mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00
Code Issues Releases Wiki Activity

Add "session-tickets" options to the "tls" clause

Browse Source 
This commit adds the ability to enable or disable stateless TLS
session resumption tickets (see RFC5077). Having this ability is
twofold.

Firstly, these tickets are encrypted by the server, and the algorithm
might be weaker than the algorithm negotiated during the TLS session
establishment (it is in general the case for TLSv1.2, but the generic
principle applies to TLSv1.3 as well, despite it having better ciphers
for session tickets). Thus, they might compromise Perfect Forward
Secrecy.

Secondly, disabling it might be necessary if the same TLS key/cert
pair is supposed to be used by multiple servers to achieve, e.g., load
balancing because the session ticket by default gets generated in
runtime, while to achieve successful session resumption ability, in
this case, would have required using a shared key.

The proper alternative to having the ability to disable stateless TLS
session resumption tickets is to implement a proper session tickets
key rollover mechanism so that key rotation might be performed
often (e.g. once an hour) to not compromise forward secrecy while
retaining the associated performance benefits. That is much more work,
though. On the other hand, having the ability to disable session
tickets allows having a deployable configuration right now in the
cases when either forward secrecy is wanted or sharing the TLS
key/cert pair between multiple servers is needed (or both).
This commit is contained in:
Artem Boldariev
2021-09-21 14:09:56 +03:00
parent 16c6e2be06
commit c759f25c7b
14 changed files with 56 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
bin/named/server.c
View File

@@ -11027,6 +11027,7 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
*ciphers = NULL;
bool tls_prefer_server_ciphers = false,
tls_prefer_server_ciphers_set = false;
bool tls_session_tickets = false, tls_session_tickets_set = false;
bool do_tls = false, no_tls = false, http = false;
ns_listenelt_t *delt = NULL;
uint32_t tls_protos = 0;
@@ -11052,6 +11053,7 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
const cfg_obj_t *tls_proto_list = NULL;
const cfg_obj_t *ciphers_obj = NULL;
const cfg_obj_t *prefer_server_ciphers_obj = NULL;
const cfg_obj_t *session_tickets_obj = NULL;
do_tls = true;
@@ -11109,6 +11111,14 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
prefer_server_ciphers_obj);
tls_prefer_server_ciphers_set = true;
}
if (cfg_map_get(tlsmap, "session-tickets",
&session_tickets_obj) == ISC_R_SUCCESS)
{
tls_session_tickets =
cfg_obj_asboolean(session_tickets_obj);
tls_session_tickets_set = true;
}
}
}
@@ -11120,6 +11130,8 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
.ciphers = ciphers,
.prefer_server_ciphers = tls_prefer_server_ciphers,
.prefer_server_ciphers_set = tls_prefer_server_ciphers_set,
.session_tickets = tls_session_tickets,
.session_tickets_set = tls_session_tickets_set
};
httpobj = cfg_tuple_get(ltup, "http");