trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Leif Hedstrom <zw...@apache.org>
Subject Session ticket key blocks per certificate in ssl_multicert.config ?
Date Fri, 04 Mar 2016 16:38:21 GMT
Hi all,

while debugging some pretty serious shortcomings of the session tickets and ssl_multicert.config,
I’ve come to realize that the current implementation is (likely) overly complex, with little
additional value. So my question is this:

	How important is it to configure unique session ticket keys for each certificate?


If the answer is “not very” or even “not at all", I’d like to propose that we drop
this from ssl_multicert.config entirely, and only use a records.config configured session
ticket configuration.  We’d retain the existing plumbing of course, including the rotation
mechanisms added recently. This approach also has the nice property of easier management of
these secrets. Of course, this would be an incompatible change, so could only go into v7.0.0.

Thoughts? If you feel that we need to retain the unique ticket key blocks per certificate,
please speak up and explain why.

Cheers,

— Leif


Mime
View raw message