Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-216

Allow SSL session use to be disabled for client connections



    • New Feature
    • Status: Closed
    • Normal
    • Resolution: Won't Fix
    • SERVER 0.4.0
    • None
    • None
    • None


      By default, any SSL handshake completed by an Puppet Server HTTP client request where the server returns an SSL session id results in the client attempting to resume the SSL session for a request made on a new connection. In some scenarios it may be desirable to not have the client try to resume SSL sessions, e.g., to protect the client from an SSL renegotation attack until a proper remediation path can be found or when multiple servers having different certificates are hidden behind a load balanced virtual ip address and session reuse is not desirable / practical. See SERVER-207 for some discussion on the issues session caching presents around load-balanced virtual ip addresses.

      In order to disable session caching, a new "allow session creation" http-client option could be exposed alongside the other SSL-related options that Puppet Server uses, ssl-protocols and cipher-suites. For compatibility, it would probably be best to allow SSL sessions to be created/resumed by default so that clients can take advantage of the performance benefits of renegotiation.

      The new option would need to be read by the Ruby layer http_client.rb code in Puppet Server in the process of setting up a request and passed through to the underlying clj-http-client library. This work would be dependent upon a new feature in the clj-http-client library which would expose the setting. The clj-http-client work is documented in TK-125.


        Issue Links



              archana.sridhar Archana Sridhar
              jeremy.barlow Jeremy Barlow
              Erik Dasher Erik Dasher
              0 Vote for this issue
              10 Start watching this issue



                Zendesk Support