Add option to configure TLS session ticket keys #4550

Open
SISheogorath opened this issue Mar 4, 2019 · 6 comments
Labels
area/tls kind/enhancement a new or improved feature. priority/P2 need to be fixed in the future

Comments

@SISheogorath

Do you want to request a feature or report a bug?

Feature

What did you expect to see?

Traefik uses TLS session tickets; those are TLS parameters, encrypted by a server-side key, that are sent to the server in order to do session resumption and this way speed up the initial handshake.

The problem: As soon as you run more than one instance you need to synchronize those keys, otherwise the tickets become useless. So I was looking for a way to set them. The documentation doesn't mention it, and searching for the golang function to set them brings up empty results for Traefik.

I expected some kind of config parameter in the TLS config to configure one (or even better multiple) of those keys, to run TLS with full steam.

@geraldcroes geraldcroes added kind/enhancement a new or improved feature. priority/P2 need to be fixed in the future area/tls and removed status/0-needs-triage labels Mar 5, 2019
@jsnider2

It looks like https://golang.org/pkg/crypto/tls/#Config.SetSessionTicketKeys is the right place. By default Go rotates these, new key daily, accepting older keys for seven days. I don't see anything setting them in tlsmanager.go so I assume it is using that default behavior which is fine for a single instance. Since they are in memory they are lost on a restart but by design that happens rarely.

You'd want to replicate that rotation scheme in whatever setup you have and they should be treated similarly to certificates. In the Kubernetes IngressRoute provider I would expect to see a setting in TLS Options that refers to a Secret. In the file provider I would expect it would refer to an external file. The contents could be newline separated hex encoded 32 byte keys. Traefik would have to watch for changes to that Secret/file/whatever and make an array of byte arrays to call SetSessionTicketKeys. Actually performing the key generation and rotation I would expect to be left as an exercise for the admin.

@danmx

danmx commented Nov 13, 2020

I think a storage backend for those keys should be programmable. K8s is only one of the environments where Traefik can be deployed.

It could be an extension to existing dynamic configuration.

@nodesocket

Is session cache supported? I know in NGINX this is implemented using:

```nginx
ssl_session_cache shared:SSL:64m;
ssl_session_timeout 60m;
ssl_session_tickets off;
```

@SISheogorath
Author

As far as I know, no. Traefik does not support session storage as replacement for session tickets. At least the documentation doesn't mention any way to configure it and an ssllabs analysis mentioned that session resumption by session ID is not supported.

@mzealey

mzealey commented Dec 5, 2023

This would be useful for us. haproxy supports a TLS ticket keys file (https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#5.1-tls-ticket-keys) whereby you can append keys in order to keep and rotate as much as you would like.
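The two designs floated in this thread (jsnider2's newline-separated file of hex-encoded 32-byte keys handed to `SetSessionTicketKeys`, and the HAProxy-style append-only key file mzealey mentions) can be joined in a small Go loader. The code below is an added example, not Traefik's code and not a proposed patch; the file format, the `#`-comment convention and the key values are assumptions. It parses such a file, rejects keys of the wrong length and duplicates (a repeated key silently shortens the effective rotation window), reverses append order into the order `crypto/tls` wants (first key encrypts new tickets, every key may decrypt), and installs the list on a `tls.Config`. Note that once `SetSessionTicketKeys` is called Go stops its own automatic rotation, so re-running this loader whenever the shared file changes becomes the operator's rotation mechanism, exactly the "left as an exercise for the admin" part above.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ticketKeyLen is the key size crypto/tls.Config.SetSessionTicketKeys expects.
const ticketKeyLen = 32

// ParseTicketKeyFile parses the hypothetical key file format discussed in the
// thread: one hex-encoded 32-byte key per line, blank lines and "#" comments
// ignored. Wrong-length keys and duplicates are rejected.
func ParseTicketKeyFile(contents string) ([][ticketKeyLen]byte, error) {
	var keys [][ticketKeyLen]byte
	seen := make(map[[ticketKeyLen]byte]bool)
	sc := bufio.NewScanner(strings.NewReader(contents))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		raw, err := hex.DecodeString(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: not hex: %w", lineNo, err)
		}
		if len(raw) != ticketKeyLen {
			return nil, fmt.Errorf("line %d: key is %d bytes, want %d", lineNo, len(raw), ticketKeyLen)
		}
		var k [ticketKeyLen]byte
		copy(k[:], raw)
		if seen[k] {
			return nil, fmt.Errorf("line %d: duplicate key", lineNo)
		}
		seen[k] = true
		keys = append(keys, k)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if len(keys) == 0 {
		return nil, errors.New("no session ticket keys found")
	}
	return keys, nil
}

// OrderForGo turns an append-only file (oldest key first, newest appended
// last) into crypto/tls order: the first key encrypts new tickets, the
// remaining keys are only used to decrypt tickets issued earlier.
func OrderForGo(appendOrder [][ticketKeyLen]byte) [][ticketKeyLen]byte {
	out := make([][ticketKeyLen]byte, len(appendOrder))
	for i, k := range appendOrder {
		out[len(appendOrder)-1-i] = k
	}
	return out
}

// ApplyTicketKeys installs the keys on cfg. Calling it again after the shared
// file changes is how every instance picks up a rotation while still being
// able to decrypt tickets issued by its peers under the older keys.
func ApplyTicketKeys(cfg *tls.Config, keys [][ticketKeyLen]byte) error {
	if len(keys) == 0 {
		// SetSessionTicketKeys panics on an empty slice; fail cleanly instead.
		return errors.New("refusing to install an empty session ticket key list")
	}
	cfg.SetSessionTicketKeys(keys)
	return nil
}

// sampleKeyFile is a constructed example file with two placeholder keys in
// append order (oldest first). These are not real secrets; a deployment would
// generate keys with a CSPRNG.
var sampleKeyFile = "# oldest first, newest last\n" +
	strings.Repeat("00", 31) + "aa\n" +
	strings.Repeat("00", 31) + "bb\n"

func main() {
	keys, err := ParseTicketKeyFile(sampleKeyFile)
	if err != nil {
		panic(err)
	}
	ordered := OrderForGo(keys)
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if err := ApplyTicketKeys(cfg, ordered); err != nil {
		panic(err)
	}
	fmt.Printf("installed %d keys; new tickets use key ending in %02x\n", len(ordered), ordered[0][ticketKeyLen-1])
}
```

The same loader would sit behind a file watcher in the file provider or a Secret informer in the Kubernetes provider; the only provider-specific part is where the bytes come from.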
