Description
Switching from the old session cache based on session IDs to TLS tickets requires an automated way of rotating ticket keys every X hours. The simplest version doesn't require sync support between cp nodes of the same cluster/DC. It just has to maintain N versions of the key in a tmpfs-backed file and ensure that the file is populated before ats-tls is started after a system reboot.
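A minimal rotation routine along the lines the task describes, written here as an added example rather than code from the operations/puppet change: it prepends a fresh key, keeps the newest N keys, writes the file atomically, and repopulates it from scratch when the tmpfs copy is gone after a reboot. It assumes ATS reads the file as concatenated 48-byte keys (16-byte name, 16-byte AES key, 16-byte HMAC key) and encrypts new tickets with the first one; the path under /run is also assumed.

```python
import os
import sys
import tempfile

# Assumption: one ATS ticket key = 16-byte key name + 16-byte AES key + 16-byte HMAC key.
KEY_SIZE = 48


def load_keys(path):
    """Return the list of 48-byte keys in the file, or [] if the file is missing."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except FileNotFoundError:
        return []
    if len(data) % KEY_SIZE:
        raise ValueError("%s is not a multiple of %d bytes" % (path, KEY_SIZE))
    return [data[i:i + KEY_SIZE] for i in range(0, len(data), KEY_SIZE)]


def rotate_keys(path, keep):
    """Prepend a fresh random key, drop keys beyond `keep`, write atomically.

    Newest key first: ATS encrypts new tickets with the first key and can still
    decrypt tickets issued under the older ones until they fall off the list.
    """
    keys = ([os.urandom(KEY_SIZE)] + load_keys(path))[:keep]
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".ticket-key-")
    try:
        with os.fdopen(fd, "wb") as f:  # mkstemp creates the file mode 0600
            f.write(b"".join(keys))
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic rename: ATS never observes a partial file
    except BaseException:
        os.unlink(tmp)
        raise
    return keys


def ensure_populated(path, keep):
    """Boot-time step: tmpfs is empty after a reboot, so fill the file with a full
    window of `keep` keys before ats-tls starts; otherwise leave it untouched."""
    if not load_keys(path):
        for _ in range(keep):
            rotate_keys(path, keep)
    return load_keys(path)


if __name__ == "__main__":
    # Assumed layout: /run/ats-tls on tmpfs, 3 key versions kept, rotated by a timer.
    target = sys.argv[1] if len(sys.argv) > 1 else "/run/ats-tls/ssl_ticket.key"
    ensure_populated(target, 3)
    rotate_keys(target, 3)
```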
Details
Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T92298 Investigate our mitigation strategy for HTTPS response length attacks
Resolved | | Vgutierrez | T170567 Support TLSv1.3
Resolved | | Vgutierrez | T245502 ATS TLS session cache efficiency reduced in TLSv1.3
Resolved | | Vgutierrez | T245616 Provide a simple and automated SSL Ticket key generation system for ATS
Event Timeline
Change 573526 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] systemd: Provide support for multiple intervals on systemd::job::timer
Change 573526 merged by Vgutierrez:
[operations/puppet@production] systemd: Support multiple intervals on job::timer
Change 573977 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Support TLS Session tickets
Change 577569 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.6-1wm2
Mentioned in SAL (#wikimedia-operations) [2020-03-09T10:58:40Z] <vgutierrez> upload pystemd 0.7.0-1wm1 to apt.wm.o (buster) - T245616
Change 573977 merged by Vgutierrez:
[operations/puppet@production] ATS: Support TLS Session tickets
Change 578327 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Turn on TLS Session tickets on ulsfo
Change 577569 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.6-1wm2
Mentioned in SAL (#wikimedia-operations) [2020-03-10T11:56:10Z] <vgutierrez> upload trafficserver 8.0.6-1wm2 to apt.wm.o (buster) - T245616
Mentioned in SAL (#wikimedia-operations) [2020-03-10T13:16:39Z] <vgutierrez> upgrade ATS on ulsfo to 8.0.6-1wm2 - T245616
Change 578327 merged by Vgutierrez:
[operations/puppet@production] ATS: Turn on TLS Session tickets on ulsfo
Mentioned in SAL (#wikimedia-operations) [2020-03-10T14:00:33Z] <vgutierrez> reboot cp4026 - T245616
Mentioned in SAL (#wikimedia-operations) [2020-03-10T14:12:38Z] <vgutierrez> Switch to TLS session tickets on ulsfo - T245616
Change 578544 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Re-enable session ID based cache on ulsfo
Change 578544 merged by Vgutierrez:
[operations/puppet@production] ATS: Re-enable session ID based cache on ulsfo
Mentioned in SAL (#wikimedia-operations) [2020-03-10T15:48:21Z] <vgutierrez> re-enabling session id based caching on ulsfo (along with tls session tickets) - T245616
Change 579262 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.6-1wm3
Change 579262 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.6-1wm3
Mentioned in SAL (#wikimedia-operations) [2020-03-13T10:09:06Z] <vgutierrez> upload trafficserver 8.0.6-1wm3 to apt.wm.o (buster) - T245616
Change 580872 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix session_ticket_number config name
Change 580872 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix session_ticket_number config name
Change 580951 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Disable TLS Session tickets in ulsfo
Change 580951 merged by Vgutierrez:
[operations/puppet@production] ATS: Disable TLS Session tickets in ulsfo
Mentioned in SAL (#wikimedia-operations) [2020-03-18T14:41:32Z] <vgutierrez> disable TLS session tickets in ulsfo - T245616 T170567
Change 583715 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.6-1wm4
Change 583715 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.6-1wm4
Mentioned in SAL (#wikimedia-operations) [2020-03-27T10:04:31Z] <vgutierrez> upload trafficserver 8.0.6-1wm4 to apt.wm.o (buster) - T245616 T170567
Change 583948 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Re-enable TLS tickets in ulsfo
Change 583948 merged by Vgutierrez:
[operations/puppet@production] ATS: Re-enable TLS tickets in ulsfo
Mentioned in SAL (#wikimedia-operations) [2020-03-30T04:32:45Z] <vgutierrez> upgrade ATS to version 8.0.6-1wm4 on ulsfo - T245616
Mentioned in SAL (#wikimedia-operations) [2020-03-30T04:55:10Z] <vgutierrez> Enable TLS Session tickets in ulsfo - T245616
Change 584877 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable TLS Session tickets in eqsin
Change 584877 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable TLS Session tickets in eqsin
Mentioned in SAL (#wikimedia-operations) [2020-03-31T13:31:02Z] <vgutierrez> Enable TLS Session tickets in eqsin - T245616
Change 585426 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@esams
Change 585426 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@esams
Mentioned in SAL (#wikimedia-operations) [2020-04-02T08:21:49Z] <vgutierrez> Enable TLS Session tickets in esams - T245616
Change 585492 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@codfw
Change 585492 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@codfw
Mentioned in SAL (#wikimedia-operations) [2020-04-02T14:33:50Z] <vgutierrez> Enable TLS Session tickets in codfw - T245616
Change 585697 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 on the upload cluster
Change 585697 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 on the upload cluster
Mentioned in SAL (#wikimedia-operations) [2020-04-06T05:16:21Z] <vgutierrez> Enable TLS Session Tickets on eqiad - T245616