Provide a simple and automated SSL Ticket key generation system for ATS
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Vgutierrez
	Feb 19 2020, 1:22 PM

Description

Switching from the old session cache based on Session IDs to TLS Tickets requires an automated way of rotating ticket keys every X hours. The simplest version doesn't require sync support between cp nodes of the same cluster/DC. It just should be able to maintain N versions of the key on a tmpfs backed file and ensure that the file is populated before ats-tls is started after a system reboot

Details

Subject	Repo	Branch	Lines +/-
ATS: Enable inbound TLSv1.3 on the upload cluster	operations/puppet	production	+44 -187
ATS: Enable inbound TLSv1.3 in upload@codfw	operations/puppet	production	+42 -0
ATS: Enable inbound TLSv1.3 in upload@esams	operations/puppet	production	+42 -0
ATS: Enable TLS Session tickets in eqsin	operations/puppet	production	+23 -2
ATS: Re-enable TLS tickets in ulsfo	operations/puppet	production	+4 -2
Release 8.0.6-1wm4	operations/debs/trafficserver	master	+23 -0
ATS: Disable TLS Session tickets in ulsfo	operations/puppet	production	+2 -4
ATS: Fix session_ticket_number config name	operations/puppet	production	+1 -1
Release 8.0.6-1wm3	operations/debs/trafficserver	master	+67 -0
ATS: Re-enable session ID based cache on ulsfo	operations/puppet	production	+4 -1
ATS: Turn on TLS Session tickets on ulsfo	operations/puppet	production	+26 -3
Release 8.0.6-1wm2	operations/debs/trafficserver	master	+28 -0
ATS: Support TLS Session tickets	operations/puppet	production	+153 -1
systemd: Support multiple intervals on job::timer	operations/puppet	production	+29 -1

Related Objects
Search...

Status	Assigned	Task
Open	None	T92298 Investigate our mitigation strategy for HTTPS response length attacks
Resolved	Vgutierrez	T170567 Support TLSv1.3
Resolved	Vgutierrez	T245502 ATS TLS session cache efficiency reduced in TLSv1.3
Resolved	Vgutierrez	T245616 Provide a simple and automated SSL Ticket key generation system for ATS

Event Timeline

Vgutierrez triaged this task as Medium priority.Feb 19 2020, 1:22 PM

Vgutierrez created this task.

Vgutierrez moved this task from Backlog to TLS on the Traffic board.

MoritzMuehlenhoff subscribed.Feb 19 2020, 5:03 PM

Change 573526 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] systemd: Provide support for multiple intervals on systemd::job::timer

https://gerrit.wikimedia.org/r/573526

gerritbot added a project: Patch-For-Review.Feb 20 2020, 9:40 AM

Change 573526 merged by Vgutierrez:
[operations/puppet@production] systemd: Support multiple intervals on job::timer

https://gerrit.wikimedia.org/r/573526

Maintenance_bot removed a project: Patch-For-Review.Feb 20 2020, 11:10 AM

Change 573977 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Support TLS Session tickets

https://gerrit.wikimedia.org/r/573977

gerritbot added a project: Patch-For-Review.Feb 21 2020, 11:20 AM

Ladsgroup subscribed.Mar 2 2020, 9:53 AM

Change 577569 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.6-1wm2

https://gerrit.wikimedia.org/r/577569

Mentioned in SAL (#wikimedia-operations) [2020-03-09T10:58:40Z] <vgutierrez> upload pystemd 0.7.0-1wm1 to apt.wm.o (buster) - T245616

Change 573977 merged by Vgutierrez:
[operations/puppet@production] ATS: Support TLS Session tickets

https://gerrit.wikimedia.org/r/573977

Change 578327 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Turn on TLS Session tickets on ulsfo

https://gerrit.wikimedia.org/r/578327

Change 577569 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.6-1wm2

https://gerrit.wikimedia.org/r/577569

Mentioned in SAL (#wikimedia-operations) [2020-03-10T11:56:10Z] <vgutierrez> upload trafficserver 8.0.6-1wm2 to apt.wm.o (buster) - T245616

Mentioned in SAL (#wikimedia-operations) [2020-03-10T13:16:39Z] <vgutierrez> upgrade ATS on ulsfo to 8.0.6-1wm2 - T245616

Change 578327 merged by Vgutierrez:
[operations/puppet@production] ATS: Turn on TLS Session tickets on ulsfo

https://gerrit.wikimedia.org/r/578327

Mentioned in SAL (#wikimedia-operations) [2020-03-10T14:00:33Z] <vgutierrez> reboot cp4026 - T245616

Maintenance_bot removed a project: Patch-For-Review.Mar 10 2020, 2:10 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-10T14:12:38Z] <vgutierrez> Switch to TLS session tickets on ulsfo - T245616

Change 578544 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Re-enable session ID based cache on ulsfo

https://gerrit.wikimedia.org/r/578544

gerritbot added a project: Patch-For-Review.Mar 10 2020, 3:27 PM

Change 578544 merged by Vgutierrez:
[operations/puppet@production] ATS: Re-enable session ID based cache on ulsfo

https://gerrit.wikimedia.org/r/578544

Mentioned in SAL (#wikimedia-operations) [2020-03-10T15:48:21Z] <vgutierrez> re-enabling session id based caching on ulsfo (along with tls session tickets) - T245616

