Page MenuHomePhabricator
Create Task
Maniphest T86671

HTTPS RFC5077 session tickets encryption key rollovers
Closed, DuplicatePublic
Actions

Description

We should use nginx's newly-supported feature (plus scripts we should write) to perform staggered master encryption key rollovers for RFC 5077 session tickers.

Related Objects
Search...

Event Timeline

faidon created this task.Jan 13 2015, 3:01 PM
faidon raised the priority of this task from to High.
faidon updated the task description. (Show Details)
faidon added projects: HTTPS-by-default, ops-core, HTTPS.
faidon added a subtask: T86648: Upgrade all HTTP frontends to Debian jessie.
faidon added subscribers: Aklapper, faidon, mark, BBlack.
Liuxinyu970226 subscribed.Feb 3 2015, 5:31 AM
BBlack closed this task as Resolved.Feb 27 2015, 2:47 PM
BBlack claimed this task.

For the time being, we've decided to simply disable RFC5077 session tickets in the new jessie setup, as we're using client IP hashing for session id resumption, and it sidesteps the whole issue of the affect of RFC5077 on PFS.

As part of the change for this ( https://gerrit.wikimedia.org/r/#/c/189613/ ), we implemented a cronjob to roll over the keys in a simple manner on the legacy boxes (as tickets can't be disabled there), so closing this issue for now. We can raise a new issue if/when we decide to re-architect our scalability around RFC5077 mechanisms at a later date.

Liuxinyu970226 unsubscribed.Feb 28 2015, 1:31 AM
BBlack closed subtask T86648: Upgrade all HTTP frontends to Debian jessie as Resolved.Mar 13 2015, 7:24 PM
BBlack reopened this task as Open.Aug 7 2015, 1:42 PM
BBlack mentioned this in T86666: HTTPS performance tuning.

Re-opening this. Current thinking is we will eventually do this, and it's do-able with our current software stack. Just requires some engineering effort on secure distribution and synchronized rotation of a set of randomly-generated keys...

Restricted Application added a subscriber: Matanya. · View Herald TranscriptAug 7 2015, 1:43 PM
BBlack lowered the priority of this task from High to Medium.Aug 7 2015, 1:44 PM
BBlack edited projects, added Traffic; removed HTTPS-by-default.
BBlack set Security to None.
BBlack moved this task from Backlog to TLS on the Traffic board.Sep 30 2016, 1:43 PM
BBlack added a comment.Oct 23 2017, 3:17 PM

We still haven't had time to work on doing this "right". Most likely the effort is better invested doing similar things on the TLSv1.3 side at this point, rather than trying to tack on RFC5077 for TLSv1.2.

BBlack closed this task as a duplicate of T170567: Support TLSv1.3.Oct 23 2017, 3:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL