Details
- New Feature
- Status: Closed
- Normal
- Resolution: Won't Fix
- None
- None
- 2
- Server Jade 2016-04-06, Server Jade 2016-04-20
Description
By default, any SSL handshake negotiated in Jetty by trapperkeeper-webservices-jetty9 results in Jetty caching the SSL session and returning an SSL session id to the client, which the client can use to resume the session on a later connection. In some scenarios it may be desirable for the server not to cache SSL sessions at all, e.g., to protect the server from an SSL renegotiation attack until a proper remediation path can be found, or when multiple servers with different certificates sit behind a load-balanced virtual IP address and session reuse is not desirable or practical. See SERVER-207 for some discussion of the issues session caching presents with load-balanced virtual IP addresses.
In order to disable session caching, a new "caching" option could be exposed in the trapperkeeper-webservices-jetty9 configuration. For compatibility, it would probably be best to keep caching SSL sessions by default so that clients can still take advantage of the performance benefits of session reuse.
I believe the lower-level work in Jetty would just involve calling the setSessionCachingEnabled method on the SslContextFactory with a value of true or false, as desired. The setup with the factory is done from ssl-context-factory in jetty9_core.clj.
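The following is an added example, not code from trapperkeeper-webservices-jetty9, of how the proposed option could be threaded into the SslContextFactory setup. The config key name `:ssl-session-caching-enabled`, the namespace and the function names are assumptions; `SslContextFactory` and its `setSessionCachingEnabled` method are the Jetty 9 API the issue refers to.

```clojure
;; Added example, not the project's own code. The config key
;; :ssl-session-caching-enabled and the helper names are assumptions;
;; SslContextFactory/setSessionCachingEnabled is the Jetty 9 API named above.
(ns example.ssl-session-caching
  (:import (org.eclipse.jetty.util.ssl SslContextFactory)))

(defn session-caching-enabled?
  "Read the hypothetical option from the webserver config map.
   Defaults to true so existing deployments keep session resumption;
   anything other than a boolean is rejected rather than silently coerced."
  [config]
  (let [v (get config :ssl-session-caching-enabled true)]
    (when-not (contains? #{true false} v)
      (throw (IllegalArgumentException.
              (str "ssl-session-caching-enabled must be true or false, got: "
                   (pr-str v)))))
    v))

(defn configure-session-caching!
  "Apply the option to a Jetty SslContextFactory. With caching disabled the
   server stops handing out session ids, so every client connection performs
   a full handshake instead of resuming a cached session."
  ^SslContextFactory [^SslContextFactory factory config]
  (.setSessionCachingEnabled factory (session-caching-enabled? config))
  factory)

(comment
  ;; A server behind a load-balanced virtual IP where each backend has its
  ;; own certificate: disable caching so clients never try to resume a
  ;; session against a different backend. Paths/passwords are placeholders.
  (let [factory (doto (SslContextFactory.)
                  (.setKeyStorePath "/placeholder/path/to/keystore")
                  (.setKeyStorePassword "placeholder-password"))]
    (configure-session-caching! factory {:ssl-session-caching-enabled false})
    (.isSessionCachingEnabled factory)))
```

The default-to-true behaviour matches the compatibility point made above: operators who do not set the option keep session resumption, and only those who opt out pay the full-handshake cost on every connection.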
Issue Links
- relates to
  - TK-125 Provide option for disabling SSL session reuse in clj-http-client (Closed)
  - SERVER-1256 Promote fix for TK-124 through puppet-server and into PE (Closed)
  - SERVER-218 Document options for SSL renegotiation w/ virtual ips (Closed)
  - SERVER-207 puppetserver does not handle ssl renegotiation to different puppetdb servers behind a vip (Closed)
  - SERVER-216 Allow SSL session use to be disabled for client connections (Closed)
- links to