Maintenance_bot removed a project: Patch-For-Review.Mar 10 2020, 4:10 PM

Change 579262 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.6-1wm3

https://gerrit.wikimedia.org/r/579262

gerritbot added a project: Patch-For-Review.Mar 12 2020, 1:17 PM

Change 579262 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.6-1wm3

https://gerrit.wikimedia.org/r/579262

Maintenance_bot removed a project: Patch-For-Review.Mar 12 2020, 3:10 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-13T10:09:06Z] <vgutierrez> upload trafficserver 8.0.6-1wm3 to apt.wm.o (buster) - T245616

Change 580872 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix session_ticket_number config name

https://gerrit.wikimedia.org/r/580872

Change 580872 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix session_ticket_number config name

https://gerrit.wikimedia.org/r/580872

Maintenance_bot removed a project: Patch-For-Review.Mar 18 2020, 10:10 AM

Change 580951 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Disable TLS Session tickets in ulsfo

https://gerrit.wikimedia.org/r/580951

gerritbot added a project: Patch-For-Review.Mar 18 2020, 2:24 PM

Change 580951 merged by Vgutierrez:
[operations/puppet@production] ATS: Disable TLS Session tickets in ulsfo

https://gerrit.wikimedia.org/r/580951

Mentioned in SAL (#wikimedia-operations) [2020-03-18T14:41:32Z] <vgutierrez> disable TLS session tickets in ulsfo - T245616 T170567

Stashbot mentioned this in T170567: Support TLSv1.3.Mar 18 2020, 2:41 PM

Maintenance_bot removed a project: Patch-For-Review.Mar 18 2020, 3:10 PM

Change 583715 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.6-1wm4

https://gerrit.wikimedia.org/r/583715

gerritbot added a project: Patch-For-Review.Mar 26 2020, 6:05 PM

Change 583715 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.6-1wm4

https://gerrit.wikimedia.org/r/583715

Maintenance_bot removed a project: Patch-For-Review.Mar 27 2020, 9:10 AM

Mentioned in SAL (#wikimedia-operations) [2020-03-27T10:04:31Z] <vgutierrez> upload trafficserver 8.0.6-1wm4 to apt.wm.o (buster) - T245616 T170567

Change 583948 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Re-enable TLS tickets in ulsfo

https://gerrit.wikimedia.org/r/583948

gerritbot added a project: Patch-For-Review.Mar 27 2020, 1:35 PM

Change 583948 merged by Vgutierrez:
[operations/puppet@production] ATS: Re-enable TLS tickets in ulsfo

https://gerrit.wikimedia.org/r/583948

Mentioned in SAL (#wikimedia-operations) [2020-03-30T04:32:45Z] <vgutierrez> upgrade ATS to version 8.0.6-1wm4 on ulsfo - T245616

Mentioned in SAL (#wikimedia-operations) [2020-03-30T04:55:10Z] <vgutierrez> Enable TLS Session tickets in ulsfo - T245616

Maintenance_bot removed a project: Patch-For-Review.Mar 30 2020, 5:10 AM

Change 584877 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable TLS Session tickets in eqsin

https://gerrit.wikimedia.org/r/584877

gerritbot added a project: Patch-For-Review.Mar 31 2020, 7:38 AM

Change 584877 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable TLS Session tickets in eqsin

https://gerrit.wikimedia.org/r/584877

Mentioned in SAL (#wikimedia-operations) [2020-03-31T13:31:02Z] <vgutierrez> Enable TLS Session tickets in eqsin - T245616

Maintenance_bot removed a project: Patch-For-Review.Mar 31 2020, 2:11 PM

Vgutierrez closed this task as Resolved.Apr 2 2020, 7:33 AM

Vgutierrez mentioned this in T245502: ATS TLS session cache efficiency reduced in TLSv1.3.

Change 585426 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@esams

https://gerrit.wikimedia.org/r/585426

gerritbot added a project: Patch-For-Review.Apr 2 2020, 7:35 AM

Change 585426 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@esams

https://gerrit.wikimedia.org/r/585426

Mentioned in SAL (#wikimedia-operations) [2020-04-02T08:21:49Z] <vgutierrez> Enable TLS Session tickets in esams - T245616

Maintenance_bot removed a project: Patch-For-Review.Apr 2 2020, 9:11 AM

Change 585492 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@codfw

https://gerrit.wikimedia.org/r/585492

gerritbot added a project: Patch-For-Review.Apr 2 2020, 1:37 PM

Change 585492 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@codfw

https://gerrit.wikimedia.org/r/585492

Mentioned in SAL (#wikimedia-operations) [2020-04-02T14:33:50Z] <vgutierrez> Enable TLS Session tickets in codfw - T245616

Maintenance_bot removed a project: Patch-For-Review.Apr 2 2020, 3:10 PM

Change 585697 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 on the upload cluster

https://gerrit.wikimedia.org/r/585697

gerritbot added a project: Patch-For-Review.Apr 3 2020, 8:27 AM

Change 585697 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 on the upload cluster

https://gerrit.wikimedia.org/r/585697

Mentioned in SAL (#wikimedia-operations) [2020-04-06T05:16:21Z] <vgutierrez> Enable TLS Session Tickets on eqiad - T245616

Maintenance_bot removed a project: Patch-For-Review.Apr 6 2020, 6:10 AM

• Gilles mentioned this in T238494: 15% response start regression as of 2019-11-11 (Varnish->ATS).Apr 6 2020, 10:08 AM

Provide a simple and automated SSL Ticket key generation system for ATSClosed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Provide a simple and automated SSL Ticket key generation system for ATS
Closed, ResolvedPublic
Actions

Related Objects
Search...