Re: relayd TLS ticket and session support accross processes
On Thu, Sep 01, 2016 at 11:27:55AM +0200, Claudio Jeker wrote:
> On Tue, Aug 30, 2016 at 03:51:04PM +0200, Claudio Jeker wrote:
> > On Tue, Aug 30, 2016 at 02:44:17PM +0200, Reyk Floeter wrote:
> > > On Tue, Aug 30, 2016 at 01:22:49PM +0200, Claudio Jeker wrote:
> > > > Here is the latest version of the ticket and tls session cache support.
> > > > Tickets can be disabled and also the session timeout is configurable.
> > > > Same code as before with man page diff
> > > >
> > >
> > > Nice work! I'm curious how this impact production, do you have any
> > > experience to share?
> > >
> > > > Will commit this soonish unless somebody complains
> > >
> > > I do complain, but just a bit. nit-picking below.
> > >
>
> After some more talking to people here a new version that drops the
> session cache and only implements session tickets. Everything modern (aka
> the stuff we care about) implements tickets and they are so much easier to
> work with. The system in place now uses a primary key and a backup key and
> will refresh the tickets for everything that was encrypted with the backup
> key. The keys are rotated every 2h so at max a key is valid for 4h.
> We set the tls session timeout also to 2h so that this value is announced
> as TLS session ticket lifetime hint. It is still possible to disable the
> tickets per relay just in case.
>
See comments below, otherwise OK
> --
> :wq Claudio
>
> Index: ca.c
> ===
> RCS file: /cvs/src/usr.sbin/relayd/ca.c,v
> retrieving revision 1.16
> diff -u -p -r1.16 ca.c
> --- ca.c 5 Dec 2015 13:13:11 - 1.16
> +++ ca.c 30 Aug 2016 12:59:36 -
> @@ -23,6 +23,7 @@
> #include
> #include
> #include
> +#include
> #include
>
> #include
> @@ -256,6 +257,7 @@ static int
> rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
> int padding, u_int cmd)
> {
> + struct pollfdpfd[1];
> struct ctl_keyop cko;
> int ret = 0;
> objid_t *id;
> @@ -292,9 +294,21 @@ rsae_send_imsg(int flen, const u_char *f
>* operation in OpenSSL's engine layer.
>*/
> imsg_composev(ibuf, cmd, 0, 0, -1, iov, cnt);
> - imsg_flush(ibuf);
> + if (imsg_flush(ibuf) == -1)
> + log_warn("rsae_send_imsg: imsg_flush");
>
> + pfd[0].fd = ibuf->fd;
> + pfd[0].events = POLLIN;
> while (!done) {
> + switch (poll(pfd, 1, TLS_PRIV_SEND_TIMEOUT)) {
> + case -1:
> + fatal("rsae_send_imsg: poll");
> + case 0:
> + log_warnx("rsae_send_imsg: poll timeout");
> + break;
> + default:
> + break;
> + }
> if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
> fatalx("imsg_read");
> if (n == 0)
> Index: config.c
> ===
> RCS file: /cvs/src/usr.sbin/relayd/config.c,v
> retrieving revision 1.27
> diff -u -p -r1.27 config.c
> --- config.c 7 Dec 2015 04:03:27 - 1.27
> +++ config.c 31 Aug 2016 12:53:03 -
> @@ -94,7 +94,6 @@ config_init(struct relayd *env)
> bzero(&env->sc_proto_default, sizeof(env->sc_proto_default));
> env->sc_proto_default.id = EMPTY_ID;
> env->sc_proto_default.flags = F_USED;
