Trapperkeeper / TK-124

Provide option for disabling TLS/SSL session caching in Jetty webserver

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Story Points: 2
    • Sprint: Server Jade 2016-04-06, Server Jade 2016-04-20

      Description

      By default, any SSL handshake negotiated in Jetty by trapperkeeper-webservices-jetty9 results in Jetty caching the SSL session and returning an SSL session id to the client for the client to use in resuming the session on a later connection. In some scenarios it may be desirable to not have the server cache SSL sessions, e.g., to protect the server from an SSL renegotiation attack until a proper remediation path can be found, or when multiple servers having different certificates are hidden behind a load-balanced virtual IP address and session reuse is not desirable or practical. See SERVER-207 for some discussion on the issues session caching presents around load-balanced virtual IP addresses.

      In order to disable session caching, a new "caching" option could be exposed in the trapperkeeper-webservices-jetty9 configuration. For compatibility, it would probably be best to allow SSL sessions to be cached by default so that clients can take advantage of the performance benefits of renegotiation.

      I believe the lower-level work in Jetty would just involve calling the setSessionCachingEnabled method on the SslContextFactory with a value of true or false, as desired. The setup with the factory is done from ssl-context-factory in jetty9_core.clj.
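      As an added illustration (not code from trapperkeeper-webservices-jetty9 itself), the following Clojure sketch shows how such an option could be wired from the webserver config map onto the Jetty SslContextFactory. The config key `:ssl-session-caching` is a hypothetical name; it defaults to true so existing clients keep session resumption unless an operator opts out, and non-boolean values are rejected rather than silently coerced.

```clojure
(ns example.ssl-session-caching
  (:import (org.eclipse.jetty.util.ssl SslContextFactory)))

(defn configure-session-caching!
  "Applies the hypothetical `:ssl-session-caching` key of the webserver
  config map to a Jetty SslContextFactory.  When the key is absent, Jetty's
  default (session caching enabled) is kept for backwards compatibility."
  [^SslContextFactory factory config]
  (let [enabled? (get config :ssl-session-caching true)]
    (when-not (instance? Boolean enabled?)
      (throw (IllegalArgumentException.
              (str "ssl-session-caching must be true or false, got: "
                   (pr-str enabled?)))))
    ;; Jetty 9 API: SslContextFactory#setSessionCachingEnabled(boolean)
    (.setSessionCachingEnabled factory enabled?)
    factory))

(defn session-caching-enabled?
  "Reads the effective setting back, e.g. for a startup log line or a
  sanity check that the operator's choice actually reached Jetty."
  [^SslContextFactory factory]
  (.isSessionCachingEnabled factory))

(comment
  ;; Constructed usage: the map stands in for the `webserver` config section.
  (let [factory (SslContextFactory.)]
    (configure-session-caching! factory {:ssl-session-caching false})
    (session-caching-enabled? factory)))
```

This only controls the server-side session cache that the ticket discusses; whether a given client actually stops resuming sessions is best confirmed by reconnecting with a TLS client and checking that the second handshake is a full one.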

                People

                • Assignee: matthaus (Past Haus)
                • Reporter: jeremy.barlow (Jeremy Barlow)
                • QA Contact: Erik Dasher
