of the tickets. I 
think this should be separate from the installation to prevent race conditions. 
So ideally something like the following:

- Generate a new ticket and install it on all the load balancers
- After this step rotate the tickets on the load balancers.

This allows for transparent handling of it. If installation and rotation happen 
in one step, it means that server that isn’t rotated yet might get the new 
connection with a new ticket not installed on that second load balancer. This 
means the session reuse doesn’t work properly for this new session ticket until 
it’s installed everywhere.

Installing it first everywhere prevents the problem since until the ticket is 
rotated, the new ticket isn’t used yet for connections. This means it can be 
used for decryption but not yet for encryption. This would then only start to 
happen when it’s actually rotated.

Hope this all makes sense. If this is something already planned / discussed, 
apologies for the noise!

Cheers,

Dirkjan Bussink
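The install-then-rotate scheme described in the mail above, as an added example that is not part of the thread, the patchset or HAProxy: each load balancer keeps a ring of the last three ticket keys (all usable for decryption), the issuing key only advances on rotate, and a ticket presented under an older key is re-issued under the current one. The 16-byte key name / 32-byte secret layout and the HMAC-SHA256 ticket cipher are my own assumptions, standing in for the real AES-based ticket format.

```python
import hmac, hashlib, secrets
from collections import OrderedDict

class TicketKeyRing:
    """Ticket keys on one load balancer: last N keys (all decrypt-capable) plus the
    single key used to issue new tickets. Assumed layout, not HAProxy's."""
    def __init__(self, max_keys=3):
        self.max_keys = max_keys
        self.keys = OrderedDict()   # 16-byte key name -> 32-byte secret, oldest first
        self.issue_name = None      # key used for encryption; None until first rotate()

    def install(self, name, secret):
        """Step 1: make a new key available for decryption only; issuing key unchanged."""
        self.keys[name] = secret
        for old in list(self.keys):  # age out the oldest keys, but never the issuing key
            if len(self.keys) <= self.max_keys:
                break
            if old != self.issue_name:
                del self.keys[old]

    def rotate(self):
        """Step 2: start issuing tickets under the most recently installed key."""
        self.issue_name = next(reversed(self.keys))

    @staticmethod
    def _xor_stream(secret, nonce, data):
        # Demo stand-in for the ticket cipher: HMAC-SHA256 counter keystream XORed over data.
        ks = b"".join(hmac.new(secret, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))

    def seal(self, state):
        """Issue a ticket: name || nonce || ciphertext || tag (encrypt-then-MAC)."""
        name, secret, nonce = self.issue_name, self.keys[self.issue_name], secrets.token_bytes(16)
        ct = self._xor_stream(secret, nonce, state)
        return name + nonce + ct + hmac.new(secret, name + nonce + ct, hashlib.sha256).digest()

    def open(self, ticket):
        """Resume from a ticket -> (state, reissued). reissued is a fresh ticket under the
        issuing key when the client's key is older; (None, None) = full handshake needed."""
        name, nonce, ct, tag = ticket[:16], ticket[16:32], ticket[32:-32], ticket[-32:]
        secret = self.keys.get(name)
        if secret is None:   # key aged out or never installed here
            return None, None
        if not hmac.compare_digest(tag, hmac.new(secret, name + nonce + ct, hashlib.sha256).digest()):
            return None, None
        state = self._xor_stream(secret, nonce, ct)
        names = list(self.keys)
        stale = names.index(name) < names.index(self.issue_name)
        return state, (self.seal(state) if stale else None)
```

With two rings standing in for two load balancers, a ticket issued by the rotated one is still accepted by the one that has only installed the key, which is the race the mail describes.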