> - env->sc_proto_default.cache = RELAY_CACHESIZE;
> env->sc_proto_default.tcpflags = TCPFLAG_DEFAULT;
> env->sc_proto_default.tcpbacklog = RELAY_BACKLOG;
> env->sc_proto_default.tlsflags = TLSFLAG_DEFAULT;
> Index: parse.y
> ===
> RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
> retrieving revision 1.207
> diff -u -p -r1.207 parse.y
> --- parse.y 21 Jun 2016 21:35:25 - 1.207
> +++ parse.y 1 Sep 2016 08:25:35 -
> @@ -172,13 +172,13 @@ typedef struct {
> %token SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT
> TLS TO
> %token ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL
> RTABLE
> %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE
> PASSWORD ECDH
> -%token EDH CURVE
> +%token EDH CURVE TICKETS
> %token STRING
> %token NUMBER
> %type hostname interface table value optstring
> %type http_type loglevel quick trap
> %type dstmode flag forwardmode retry
> -%type opttls opttlsclient tlscache
> +%type opttls opttlsclient tlstickets
> %type redirect_proto relay_proto match
> %type action ruleaf key_option
> %type tlsdhparams tlsecdhcurve
> @@ -996,7 +996,6 @@ proto : relay_proto PROTO STRING {
> free($3);
> p->id = ++last_proto_id;
>
Re: relayd TLS ticket and session support accross processes
On Tue, Aug 30, 2016 at 03:51:04PM +0200, Claudio Jeker wrote:
> On Tue, Aug 30, 2016 at 02:44:17PM +0200, Reyk Floeter wrote:
> > On Tue, Aug 30, 2016 at 01:22:49PM +0200, Claudio Jeker wrote:
> > > Here is the latest version of the ticket and tls session cache support.
> > > Tickets can be disabled and also the session timeout is configurable.
> > > Same code as before with man page diff
> > >
> >
> > Nice work! I'm curious how this impact production, do you have any
> > experience to share?
> >
> > > Will commit this soonish unless somebody complains
> >
> > I do complain, but just a bit. nit-picking below.
> >
After some more talking to people here a new version that drops the
session cache and only implements session tickets. Everything modern (aka
the stuff we care about) implements tickets and they are so much easier to
work with. The system in place now uses a primary key and a backup key and
will refresh the tickets for everything that was encrypted with the backup
key. The keys are rotated every 2h so at max a key is valid for 4h.
We set the tls session timeout also to 2h so that this value is announced
as TLS session ticket lifetime hint. It is still possible to disable the
tickets per relay just in case.
--
:wq Claudio
Index: ca.c
===
RCS file: /cvs/src/usr.sbin/relayd/ca.c,v
retrieving revision 1.16
diff -u -p -r1.16 ca.c
--- ca.c5 Dec 2015 13:13:11 - 1.16
+++ ca.c30 Aug 2016 12:59:36 -
@@ -23,6 +23,7 @@
#include
#include
#include
+#include
#include
#include
@@ -256,6 +257,7 @@ static int
rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
int padding, u_int cmd)
{
+ struct pollfdpfd[1];
struct ctl_keyop cko;
int ret = 0;
objid_t *id;
@@ -292,9 +294,21 @@ rsae_send_imsg(int flen, const u_char *f
* operation in OpenSSL's engine layer.
