[ https://issues.apache.org/jira/browse/TS-4263?focusedWorklogId=28787&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-28787 ]
ASF GitHub Bot logged work on TS-4263: -------------------------------------- Author: ASF GitHub Bot Created on: 12/Sep/16 16:19 Start Date: 12/Sep/16 16:19 Worklog Time Spent: 10m Work Description: GitHub user persiaAziz opened a pull request: https://github.com/apache/trafficserver/pull/1008 TS-4263: keyblock variable configurable via records.config Default value proxy.config.ssl.server.ticket_key.filename is set to NULL * If the ticket_key_filename is not set by the user , then a random keyblock will be used * If user sets the ticket_key_filename bu the the filename is not either present or the file contains <48 bytes, then keyblock will be NULL and assertion will fail You can merge this pull request into a Git repository by running: $ git pull https://github.com/persiaAziz/trafficserver TS-4263 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/trafficserver/pull/1008.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #1008 ---- commit 41b48276e5597aebb230657b0f6ee0a93f085c17 Author: Persia Aziz <per...@yahoo-inc.com> Date: 2016-09-12T16:13:55Z TS-4263: keyblock varialbe configurable via records.config ---- Issue Time Tracking ------------------- Worklog Id: (was: 28787) Time Spent: 3.5h (was: 3h 20m) > Session tickets keys in ssl_multicert.config do not work with SNI discovered > hosts > ---------------------------------------------------------------------------------- > > Key: TS-4263 > URL: https://issues.apache.org/jira/browse/TS-4263 > Project: Traffic Server > Issue Type: Bug > Components: Configuration, SSL > Reporter: Leif Hedstrom > Assignee: Syeda Persia Aziz > Labels: A > Fix For: 7.0.0 > > Time Spent: 3.5h > Remaining Estimate: 0h > > If you have a ssl_multicert.config without dest_ip= rules, i.e. requiring SNI > negotiation to get a TLS session, then you can not configure the session > ticket keys block, at all. Meaning, there's no way to share the keys across > more than one machine. > I went down a bit of a rathole trying to fix this, but it's somewhat ugly. At > the point of resuming a session, the SSL call back provides the 16 byte > key-name, but the SNI name is seemingly not available at this point. > A possible solution is to change the lookups to always be on the 16-byte > key-name, and keep a separate lookup table for the key blocks. This is in > itself a little ugly, because the ownerships around SSLCertContext is a > little murky. But it seems the cleanest, and definitely seemed to have been > the intent from OpenSSL's callback signature. > Another option, which could not be done in the 6.x release cycle, is to > remove the ticket_key_name= option from ssl_multicert.config entirely, and > only have a single, global key block configured via records.config. -- This message was sent by Atlassian JIRA (v6.3.4#6332)