[ https://issues.apache.org/jira/browse/TS-4263?focusedWorklogId=28789&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-28789 ]
ASF GitHub Bot logged work on TS-4263:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Sep/16 16:21
            Start Date: 12/Sep/16 16:21
    Worklog Time Spent: 10m
      Work Description:
        Github user jpeach commented on a diff in the pull request:

    https://github.com/apache/trafficserver/pull/1008#discussion_r78404752

    --- Diff: iocore/net/SSLUtils.cc ---
@@ -2055,9 +2055,12 @@ SSLParseCertificateConfiguration(const SSLConfigParams *params, SSLCertLookup *l // load the global ticket key for later use REC_ReadConfigStringAlloc(ticket_key_filename, "proxy.config.ssl.server.ticket_key.filename"); - ats_scoped_str ticket_key_path(Layout::relative_to(params->serverCertPathOnly, ticket_key_filename)); - global_default_keyblock = ssl_create_ticket_keyblock(ticket_key_path); // this function just returns a keyblock - + if(ticket_key_filename!=NULL){ + ats_scoped_str ticket_key_path(Layout::relative_to(params->serverCertPathOnly, ticket_key_filename)); + global_default_keyblock = ssl_create_ticket_keyblock(ticket_key_path); // this function just returns a keyblock + } + else + global_default_keyblock = ssl_create_ticket_keyblock(NULL); // this function just returns a keyblock --- End diff -- Please clang-format. All blocks must be enclosed in ``{`` ``}``. Issue Time Tracking ------------------- Worklog Id: (was: 28789) Time Spent: 3h 40m (was: 3.5h) > Session tickets keys in ssl_multicert.config do not work with SNI discovered > hosts > ---------------------------------------------------------------------------------- > > Key: TS-4263 > URL: https://issues.apache.org/jira/browse/TS-4263 > Project: Traffic Server > Issue Type: Bug > Components: Configuration, SSL > Reporter: Leif Hedstrom > Assignee: Syeda Persia Aziz > Labels: A > Fix For: 7.0.0 > > Time Spent: 3h 40m > Remaining Estimate: 0h > > If you have a ssl_multicert.config without dest_ip= rules, i.e. requiring SNI > negotiation to get a TLS session, then you can not configure the session > ticket keys block, at all. Meaning, there's no way to share the keys across > more than one machine. > I went down a bit of a rathole trying to fix this, but it's somewhat ugly. At > the point of resuming a session, the SSL call back provides the 16 byte > key-name, but the SNI name is seemingly not available at this point. 
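Review bot: The new `else` branch at the end of the hunk is a single unbraced statement while the `if` branch above it is braced, and `if(ticket_key_filename!=NULL){` is not in the file's formatting style; wrap the `else` body in `{ }` and run clang-format as already requested. Because the two branches differ only in the argument passed to `ssl_create_ticket_keyblock`, the duplicated call and the duplicated comment ("this function just returns a keyblock") could be collapsed into one call whose path argument is `NULL` when `proxy.config.ssl.server.ticket_key.filename` is unset. The `NULL` fallback also deserves a comment saying what keyblock the function produces in that case, since the carried-over comment does not, and that is the case the ticket is about (no way to share a key across machines without a configured file).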
> A possible solution is to change the lookups to always be on the 16-byte
> key-name, and keep a separate lookup table for the key blocks. This is in
> itself a little ugly, because the ownership around SSLCertContext is a
> little murky. But it seems the cleanest, and definitely seemed to have been
> the intent from OpenSSL's callback signature.
> Another option, which could not be done in the 6.x release cycle, is to
> remove the ticket_key_name= option from ssl_multicert.config entirely, and
> only have a single, global key block configured via records.config.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)