trafficserver-users mailing list archives

From Dave Thompson <>
Subject Re: Session ticket key blocks per certificate in ssl_multicert.config ?
Date Mon, 07 Mar 2016 17:01:31 GMT
I agree. Unique TLS session ticket key per server or per server cluster, for sure, but
I have difficulty imagining pragmatic value in managing this on a per-certificate level, especially
given the trade-off you mention.

    On Friday, March 4, 2016 10:39 AM, Leif Hedstrom <> wrote:

 Hi all,

while debugging some pretty serious shortcomings of the session tickets and ssl_multicert.config,
I’ve come to realize that the current implementation is (likely) overly complex, with little
additional value. So my question is this:

    How important is it to configure unique session ticket keys for each certificate?

If the answer is “not very” or even “not at all”, I’d like to propose that we drop
this from ssl_multicert.config entirely, and only use a records.config configured session
ticket configuration. We’d retain the existing plumbing of course, including the rotation
mechanisms added recently. This approach also has the nice property of easier management of
these secrets. Of course, this would be an incompatible change, so could only go into v7.0.0.

Thoughts? If you feel that we need to retain the unique ticket key blocks per certificate,
please speak up and explain why.


— Leif
