Re: TLS Tickets and CPU usage

Fri, 25 Mar 2016 03:35:45 -0700 

Hey Olivier,

Can you try the attached patch? I need to run some more tests, but I
think this should fix it.

Regards,
Nenad

On 3/24/2016 10:05 PM, Olivier Doucet wrote:
> Hi again,
> 
> 
> 2016-03-24 21:15 GMT+01:00 Lukas Tribus <luky...@hotmail.com
> <mailto:luky...@hotmail.com>>:
> 
>     Hi Nenad,
> 
> 
>     >> Well, its not supposed to look like this, there is clearly something
>     >> wrong. Master key fluctuates between the requests with TLS tickets
>     >> and the reuse collumn shows failure.
>     >
>     > Looks like a haproxy bug, I think I can reproduce it.
>     >
>     > Can you try with EXACTLY 3 keys in /tmp/tls_ticket_keys?
> 
> 
> Tried and now behaviour is like expected !
> https://gist.github.com/anonymous/779fbc4f1cf8b23e9b1f
> 
> And, I can confirm that now, CPU is not doubled \o/
> 
> 
> 
>  
> 
>     there seems to be a bug in the handling of the tls-ticket-keys file.
> 
>     When there are 5 or more ticket keys in the file, clients using TLS
>     tickets
>     can no longer resume the TLS session (and fallback to full negotiation):
> 
>     https://gist.github.com/anonymous/6ec7c863f497cfd849a4
> 
> 
>     Workaround would be to remove the oldest key from the file, so
>     that the number of keys in the file remains below 5.
> 
> That's what I did : keep last 2 keys and add a new one.
> 
>  Olivier

From 074792e61070c8fae16cd0b2fae4dfb6e6eeff7a Mon Sep 17 00:00:00 2001
From: Nenad Merdanovic <nmer...@anine.io>
Date: Fri, 25 Mar 2016 11:14:43 +0100
Subject: [PATCH] BUG/MEDIUM: Fix RFC5077 resumption when more than
 TLS_TICKETS_NO are present

Olivier Doucet reported the issue on the ML and tested that when using
more than TLS_TICKETS_NO keys in the file, the CPU usage is much higeher
than expected.

Lukas Tribus then provided a test case which showed that resumption doesn't
work at all in that case.

This fix needs to be backported to 1.6.

Signed-off-by: Nenad Merdanovic <nmer...@anine.io>
---
 src/ssl_sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1017388..767d6e9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5406,7 +5406,7 @@ static int bind_parse_tls_ticket_keys(char **args, int 
cur_arg, struct proxy *px
        fclose(f);
 
        /* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */
-       i-=2;
+       i = (i - 2) % TLS_TICKETS_NO;
        keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i;
        keys_ref->unique_id = -1;
        conf->keys_ref = keys_ref;
-- 
2.7.0

Reply via email to