
Provide option for disabling TLS/SSL session caching in Jetty webserver



    • New Feature
    • Status: Closed
    • Normal
    • Resolution: Won't Fix
    • None
    • None
    • TrapperKeeper
    • 2
    • Server Jade 2016-04-06, Server Jade 2016-04-20


      By default, any SSL handshake negotiated in Jetty by trapperkeeper-webservices-jetty9 results in Jetty caching the SSL session and returning an SSL session id to the client for the client to use in resuming the session on a later connection. In some scenarios it may be desirable to not have the server cache SSL sessions, e.g., to protect the server from an SSL renegotiation attack until a proper remediation path can be found, or when multiple servers having different certificates are hidden behind a load-balanced virtual IP address and session reuse is not desirable / practical. See SERVER-207 for some discussion on the issues session caching presents around load-balanced virtual IP addresses.

      In order to disable session caching, a new "caching" option could be exposed in the trapperkeeper-webservices-jetty9 configuration. For compatibility, it would probably be best to allow SSL sessions to be cached by default so that clients can take advantage of the performance benefits of renegotiation.

      I believe the lower-level work in Jetty would just involve calling the setSessionCachingEnabled method on the SslContextFactory with a value of true or false, as desired. The setup with the factory is done from ssl-context-factory in jetty9_core.clj.
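An added Clojure sketch (not trapperkeeper-webserver-jetty9's own code) of how such an option could be wired from the webserver config map to the Jetty SslContextFactory; the `:ssl-session-caching` key name is hypothetical, and the keystore-style config keys are assumed:

```clojure
(ns example.ssl-session-caching
  (:import (org.eclipse.jetty.util.ssl SslContextFactory)))

(defn ssl-context-factory
  "Build a Jetty SslContextFactory from a webserver config map.
   :keystore / :key-password / :truststore / :trust-password are assumed to be
   present. :ssl-session-caching is a hypothetical key; it defaults to true so
   that existing clients keep the performance benefit of session resumption."
  [{:keys [keystore key-password truststore trust-password ssl-session-caching]
    :or {ssl-session-caching true}}]
  (doto (SslContextFactory.)
    (.setKeyStorePath keystore)
    (.setKeyStorePassword key-password)
    (.setTrustStorePath truststore)
    (.setTrustStorePassword trust-password)
    ;; The single switch the ticket points at: when false, Jetty does not
    ;; cache negotiated sessions, so clients get nothing to resume with.
    (.setSessionCachingEnabled (boolean ssl-session-caching))))

(defn session-caching-enabled?
  "Read the effective setting back, e.g. for a startup log line or a test."
  [^SslContextFactory factory]
  (.isSessionCachingEnabled factory))

(comment
  ;; Default config: caching stays on, matching today's behaviour.
  (session-caching-enabled?
   (ssl-context-factory {:keystore "server.jks" :key-password "changeit"
                         :truststore "ca.jks" :trust-password "changeit"}))

  ;; Operator opts out, e.g. behind a load-balanced VIP with mixed certificates.
  (session-caching-enabled?
   (ssl-context-factory {:keystore "server.jks" :key-password "changeit"
                         :truststore "ca.jks" :trust-password "changeit"
                         :ssl-session-caching false})))
```

The factory must still be started (as jetty9_core.clj already does for the existing one) before the setting takes effect on new connections.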





              matthaus Past Haus
              jeremy.barlow Jeremy Barlow
              Erik Dasher Erik Dasher