*/
imsg_composev(ibuf, cmd, 0, 0, -1, iov, cnt);
- imsg_flush(ibuf);
+ if (imsg_flush(ibuf) == -1)
+ log_warn("rsae_send_imsg: imsg_flush");
+ pfd[0].fd = ibuf->fd;
+ pfd[0].events = POLLIN;
while (!done) {
+ switch (poll(pfd, 1, TLS_PRIV_SEND_TIMEOUT)) {
+ case -1:
+ fatal("rsae_send_imsg: poll");
+ case 0:
+ log_warnx("rsae_send_imsg: poll timeout");
+ break;
+ default:
+ break;
+ }
if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
fatalx("imsg_read");
if (n == 0)
Index: config.c
===
RCS file: /cvs/src/usr.sbin/relayd/config.c,v
retrieving revision 1.27
diff -u -p -r1.27 config.c
--- config.c7 Dec 2015 04:03:27 - 1.27
+++ config.c31 Aug 2016 12:53:03 -
@@ -94,7 +94,6 @@ config_init(struct relayd *env)
bzero(&env->sc_proto_default, sizeof(env->sc_proto_default));
env->sc_proto_default.id = EMPTY_ID;
env->sc_proto_default.flags = F_USED;
- env->sc_proto_default.cache = RELAY_CACHESIZE;
env->sc_proto_default.tcpflags = TCPFLAG_DEFAULT;
env->sc_proto_default.tcpbacklog = RELAY_BACKLOG;
env->sc_proto_default.tlsflags = TLSFLAG_DEFAULT;
Index: parse.y
===
RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.207
diff -u -p -r1.207 parse.y
--- parse.y 21 Jun 2016 21:35:25 - 1.207
+++ parse.y 1 Sep 2016 08:25:35 -
@@ -172,13 +172,13 @@ typedef struct {
%token SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT TLS TO
%token ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE
%token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDH
-%token EDH CURVE
+%token EDH CURVE TICKETS
%token STRING
%token NUMBER
%typehostname interface table value optstring
%typehttp_type loglevel quick trap
%typedstmode flag forwardmode retry
-%typeopttls opttlsclient tlscache
+%typeopttls opttlsclient tlstickets
%typeredirect_proto relay_proto match
%typeaction ruleaf key_option
%typetlsdhparams tlsecdhcurve
@@ -996,7 +996,6 @@ proto : relay_proto PROTO STRING {
free($3);
p->id = ++last_proto_id;
p->type = $1;
- p->cache = RELAY_CACHESIZE;
p->tcpflags = TCPFLAG_DEFAULT;
p->tlsflags = TLSFLAG_DEFAULT;
p->tcpbacklog = RELAY_BACKLOG;
@@ -1091,7 +1090,7 @@ tlsflags_l: tlsflags comma tlsflags_l
| tls
Re: relayd TLS ticket and session support accross processes
Quite Frankly, we're happy to support what's needed in relayd,
But first relayd needs to actually convert to use libtls instead of bare
knuckles shit
Until then we're just making the problem worse.
IMO, we should convert relayd to use libtls - (add what we need to libtls
to support it)
before adding *more* stuff to relayd using bareknuckles OpenSSL shit.. or
we are just making the problem worse.
We should convert it (and deal with whatever needs it has in libtls) before
adding
more functionality to it
-Bob
On Tue, Aug 30, 2016 at 8:11 AM, Reyk Floeter wrote:
> On Tue, Aug 30, 2016 at 03:51:04PM +0200, Claudio Jeker wrote:
> > On Tue, Aug 30, 2016 at 02:44:17PM +0200, Reyk Floeter wrote:
> > > On Tue, Aug 30, 2016 at 01:22:49PM +0200, Claudio Jeker wrote:
> > > > Here is the latest version of the ticket and tls session cache
> support.
> > > > Tickets can be disabled and also the session timeout is configurable.
> > > > Same code as before with man page diff
> > > >
> > >
> > > Nice work! I'm curious how this impact production, do you have any
> > > experience to share?
> > >
> > > > Will commit this soonish unless somebody complains
> > >
> > > I do complain, but just a bit. nit-picking below.
> > >
> > > Reyk
> > >
> > > > --
> > > > :wq Claudio
> > > >
> > > > Index: Makefile
> > > > ===
> > > > RCS file: /cvs/src/usr.sbin/relayd/Makefile,v
> > > > retrieving revision 1.29
> > > > diff -u -p -r1.29 Makefile
> > > > --- Makefile 21 Nov 2015 12:37:42 - 1.29
> > > > +++ Makefile 19 Jul 2016 08:33:26 -
> > > > @@ -6,7 +6,7 @@ SRCS+=agentx.c ca.c carp.c check_icmp.
