Puppet Server
SERVER-216: Allow SSL session use to be disabled for client connections

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: SERVER 0.4.0
    • Fix Version/s: None
    • Component/s: None

By default, any SSL handshake completed by a Puppet Server HTTP client request in which the server returns an SSL session id results in the client attempting to resume that SSL session for a subsequent request made on a new connection. In some scenarios it may be desirable to prevent the client from trying to resume SSL sessions, e.g., to protect the client from an SSL renegotiation attack until a proper remediation path can be found, or when multiple servers with different certificates sit behind a load-balanced virtual IP address and session reuse is not desirable or practical. See SERVER-207 for some discussion of the issues session caching presents with load-balanced virtual IP addresses.

In order to disable session caching, a new "allow session creation" http-client option could be exposed alongside the other SSL-related options that Puppet Server already uses, ssl-protocols and cipher-suites. For compatibility, it would probably be best to allow SSL sessions to be created and resumed by default so that clients continue to get the performance benefit of session resumption.

The new option would need to be read by the Ruby layer (http_client.rb) in Puppet Server while setting up a request and passed through to the underlying clj-http-client library. This work depends on a new feature in clj-http-client that would expose the setting; the clj-http-client work is tracked in TK-125.

Archana Sridhar
Jeremy Barlow
QA Contact: Erik Dasher
