Traffic Vault: Reencrypt utility wipes different SSL Keys during update #7158

Closed
tcfdev opened this issue Oct 25, 2022 · 0 comments · Fixed by #7159
Labels
  • bug: something isn't working as intended
  • low difficulty: the estimated level of effort to resolve this issue is low
  • medium impact: impacts a significant portion of a CDN, or has the potential to do so
  • Traffic Vault: related to Traffic Vault

Comments

@tcfdev
Collaborator

tcfdev commented Oct 25, 2022

This Bug Report affects these Traffic Control components:

  • Traffic Vault

Current behavior:

When running the reencrypt utility located at trafficcontrol/traffic_ops/app/db/reencrypt/reencrypt.go for SSL Keys (misnomer), all versions of the SSL Keys entries are replaced by a single entry multiple times. As an example, if a delivery service has multiple "versions" of SSL Key data information, all of them are reencrypted into a single data blob for every version.

Before running reencrypt:

| DeliveryServiceXMLId | Version | Data |
| --- | --- | --- |
| sampleDS1 | latest | \xa0f3d800... |
| sampleDS1 | 2 | \x93c7b213... |
| sampleDS1 | 1 | \x7418e801... |
| sampleDS2 | latest | \x48b1c9ff... |
| sampleDS2 | 3 | \x88b7a3dd... |
| sampleDS2 | 2 | \x1967c3b9... |
| sampleDS2 | 1 | \x19f3a2bb... |

After running reencrypt (notice the data columns have the same value for each DS, regardless of the version):

| DeliveryServiceXMLId | Version | Data |
| --- | --- | --- |
| sampleDS1 | latest | \xc4f1a823... |
| sampleDS1 | 2 | \xc4f1a823... |
| sampleDS1 | 1 | \xc4f1a823... |
| sampleDS2 | latest | \xaa45b8f1... |
| sampleDS2 | 3 | \xaa45b8f1... |
| sampleDS2 | 2 | \xaa45b8f1... |
| sampleDS2 | 1 | \xaa45b8f1... |

Expected behavior:

Each row should be uniquely decrypted and reencrypted, resulting in different, correctly encrypted data for each delivery service SSL key version.

Steps to reproduce:

Execute the reencrypt utility on a Traffic Vault dump with a delivery service that has 3 or more entries (2 or more versions plus 'latest') for SSL Keys.

@tcfdev tcfdev added the bug something isn't working as intended label Oct 25, 2022
@mitchell852 mitchell852 added the Traffic Vault related to Traffic Vault label Oct 25, 2022
@ocket8888 ocket8888 added medium impact impacts a significant portion of a CDN, or has the potential to do so low difficulty the estimated level of effort to resolve this issue is low labels Oct 25, 2022
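
A post-run check for the symptom reported in this issue, as an added example that is not part of the original report or the Traffic Control code base: it flags delivery services whose key versions carry byte-identical encrypted blobs. The `Row` type, `CollapsedVersions` and the sample rows are constructed for illustration, and the check assumes intact rows never share a blob, as in the "before" table.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// Row mirrors the three columns shown in the issue's tables (hypothetical type).
type Row struct {
	XMLID, Version string
	Data           []byte
}

// CollapsedVersions lists, per delivery service, versions sharing one encrypted blob.
func CollapsedVersions(rows []Row) map[string][]string {
	type group struct {
		xmlID string
		sum   [sha256.Size]byte
	}
	seen := map[group][]string{}
	for _, r := range rows {
		g := group{r.XMLID, sha256.Sum256(r.Data)}
		seen[g] = append(seen[g], r.Version)
	}
	out := map[string][]string{}
	for g, versions := range seen {
		if len(versions) > 1 { // same blob stored under several versions
			out[g.xmlID] = append(out[g.xmlID], versions...)
		}
	}
	for id := range out {
		sort.Strings(out[id])
	}
	return out
}
// Constructed sample rows; the blobs are placeholders, not real key data.
var before = []Row{
	{"sampleDS1", "latest", []byte("blob-a")}, {"sampleDS1", "2", []byte("blob-b")},
	{"sampleDS1", "1", []byte("blob-c")}, {"sampleDS2", "latest", []byte("blob-d")},
}
var after = []Row{
	{"sampleDS1", "latest", []byte("blob-x")}, {"sampleDS1", "2", []byte("blob-x")},
	{"sampleDS1", "1", []byte("blob-x")}, {"sampleDS2", "latest", []byte("blob-y")},
}

func main() {
	fmt.Println(CollapsedVersions(before), CollapsedVersions(after))
}
```

Running it against rows exported before and after a re-encryption run shows whether any delivery service has lost its per-version data; a non-empty result after the run means the backup taken beforehand is the only copy of the overwritten versions.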