> > > > check_tcp.c config.c control.c hce.c log.c name2id.c \
> > > > pfe.c pfe_filter.c pfe_route.c proc.c \
> > > > relay.c relay_http.c relay_udp.c relayd.c \
> > > > - shuffle.c snmp.c ssl.c util.c
> > > > + shuffle.c snmp.c ssl.c tlsc.c util.c
> > > > MAN= relayd.8 relayd.conf.5
> > > >
> > > > LDADD= -levent -lssl -lcrypto -lutil
> > > > Index: ca.c
> > > > ===
> > > > RCS file: /cvs/src/usr.sbin/relayd/ca.c,v
> > > > retrieving revision 1.16
> > > > diff -u -p -r1.16 ca.c
> > > > --- ca.c 5 Dec 2015 13:13:11 - 1.16
> > > > +++ ca.c 19 Jul 2016 13:18:33 -
> > > > @@ -23,6 +23,7 @@
> > > > #include
> > > > #include
> > > > #include
> > > > +#include
> > > > #include
> > > >
> > > > #include
> > > > @@ -256,6 +257,7 @@ static int
> > > > rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
> > > > int padding, u_int cmd)
> > > > {
> > > > + struct pollfdpfd[1];
> > > > struct ctl_keyop cko;
> > > > int ret = 0;
> > > > objid_t *id;
> > > > @@ -292,9 +294,21 @@ rsae_send_imsg(int flen, const u_char *f
> > > >* operation in OpenSSL's engine layer.
> > > >*/
> > > > imsg_composev(ibuf, cmd, 0, 0, -1, iov, cnt);
> > > > - imsg_flush(ibuf);
> > > > + if (imsg_flush(ibuf) == -1)
> > > > + log_warn("rsae_send_imsg: imsg_flush");
> > > >
> > > > + pfd[0].fd = ibuf->fd;
> > > > + pfd[0].events = POLLIN;
> > > > while (!done) {
> > > > + switch (poll(pfd, 1, 5 * 1000)) {
> > >
> > > I don't like this timeout number here, please turn it into a #define
> > > and put it into relayd.h, eg.
> > >
> > > #define TLS_PRIV_SEND_TIMEOUT 5000/* 5 sec */
> > >
> >
> > Done.
> >
> > > > + case -1:
> > > > + fatal("rsae_send_imsg: poll");
> > > > + case 0:
> > > > + log_warnx("rsae_send_imsg: poll timeout");
> > > > + break;
> > > > + default:
> > > > + break;
> > > > + }
> > > > if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
> > > > fatalx("imsg_read");
> > > > if (n == 0)
> > > > Index: config.c
> > > > ===
> > > > RCS file: /cvs/src/usr.sbin/relayd/config.c,v
> > > > retrieving revision 1.27
> > > > diff -u -p -r1.27 config.c
> > > > --- config.c 7 Dec 2015 04:03:27 - 1.27
> > > > +++ config.c 18 Jul 2016 13:01:35 -
> > > > @@ -51,6 +51,7 @@ config_init(struct relayd *env)
> > > > ps->ps_what[PROC_CA] = CONFIG_RELAYS;
> > > > ps->ps_what[PROC_RELAY] = CONFIG_RELAYS|
> > > > CONFIG_TABLES|CONFIG_PROTOS|CONFIG_CA_ENGINE;
> > > > + ps->ps_what[PROC_TLSC] = 0;
> > > > }
> > > >
> > > > /* Other configuration */
> > > > Index: parse.y
> > > > ===
> > > > RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
> > > > retrieving revision 1.207
> > > > diff -u -p -r1.207 parse.y
> > > > --- parse.y 21 Jun 2016 21:35:25 - 1.207
> > > > +++ parse.y 30 Aug 2016 10:50:16 -
> >
Re: relayd TLS ticket and session support accross processes
On Tue, Aug 30, 2016 at 03:51:04PM +0200, Claudio Jeker wrote:
> On Tue, Aug 30, 2016 at 02:44:17PM +0200, Reyk Floeter wrote:
> > On Tue, Aug 30, 2016 at 01:22:49PM +0200, Claudio Jeker wrote:
> > > Here is the latest version of the ticket and tls session cache support.
