Details
- Type: New Feature
- Status: Closed
- Priority: Normal
- Resolution: Won't Fix
- Affects Version/s: SERVER 0.4.0
Description
By default, any SSL handshake completed by a Puppet Server HTTP client request where the server returns an SSL session id results in the client attempting to resume the SSL session for a request made on a new connection. In some scenarios it may be desirable not to have the client try to resume SSL sessions, e.g., to protect the client from an SSL renegotiation attack until a proper remediation path can be found, or when multiple servers with different certificates sit behind a load-balanced virtual IP address and session reuse is not desirable or practical. See SERVER-207 for some discussion of the issues session caching presents around load-balanced virtual IP addresses.
In order to disable session caching, a new "allow session creation" http-client option could be exposed alongside the other SSL-related options that Puppet Server uses, ssl-protocols and cipher-suites. For compatibility, it would probably be best to allow SSL sessions to be created/resumed by default so that clients can take advantage of the performance benefits of session resumption.
The new option would need to be read by the Ruby layer http_client.rb code in Puppet Server in the process of setting up a request and passed through to the underlying clj-http-client library. This work would be dependent upon a new feature in the clj-http-client library which would expose the setting. The clj-http-client work is documented in TK-125.
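A worked example, added by the editor and not code from this issue, Puppet Server or clj-http-client: a Ruby OpenSSL client and a loopback TLS 1.2 server that exercise the kind of option the issue proposes. Ruby's OpenSSL binding stands in for the JSSE stack that clj-http-client uses; the names `TlsClient`, `allow_session_resumption`, `build_self_signed`, `start_demo_server` and `demo` are assumptions, the server certificate is generated at run time, and the option defaults to true as the issue recommends. With the option on, the second connection to the same host:port reports `session_reused?` true; with it off, every connection is a full handshake, which is the behaviour the load-balanced VIP case in SERVER-207 needs.

```ruby
require 'openssl'
require 'socket'

# Self-signed server certificate generated at run time for the loopback demo
# (constructed for this example; not Puppet Server CA material).
def build_self_signed(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, so extensions are allowed
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{common_name},IP:127.0.0.1"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# TLS 1.2 server (session ids / tickets, as in the issue) with server-side session
# caching on; it accepts a fixed number of connections and sends one greeting line each.
def start_demo_server(key, cert, connections)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_SERVER
  listener = TCPServer.new('127.0.0.1', 0)
  port = listener.addr[1]
  thread = Thread.new do
    connections.times do
      tcp = listener.accept
      begin
        ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
        ssl.sync_close = true
        ssl.accept
        ssl.puts 'hello'
        ssl.close
      rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
        tcp.close unless tcp.closed?
      end
    end
    listener.close
  end
  [port, thread]
end

# Client carrying the proposed option (name assumed). When allow_session_resumption is
# false no session is cached and none is offered on the next connection, so every
# handshake is a full one; when true the last session per host:port is offered again.
class TlsClient
  def initialize(trusted_cert, allow_session_resumption: true)
    @allow = allow_session_resumption
    store = OpenSSL::X509::Store.new
    store.add_cert(trusted_cert)
    @ctx = OpenSSL::SSL::SSLContext.new
    @ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
    @ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    @ctx.cert_store = store
    @ctx.session_cache_mode = @allow ? OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT : OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF
    @sessions = {} # "host:port" => last OpenSSL::SSL::Session seen for that peer
  end

  # Connects, verifies the peer, reads the greeting and reports whether the handshake resumed.
  def connect(host, port)
    tcp = TCPSocket.new(host, port)
    ssl = OpenSSL::SSL::SSLSocket.new(tcp, @ctx)
    ssl.sync_close = true
    key = "#{host}:#{port}"
    ssl.session = @sessions[key] if @allow && @sessions[key]
    ssl.connect
    ssl.post_connection_check(host)
    @sessions[key] = ssl.session if @allow
    ssl.gets
    ssl.session_reused?
  ensure
    ssl&.close
  end
end

# Two connections per client mode; each value is [first resumed?, second resumed?].
def demo
  key, cert = build_self_signed('localhost')
  port, server = start_demo_server(key, cert, 4)
  runs = ->(client) { Array.new(2) { client.connect('127.0.0.1', port) } }
  result = { resuming: runs.call(TlsClient.new(cert, allow_session_resumption: true)),
             non_resuming: runs.call(TlsClient.new(cert, allow_session_resumption: false)) }
  server.join
  result
end

p demo if __FILE__ == $PROGRAM_NAME
```

Run with `ruby`; it prints resumed flags of [false, true] for the resuming client and [false, false] for the client with the option off. One difference from the JSSE stack worth keeping in mind: a JSSE client consults its session cache automatically, whereas an OpenSSL client resumes only when the application offers a stored session, which is why `TlsClient` sets `ssl.session` explicitly and skips that step entirely when the option is off.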
Issue Links
- relates to
  - TK-124 Provide option for disabling TLS/SSL session caching in Jetty webserver (Closed)
  - SERVER-1256 Promote fix for TK-124 through puppet-server and into PE (Closed)
  - SERVER-218 Document options for SSL renegotiation w/ virtual ips (Closed)
  - SERVER-207 puppetserver does not handle ssl renegotiation to different puppetdb servers behind a vip (Closed)
  - TK-125 Provide option for disabling SSL session reuse in clj-http-client (Closed)