Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: Support for session ticket key rotation #9994

Closed
titanous opened this issue Feb 25, 2015 · 4 comments
Closed

crypto/tls: Support for session ticket key rotation #9994

titanous opened this issue Feb 25, 2015 · 4 comments
Assignees
Milestone

Comments

@titanous
Copy link
Member

@titanous titanous commented Feb 25, 2015

In order to rotate session ticket keys effectively, it is useful for the TLS server implementation to support accepting connections with tickets encrypted with previous key(s). Currently the server supports a single session ticket key, and it is not easy to rotate the key. Also, the server cannot be configured to accept tickets encrypted with old keys.

One solution to this is to add two optional fields to *tls.Config:

// GetSessionTicketKey returns the current session ticket key.
GetSessionTicketKey func(*ClientHelloInfo) ([32]byte, error)

// AllowPreviousSessionTicketKeys specifies the number of previous
// unique session ticket keys retrieved from GetSessionTicketKey that
// will be used to accept session tickets.
AllowPreviousSessionTicketKeys int

This way the server could cache n previous keys and when a session ticket using an old key is encountered it would send a new session ticket encrypted with the current key.

This is certainly not the only approach that could be taken, just a strawman proposal to start discussion.

/cc @agl

@rsc

This comment has been minimized.

Copy link
Contributor

@rsc rsc commented Apr 10, 2015

Adam, thoughts?

@rsc rsc added this to the Go1.5Maybe milestone Apr 10, 2015
@agl agl self-assigned this Apr 12, 2015
@agl agl modified the milestones: Unplanned, Go1.5Maybe Apr 12, 2015
@agl

This comment has been minimized.

Copy link
Contributor

@agl agl commented Apr 12, 2015

This is a reasonable request for larger sites. However, I don't expect that it'll make 1.5.

Since this will require a lock in the Config structure, I initially think that it might be best supported by a function: tls.Config.SetSessionTicketKeys([][32]byte) where the first element in the slice is the 'current' key and all the others are candidates.

@titanous

This comment has been minimized.

Copy link
Member Author

@titanous titanous commented Apr 18, 2015

@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Apr 25, 2015

CL https://golang.org/cl/9072 mentions this issue.

@agl agl closed this in bff1417 Apr 26, 2015
@mikioh mikioh modified the milestones: Go1.5, Unplanned May 15, 2015
@golang golang locked and limited conversation to collaborators Aug 8, 2016
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
This change adds a new method to tls.Config, SetSessionTicketKeys, that
changes the key used to encrypt session tickets while the server is
running. Additional keys may be provided that will be used to maintain
continuity while rotating keys. If a ticket encrypted with an old key is
provided by the client, the server will resume the session and provide
the client with a ticket encrypted using the new key.

Fixes golang#9994

Change-Id: Idbc16b10ff39616109a51ed39a6fa208faad5b4e
Reviewed-on: https://go-review.googlesource.com/9072
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
Reviewed-by: Adam Langley <agl@golang.org>
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
This change adds a new method to tls.Config, SetSessionTicketKeys, that
changes the key used to encrypt session tickets while the server is
running. Additional keys may be provided that will be used to maintain
continuity while rotating keys. If a ticket encrypted with an old key is
provided by the client, the server will resume the session and provide
the client with a ticket encrypted using the new key.

Fixes golang#9994

Change-Id: Idbc16b10ff39616109a51ed39a6fa208faad5b4e
Reviewed-on: https://go-review.googlesource.com/9072
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
Reviewed-by: Adam Langley <agl@golang.org>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.