> > > Tickets can be disabled and also the session timeout is configurable.
> > > Same code as before with man page diff
> > >
> >
> > Nice work! I'm curious how this impact production, do you have any
> > experience to share?
> >
> > > Will commit this soonish unless somebody complains
> >
> > I do complain, but just a bit. nit-picking below.
> >
> > Reyk
> >
> > > --
> > > :wq Claudio
> > >
> > > Index: Makefile
> > > ===
> > > RCS file: /cvs/src/usr.sbin/relayd/Makefile,v
> > > retrieving revision 1.29
> > > diff -u -p -r1.29 Makefile
> > > --- Makefile 21 Nov 2015 12:37:42 - 1.29
> > > +++ Makefile 19 Jul 2016 08:33:26 -
> > > @@ -6,7 +6,7 @@ SRCS+=agentx.c ca.c carp.c check_icmp.
> > > check_tcp.c config.c control.c hce.c log.c name2id.c \
> > > pfe.c pfe_filter.c pfe_route.c proc.c \
> > > relay.c relay_http.c relay_udp.c relayd.c \
> > > - shuffle.c snmp.c ssl.c util.c
> > > + shuffle.c snmp.c ssl.c tlsc.c util.c
> > > MAN= relayd.8 relayd.conf.5
> > >
> > > LDADD= -levent -lssl -lcrypto -lutil
> > > Index: ca.c
> > > ===
> > > RCS file: /cvs/src/usr.sbin/relayd/ca.c,v
> > > retrieving revision 1.16
> > > diff -u -p -r1.16 ca.c
> > > --- ca.c 5 Dec 2015 13:13:11 - 1.16
> > > +++ ca.c 19 Jul 2016 13:18:33 -
> > > @@ -23,6 +23,7 @@
> > > #include
> > > #include
> > > #include
> > > +#include
> > > #include
> > >
> > > #include
> > > @@ -256,6 +257,7 @@ static int
> > > rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
> > > int padding, u_int cmd)
> > > {
> > > + struct pollfdpfd[1];
> > > struct ctl_keyop cko;
> > > int ret = 0;
> > > objid_t *id;
> > > @@ -292,9 +294,21 @@ rsae_send_imsg(int flen, const u_char *f
> > >* operation in OpenSSL's engine layer.
> > >*/
> > > imsg_composev(ibuf, cmd, 0, 0, -1, iov, cnt);
> > > - imsg_flush(ibuf);
> > > + if (imsg_flush(ibuf) == -1)
> > > + log_warn("rsae_send_imsg: imsg_flush");
> > >
> > > + pfd[0].fd = ibuf->fd;
> > > + pfd[0].events = POLLIN;
> > > while (!done) {
> > > + switch (poll(pfd, 1, 5 * 1000)) {
> >
> > I don't like this timeout number here, please turn it into a #define
> > and put it into relayd.h, eg.
> >
> > #define TLS_PRIV_SEND_TIMEOUT 5000/* 5 sec */
> >
>
> Done.
