[tls][tickets]: add ability to specify lifetime hint #9556
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Description:
allow to specify tls ticket's lifetime hint for pre TLSv1.3 clients. today, by default, this value is equal to 2 hours, which could be suboptimal in some scenarios (e.g. envoy being used as edge l7 proxy to server real user's traffic, where user could be inactive for more than 2h (e.g. sleeping etc)).
Risk Level: LOW
Testing:
new unittests + manual tests (w/ openssl s_client; see "ticket lifetime hint" field):
TLSv1.2 default (no session_timeout param in config):
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: B1A9C4D45CF77D90039A136AFD6C0D9DEB7C000D109E1A61681F064E4DE9465D
Session-ID-ctx:
Master-Key: E46750473598D278BDCA28DF3AC4174EAFFC6521AF57D1CB6532934B8EED354D302600966DE5C90E684DA9BE12252CDD
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
TLSv1.2 w/ custom timeout of 2307 seconds
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 8413AAECF8FAEBF7D2148C81C716101BD6315F1A64C735802008DF3CB0C8D8E1
Session-ID-ctx:
Master-Key: C1B7B8238860132434ED61FDABF43093230F4A8A7F0ED0E9CEA78AC198B2F9A90E5FC19238E4D047F1C208D267E05E17
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 2307 (seconds)
TLS session ticket:
TLSv1.3 w/ custom timeout of 2307 (which is ignored by TLSv1.3)
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 9B13E684C5F8210C1FA4F49F733CEAB85B38D87EF59D63A39B05E11F81BCF1CF
Session-ID-ctx:
Resumption PSK: 2BF43FB996DA64E68877E1FA10D79D62F5AAA0DE33D601E1D6C21CA74CBF5BCA2F1A026E83FB165D31612E3E1F52E7C9
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 172800 (seconds)
TLS session ticket:
Docs Changes:
Release Notes:
Signed-off-by: Nikita V. Shirokov <tehnerd@tehnerd.com>
|
cc: @mattklein123 (sorry for explicit nag; this is rework (proper merge w/ upstream) of #9149 ) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is rework of #9149 (no changes to that one; mostly to workaround my bad merge in 9149)
Description:
allow to specify tls ticket's lifetime hint for pre TLSv1.3 clients. today, by default, this value is equal to 2 hours, which could be suboptimal in some scenarios (e.g. envoy being used as edge l7 proxy to server real user's traffic, where user could be inactive for more than 2h (e.g. sleeping etc)).
Risk Level: LOW
Testing:
new unittests + manual tests (w/ openssl s_client; see "ticket lifetime hint" field):
TLSv1.2 default (no session_timeout param in config):
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: B1A9C4D45CF77D90039A136AFD6C0D9DEB7C000D109E1A61681F064E4DE9465D
Session-ID-ctx:
Master-Key: E46750473598D278BDCA28DF3AC4174EAFFC6521AF57D1CB6532934B8EED354D302600966DE5C90E684DA9BE12252CDD
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
TLSv1.2 w/ custom timeout of 2307 seconds
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 8413AAECF8FAEBF7D2148C81C716101BD6315F1A64C735802008DF3CB0C8D8E1
Session-ID-ctx:
Master-Key: C1B7B8238860132434ED61FDABF43093230F4A8A7F0ED0E9CEA78AC198B2F9A90E5FC19238E4D047F1C208D267E05E17
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 2307 (seconds)
TLS session ticket:
TLSv1.3 w/ custom timeout of 2307 (which is ignored by TLSv1.3)
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 9B13E684C5F8210C1FA4F49F733CEAB85B38D87EF59D63A39B05E11F81BCF1CF
Session-ID-ctx:
Resumption PSK: 2BF43FB996DA64E68877E1FA10D79D62F5AAA0DE33D601E1D6C21CA74CBF5BCA2F1A026E83FB165D31612E3E1F52E7C9
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 172800 (seconds)
TLS session ticket:
Docs Changes:
Release Notes:
Signed-off-by: Nikita V. Shirokov tehnerd@tehnerd.com
For an explanation of how to fill out the fields, please see the relevant section
in PULL_REQUESTS.md
Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
[Optional Fixes #Issue]
[Optional Deprecated:]