TLS session ticket extension not working in cluster #5871
The current implementation of TLS in node prevents resumption of TLS sessions via TLS session ticket extension when the application is running in a cluster.
The reason is that
```c
/* Setup RFC4507 ticket keys */
if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0) ||
    (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0) ||
    (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
    ret->options |= SSL_OP_NO_TICKET;
```
To fix the issue, all workers must initialize OpenSSL with the same keys.
```c
unsigned char keys[48]; /* TODO obtain a sequence of random 48 bytes shared by all workers */
/* Tell OpenSSL to use those keys */
SSL_CTX_set_tlsext_ticket_keys(ctx, keys, sizeof(keys));
```
A simple solution comes to my mind: we could generate the keys in the master process and distribute them to all workers. Either on
See this article for more information and possible caveats.
Can we at least modify the TLS server in v0.10 so that it disables the TLS session ticket extension when running in a cluster worker?
Otherwise I don't see any decent workaround for the problem (I don't count downgrading the server to SSLv3 or forcing your Chrome/Firefox users to not use tickets as solutions).
EDIT: Disabling session tickets in workers will also remove most of the slowdown caused by #5872.
Cool, I didn't know that option.
I discussed this with Ben on IRC and disabling the SSL session ticket extension is probably not a good idea. The cluster in v0.10 is not round-robin, so there is a very high chance that most of your connections will be handled by the same worker.