>
> > > + case -1:
> > > + fatal("rsae_send_imsg: poll");
> > > + case 0:
> > > + log_warnx("rsae_send_imsg: poll timeout");
> > > + break;
> > > + default:
> > > + break;
> > > + }
> > > if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
> > > fatalx("imsg_read");
> > > if (n == 0)
> > > Index: config.c
> > > ===
> > > RCS file: /cvs/src/usr.sbin/relayd/config.c,v
> > > retrieving revision 1.27
> > > diff -u -p -r1.27 config.c
> > > --- config.c 7 Dec 2015 04:03:27 - 1.27
> > > +++ config.c 18 Jul 2016 13:01:35 -
> > > @@ -51,6 +51,7 @@ config_init(struct relayd *env)
> > > ps->ps_what[PROC_CA] = CONFIG_RELAYS;
> > > ps->ps_what[PROC_RELAY] = CONFIG_RELAYS|
> > > CONFIG_TABLES|CONFIG_PROTOS|CONFIG_CA_ENGINE;
> > > + ps->ps_what[PROC_TLSC] = 0;
> > > }
> > >
> > > /* Other configuration */
> > > Index: parse.y
> > > ===
> > > RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
> > > retrieving revision 1.207
> > > diff -u -p -r1.207 parse.y
> > > --- parse.y 21 Jun 2016 21:35:25 - 1.207
> > > +++ parse.y 30 Aug 2016 10:50:16 -
> > > @@ -172,13 +172,13 @@ typedef struct {
> > > %token SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT
> > > TLS TO
> > > %token ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL
> > > RTABLE
> > > %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE
> > > PASSWORD ECDH
> > > -%token EDH CURVE
> > > +%token EDH CURVE TICKETS
> > > %token STRING
> > > %token NUMBER
> > > %type hostname interface table value optstring
> > > %type http_type loglevel quick trap
> > > %type dstmode flag forwardmode retry
> > > -%type opttls opttlsclient tlscache
> > > +%type opttls opttlsclient tlscache tlstickets
> > > tlstimeout
> > > %type redirect_proto relay_pr
Re: relayd TLS ticket and session support accross processes
On Tue, Aug 30, 2016 at 02:44:17PM +0200, Reyk Floeter wrote:
> On Tue, Aug 30, 2016 at 01:22:49PM +0200, Claudio Jeker wrote:
> > Here is the latest version of the ticket and tls session cache support.
> > Tickets can be disabled and also the session timeout is configurable.
> > Same code as before with man page diff
> >
>
> Nice work! I'm curious how this impact production, do you have any
> experience to share?
>
> > Will commit this soonish unless somebody complains
>
> I do complain, but just a bit. nit-picking below.
>
> Reyk
>
> > --
> > :wq Claudio
> >
> > Index: Makefile
> > ===
> > RCS file: /cvs/src/usr.sbin/relayd/Makefile,v
> > retrieving revision 1.29
> > diff -u -p -r1.29 Makefile
> > --- Makefile21 Nov 2015 12:37:42 - 1.29
> > +++ Makefile19 Jul 2016 08:33:26 -
> > @@ -6,7 +6,7 @@ SRCS+= agentx.c ca.c carp.c check_icmp.
> > check_tcp.c config.c control.c hce.c log.c name2id.c \
> > pfe.c pfe_filter.c pfe_route.c proc.c \
> > relay.c relay_http.c relay_udp.c relayd.c \
> > - shuffle.c snmp.c ssl.c util.c
> > + shuffle.c snmp.c ssl.c tlsc.c util.c
> > MAN= relayd.8 relayd.conf.5
> >
> > LDADD= -levent -lssl -lcrypto -lutil
> > Index: ca.c
> > ===
> > RCS file: /cvs/src/usr.sbin/relayd/ca.c,v
> > retrieving revision 1.16
> > diff -u -p -r1.16 ca.c
> > --- ca.c5 Dec 2015 13:13:11 - 1.16
> > +++ ca.c19 Jul 2016 13:18:33 -
> > @@ -23,6 +23,7 @@
> > #include
> > #include
> > #include
> > +#include
> > #include
> >
> > #include
> > @@ -256,6 +257,7 @@ static int
> > rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
> > int padding, u_int cmd)
> > {
> > + struct pollfdpfd[1];
> > struct ctl_keyop cko;
> > int ret = 0;
> > objid_t *id;
> > @@ -292,9 +294,21 @@ rsae_send_imsg(int flen, const u_char *f
> > * operation in OpenSSL's engine layer.
