Page MenuHomePhabricator

HTTPS RFC5077 session tickets encryption key rollovers
Closed, DuplicatePublic

Description

We should use nginx's newly-supported feature (plus scripts we should write) to perform staggered master encryption key rollovers for RFC 5077 session tickers.

Event Timeline

faidon created this task.Jan 13 2015, 3:01 PM
faidon raised the priority of this task from to High.
faidon updated the task description. (Show Details)
faidon added subscribers: Aklapper, faidon, mark, BBlack.
BBlack closed this task as Resolved.Feb 27 2015, 2:47 PM
BBlack claimed this task.

For the time being, we've decided to simply disable RFC5077 session tickets in the new jessie setup, as we're using client IP hashing for session id resumption, and it sidesteps the whole issue of the affect of RFC5077 on PFS.

As part of the change for this ( https://gerrit.wikimedia.org/r/#/c/189613/ ), we implemented a cronjob to roll over the keys in a simple manner on the legacy boxes (as tickets can't be disabled there), so closing this issue for now. We can raise a new issue if/when we decide to re-architect our scalability around RFC5077 mechanisms at a later date.

BBlack reopened this task as Open.Aug 7 2015, 1:42 PM

Re-opening this. Current thinking is we will eventually do this, and it's do-able with our current software stack. Just requires some engineering effort on secure distribution and synchronized rotation of a set of randomly-generated keys...

Restricted Application added a subscriber: Matanya. · View Herald TranscriptAug 7 2015, 1:43 PM
BBlack lowered the priority of this task from High to Medium.Aug 7 2015, 1:44 PM
BBlack edited projects, added Traffic; removed HTTPS-by-default.
BBlack set Security to None.
BBlack moved this task from Triage to TLS on the Traffic board.Sep 30 2016, 1:43 PM

We still haven't had time to work on doing this "right". Most likely the effort is better invested doing similar things on the TLSv1.3 side at this point, rather than trying to tack on RFC5077 for TLSv1.2.

BBlack closed this task as a duplicate of T170567: Support TLSv1.3.Oct 23 2017, 3:17 PM