Traffic Vault: Fix reencrypt utility to uniquely reencrypt ssl keys #7159

Merged
merged 2 commits into from Oct 25, 2022

@tcfdev tcfdev commented Oct 25, 2022

Closes: #7158

A Traffic Vault utility called reencrypt allows for the ability to take previously encrypted values in the Traffic Vault DB and apply a new AES key for encryption. However, there was a bug in which the "last" ssl key (misnomer) pulled from the DB during encryption would overwrite and wipe all other versions of ssl keys. This PR addresses said bug.


Which Traffic Control components are affected by this PR?

  • Traffic Vault (technically a support utility called reencrypt)

What is the best way to verify this PR?

Previously existing "tests" should continue to work.

Manually verify:

  1. Obtain a dump of an existing DB with the AES key that was initially used to encrypt the data (Or create a DB with sufficient data and use an AES key to encrypt said data).
  2. Create a new, different AES key from the original.
  3. Restore the DB into a test/verification DB location.
  4. Run the reencrypt utility with the necessary connection info specified in the reencrypt.conf file, along with passing in the file path locations for the previous AES key as well as the new AES key.
  5. Observe that the data column in the sslkey table has been reencrypted AND unique values exist for each version under a particular Delivery Service.

If this is a bugfix, which Traffic Control versions contained the bug?

PR submission checklist

@mitchell852 mitchell852 added the Traffic Vault related to Traffic Vault label Oct 25, 2022
@ocket8888 ocket8888 added bug something isn't working as intended medium impact impacts a significant portion of a CDN, or has the potential to do so low difficulty the estimated level of effort to resolve this issue is low labels Oct 25, 2022

@ocket8888 ocket8888 left a comment

Appears to fix the bug

@ocket8888 ocket8888 merged commit 33b86c5 into apache:master Oct 25, 2022
@asf-ci asf-ci mentioned this pull request Nov 1, 2022
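
The check in step 5 of the manual verification, as an added Go example that is not part of this PR or of the reencrypt utility: it compares a pre-run snapshot of the rows with the post-run rows and flags any row that is undecryptable with the new key or whose plaintext changed. AES-GCM with a prepended nonce, the `ds/version` row id, and all names, keys and sample rows are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func GCM(key []byte) cipher.AEAD { // AES-GCM is an assumed mode for this example
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	g, _ := cipher.NewGCM(b) // cannot fail for an AES block cipher
	return g
}

func Seal(g cipher.AEAD, pt []byte) []byte { // output layout: nonce || ciphertext
	n := make([]byte, g.NonceSize())
	rand.Read(n) // fresh random nonce per row; error ignored in this example
	return g.Seal(n, n, pt, nil)
}

func open(g cipher.AEAD, d []byte) (pt []byte) { // nil when d fails authentication under g
	if len(d) >= g.NonceSize() {
		pt, _ = g.Open(nil, d[:g.NonceSize()], d[g.NonceSize():], nil)
	}
	return pt
}

// Verify maps "ds/version" to a finding for every post-run row that is wrong.
func Verify(before, after map[string][]byte, oldG, newG cipher.AEAD) map[string]string {
	bad := map[string]string{}
	for id, d := range after {
		if pt := open(newG, d); pt == nil {
			bad[id] = "not decryptable with new key"
		} else if string(pt) != string(open(oldG, before[id])) {
			bad[id] = "plaintext differs from pre-run snapshot"
		}
	}
	return bad
}

func main() {
	o, n := GCM([]byte("constructed-old-key-0123456789ab")), GCM([]byte("constructed-new-key-0123456789ab"))
	before := map[string][]byte{"ds1/1": Seal(o, []byte("A")), "ds1/2": Seal(o, []byte("B"))}
	last := Seal(n, []byte("B")) // constructed failure: one value written to every version
	fmt.Println(Verify(before, map[string][]byte{"ds1/1": last, "ds1/2": last}, o, n))
}
```

In the constructed failure both rows decrypt cleanly under the new key, so a decrypt-only check would pass; only the comparison against the snapshot exposes the overwritten version.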
Successfully merging this pull request may close these issues.

Traffic Vault: Reencrypt utility wipes different SSL Keys during update