> > */
> > imsg_composev(ibuf, cmd, 0, 0, -1, iov, cnt);
> > - imsg_flush(ibuf);
> > + if (imsg_flush(ibuf) == -1)
> > + log_warn("rsae_send_imsg: imsg_flush");
> >
> > + pfd[0].fd = ibuf->fd;
> > + pfd[0].events = POLLIN;
> > while (!done) {
> > + switch (poll(pfd, 1, 5 * 1000)) {
>
> I don't like this timeout number here, please turn it into a #define
> and put it into relayd.h, eg.
>
> #define TLS_PRIV_SEND_TIMEOUT 5000/* 5 sec */
>
Done.
> > + case -1:
> > + fatal("rsae_send_imsg: poll");
> > + case 0:
> > + log_warnx("rsae_send_imsg: poll timeout");
> > + break;
> > + default:
> > + break;
> > + }
> > if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
> > fatalx("imsg_read");
> > if (n == 0)
> > Index: config.c
> > ===
> > RCS file: /cvs/src/usr.sbin/relayd/config.c,v
> > retrieving revision 1.27
> > diff -u -p -r1.27 config.c
> > --- config.c7 Dec 2015 04:03:27 - 1.27
> > +++ config.c18 Jul 2016 13:01:35 -
> > @@ -51,6 +51,7 @@ config_init(struct relayd *env)
> > ps->ps_what[PROC_CA] = CONFIG_RELAYS;
> > ps->ps_what[PROC_RELAY] = CONFIG_RELAYS|
> > CONFIG_TABLES|CONFIG_PROTOS|CONFIG_CA_ENGINE;
> > + ps->ps_what[PROC_TLSC] = 0;
> > }
> >
> > /* Other configuration */
> > Index: parse.y
> > ===
> > RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
> > retrieving revision 1.207
> > diff -u -p -r1.207 parse.y
> > --- parse.y 21 Jun 2016 21:35:25 - 1.207
> > +++ parse.y 30 Aug 2016 10:50:16 -
> > @@ -172,13 +172,13 @@ typedef struct {
> > %token SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT
> > TLS TO
> > %token ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL
> > RTABLE
> > %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE
> > PASSWORD ECDH
> > -%token EDH CURVE
> > +%token EDH CURVE TICKETS
> > %token STRING
> > %token NUMBER
> > %typehostname interface table value optstring
> > %typehttp_type loglevel quick trap
> > %typedstmode flag forwardmode retry
> > -%typeopttls opttlsclient tlscache
> > +%typeopttls opttlsclient tlscache tlstickets
> > tlstimeout
> > %typeredirect_proto relay_proto match
> > %typeaction ruleaf key_option
> > %typetlsdhparams tlsecdhcurve
> > @@ -1092,6 +1092,8 @@ tlsflags_l: tlsflags comma tlsflags_l
> > ;
> >
> > tlsflags : SESSION CACHE tlsca
Re: relayd TLS ticket and session support accross processes
On Tue, Aug 30, 2016 at 01:22:49PM +0200, Claudio Jeker wrote:
> Here is the latest version of the ticket and tls session cache support.
> Tickets can be disabled and also the session timeout is configurable.
> Same code as before with man page diff
>
Nice work! I'm curious how this impact production, do you have any
experience to share?
> Will commit this soonish unless somebody complains
I do complain, but just a bit. nit-picking below.
Reyk
> --
> :wq Claudio
>
> Index: Makefile
> ===
> RCS file: /cvs/src/usr.sbin/relayd/Makefile,v
> retrieving revision 1.29
> diff -u -p -r1.29 Makefile
> --- Makefile 21 Nov 2015 12:37:42 - 1.29
> +++ Makefile 19 Jul 2016 08:33:26 -
> @@ -6,7 +6,7 @@ SRCS+=agentx.c ca.c carp.c check_icmp.
