
Provide a simple and automated SSL Ticket key generation system for ATS
Closed, Resolved. Public

Description

Switching from the old session cache based on Session IDs to TLS Tickets requires an automated way of rotating ticket keys every X hours. The simplest version doesn't require sync support between cp nodes of the same cluster/DC. It just should be able to maintain N versions of the key on a tmpfs-backed file and ensure that the file is populated before ats-tls is started after a system reboot.
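
A minimal sketch of the rotation described above, as an added example that is not the script written for this task. It assumes the key file is a sequence of 48-byte records with the newest record first (the one used to encrypt new tickets, older ones kept so outstanding tickets still decrypt); the function names, path and `keep` parameter are hypothetical.

```python
import os
import secrets
import tempfile

KEY_LEN = 48  # assumed size of one ticket key record in the key file


def read_keys(path):
    """Return the complete 48-byte records in the key file, newest first."""
    try:
        with open(path, "rb") as fh:
            blob = fh.read()
    except FileNotFoundError:
        return []  # first run after a reboot: the tmpfs is empty
    # Drop a torn trailing record rather than hand the server a partial key.
    blob = blob[: len(blob) - len(blob) % KEY_LEN]
    return [blob[i:i + KEY_LEN] for i in range(0, len(blob), KEY_LEN)]


def rotate_ticket_keys(path, keep):
    """Prepend a fresh random key, retain at most `keep` records, return the count."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    # The new key goes first; the oldest record falls off the end.
    records = [secrets.token_bytes(KEY_LEN)] + read_keys(path)[: keep - 1]
    # Write a sibling temp file and rename it over the target, so a reader
    # never observes a half-written key file.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".ticket-keys.")
    try:
        os.fchmod(fd, 0o600)  # key material: owner read/write only
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"".join(records))
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return len(records)


if __name__ == "__main__":
    # Constructed demo path; a real deployment would point at the tmpfs mount.
    demo = os.path.join(tempfile.mkdtemp(), "tls_session_ticket.key")
    for _ in range(4):
        print(rotate_ticket_keys(demo, keep=3), "key(s) on disk")
```

Running the same function from a boot-time unit ordered before the TLS service covers the reboot case, because a missing file is treated as an empty key list.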

Event Timeline

Vgutierrez triaged this task as Medium priority. Feb 19 2020, 1:22 PM
Vgutierrez created this task.
Vgutierrez moved this task from Triage to TLS on the Traffic board.

Change 573526 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] systemd: Provide support for multiple intervals on systemd::job::timer

https://gerrit.wikimedia.org/r/573526

Change 573526 merged by Vgutierrez:
[operations/puppet@production] systemd: Support multiple intervals on job::timer

https://gerrit.wikimedia.org/r/573526

Change 573977 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Support TLS Session tickets

https://gerrit.wikimedia.org/r/573977

Change 577569 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.6-1wm2

https://gerrit.wikimedia.org/r/577569

Mentioned in SAL (#wikimedia-operations) [2020-03-09T10:58:40Z] <vgutierrez> upload pystemd 0.7.0-1wm1 to apt.wm.o (buster) - T245616

Change 573977 merged by Vgutierrez:
[operations/puppet@production] ATS: Support TLS Session tickets

https://gerrit.wikimedia.org/r/573977

Change 578327 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Turn on TLS Session tickets on ulsfo

https://gerrit.wikimedia.org/r/578327

Change 577569 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.6-1wm2

https://gerrit.wikimedia.org/r/577569

Mentioned in SAL (#wikimedia-operations) [2020-03-10T11:56:10Z] <vgutierrez> upload trafficserver 8.0.6-1wm2 to apt.wm.o (buster) - T245616

Mentioned in SAL (#wikimedia-operations) [2020-03-10T13:16:39Z] <vgutierrez> upgrade ATS on ulsfo to 8.0.6-1wm2 - T245616

Change 578327 merged by Vgutierrez:
[operations/puppet@production] ATS: Turn on TLS Session tickets on ulsfo

https://gerrit.wikimedia.org/r/578327

Mentioned in SAL (#wikimedia-operations) [2020-03-10T14:00:33Z] <vgutierrez> reboot cp4026 - T245616

Mentioned in SAL (#wikimedia-operations) [2020-03-10T14:12:38Z] <vgutierrez> Switch to TLS session tickets on ulsfo - T245616

Change 578544 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Re-enable session ID based cache on ulsfo

https://gerrit.wikimedia.org/r/578544

Change 578544 merged by Vgutierrez:
[operations/puppet@production] ATS: Re-enable session ID based cache on ulsfo

https://gerrit.wikimedia.org/r/578544

Mentioned in SAL (#wikimedia-operations) [2020-03-10T15:48:21Z] <vgutierrez> re-enabling session id based caching on ulsfo (along with tls session tickets) - T245616

Change 579262 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.6-1wm3

https://gerrit.wikimedia.org/r/579262

Change 579262 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.6-1wm3

https://gerrit.wikimedia.org/r/579262

Mentioned in SAL (#wikimedia-operations) [2020-03-13T10:09:06Z] <vgutierrez> upload trafficserver 8.0.6-1wm3 to apt.wm.o (buster) - T245616

Change 580872 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix session_ticket_number config name

https://gerrit.wikimedia.org/r/580872

Change 580872 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix session_ticket_number config name

https://gerrit.wikimedia.org/r/580872

Change 580951 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Disable TLS Session tickets in ulsfo

https://gerrit.wikimedia.org/r/580951

Change 580951 merged by Vgutierrez:
[operations/puppet@production] ATS: Disable TLS Session tickets in ulsfo

https://gerrit.wikimedia.org/r/580951

Mentioned in SAL (#wikimedia-operations) [2020-03-18T14:41:32Z] <vgutierrez> disable TLS session tickets in ulsfo - T245616 T170567

Change 583715 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.6-1wm4

https://gerrit.wikimedia.org/r/583715

Change 583715 merged by Vgutierrez:
[operations/debs/trafficserver@master] Release 8.0.6-1wm4

https://gerrit.wikimedia.org/r/583715

Mentioned in SAL (#wikimedia-operations) [2020-03-27T10:04:31Z] <vgutierrez> upload trafficserver 8.0.6-1wm4 to apt.wm.o (buster) - T245616 T170567

Change 583948 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Re-enable TLS tickets in ulsfo

https://gerrit.wikimedia.org/r/583948

Change 583948 merged by Vgutierrez:
[operations/puppet@production] ATS: Re-enable TLS tickets in ulsfo

https://gerrit.wikimedia.org/r/583948

Mentioned in SAL (#wikimedia-operations) [2020-03-30T04:32:45Z] <vgutierrez> upgrade ATS to version 8.0.6-1wm4 on ulsfo - T245616

Mentioned in SAL (#wikimedia-operations) [2020-03-30T04:55:10Z] <vgutierrez> Enable TLS Session tickets in ulsfo - T245616

Change 584877 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable TLS Session tickets in eqsin

https://gerrit.wikimedia.org/r/584877

Change 584877 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable TLS Session tickets in eqsin

https://gerrit.wikimedia.org/r/584877

Mentioned in SAL (#wikimedia-operations) [2020-03-31T13:31:02Z] <vgutierrez> Enable TLS Session tickets in eqsin - T245616

Change 585426 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@esams

https://gerrit.wikimedia.org/r/585426

Change 585426 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@esams

https://gerrit.wikimedia.org/r/585426

Mentioned in SAL (#wikimedia-operations) [2020-04-02T08:21:49Z] <vgutierrez> Enable TLS Session tickets in esams - T245616

Change 585492 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@codfw

https://gerrit.wikimedia.org/r/585492

Change 585492 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 in upload@codfw

https://gerrit.wikimedia.org/r/585492

Mentioned in SAL (#wikimedia-operations) [2020-04-02T14:33:50Z] <vgutierrez> Enable TLS Session tickets in codfw - T245616

Change 585697 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable inbound TLSv1.3 on the upload cluster

https://gerrit.wikimedia.org/r/585697

Change 585697 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable inbound TLSv1.3 on the upload cluster

https://gerrit.wikimedia.org/r/585697

Mentioned in SAL (#wikimedia-operations) [2020-04-06T05:16:21Z] <vgutierrez> Enable TLS Session Tickets on eqiad - T245616