> check_tcp.c config.c control.c hce.c log.c name2id.c \
> pfe.c pfe_filter.c pfe_route.c proc.c \
> relay.c relay_http.c relay_udp.c relayd.c \
> - shuffle.c snmp.c ssl.c util.c
> + shuffle.c snmp.c ssl.c tlsc.c util.c
> MAN= relayd.8 relayd.conf.5
>
> LDADD= -levent -lssl -lcrypto -lutil
> Index: ca.c
> ===
> RCS file: /cvs/src/usr.sbin/relayd/ca.c,v
> retrieving revision 1.16
> diff -u -p -r1.16 ca.c
> --- ca.c 5 Dec 2015 13:13:11 - 1.16
> +++ ca.c 19 Jul 2016 13:18:33 -
> @@ -23,6 +23,7 @@
> #include
> #include
> #include
> +#include
> #include
>
> #include
> @@ -256,6 +257,7 @@ static int
> rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
> int padding, u_int cmd)
> {
> + struct pollfdpfd[1];
> struct ctl_keyop cko;
> int ret = 0;
> objid_t *id;
> @@ -292,9 +294,21 @@ rsae_send_imsg(int flen, const u_char *f
>* operation in OpenSSL's engine layer.
>*/
> imsg_composev(ibuf, cmd, 0, 0, -1, iov, cnt);
> - imsg_flush(ibuf);
> + if (imsg_flush(ibuf) == -1)
> + log_warn("rsae_send_imsg: imsg_flush");
>
> + pfd[0].fd = ibuf->fd;
> + pfd[0].events = POLLIN;
> while (!done) {
> + switch (poll(pfd, 1, 5 * 1000)) {
I don't like this timeout number here, please turn it into a #define
and put it into relayd.h, eg.
#define TLS_PRIV_SEND_TIMEOUT 5000/* 5 sec */
> + case -1:
> + fatal("rsae_send_imsg: poll");
> + case 0:
> + log_warnx("rsae_send_imsg: poll timeout");
> + break;
> + default:
> + break;
> + }
> if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
> fatalx("imsg_read");
> if (n == 0)
> Index: config.c
> ===
> RCS file: /cvs/src/usr.sbin/relayd/config.c,v
> retrieving revision 1.27
> diff -u -p -r1.27 config.c
> --- config.c 7 Dec 2015 04:03:27 - 1.27
> +++ config.c 18 Jul 2016 13:01:35 -
> @@ -51,6 +51,7 @@ config_init(struct relayd *env)
> ps->ps_what[PROC_CA] = CONFIG_RELAYS;
> ps->ps_what[PROC_RELAY] = CONFIG_RELAYS|
> CONFIG_TABLES|CONFIG_PROTOS|CONFIG_CA_ENGINE;
> + ps->ps_what[PROC_TLSC] = 0;
> }
>
> /* Other configuration */
> Index: parse.y
> ===
> RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
> retrieving revision 1.207
> diff -u -p -r1.207 parse.y
> --- parse.y 21 Jun 2016 21:35:25 - 1.207
> +++ parse.y 30 Aug 2016 10:50:16 -
> @@ -172,13 +172,13 @@ typedef struct {
> %token SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT
> TLS TO
> %token ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL
> RTABLE
> %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE
> PASSWORD ECDH
> -%token EDH CURVE
> +%token EDH CURVE TICKETS
> %token STRING
> %token NUMBER
> %type hostname interface table value optstring
> %type http_type loglevel quick trap
> %type dstmode flag forwardmode retry
> -%type opttls opttlsclient tlscache
> +%type opttls opttlsclient tlscache tlstickets
> tlstimeout
> %type redirect_proto relay_proto match
> %type action ruleaf key_option
> %type tlsdhparams tlsecdhcurve
> @@ -1092,6 +1092,8 @@ tlsflags_l : tlsflags comma tlsflags_l
> ;
>
> tlsflags : SESSION CACHE tlscache{ proto->cache = $3; }
> + | SESSION TICKETS tlstickets{ proto->tickets = $3; }
> + | SESSION TIMEOUT tlstimeout{ proto->tlstimeout = $3; }
> | CIPHERS STRING{
>
