Details
- New Feature
- Status: Closed
- Normal
- Resolution: Won't Fix
- None
- None
- Normal
- 1 - 1-5% of Customers
- 3 - Serious
- 4 - $$$$$
Description
By default, any SSL handshake completed by a clj-http-client request where the server returns an SSL session id results in the client attempting to resume that SSL session for a request made on a new connection. In some scenarios it may be desirable not to have the client try to resume SSL sessions, e.g., to protect the client from an SSL renegotiation attack until a proper remediation path can be found, or when multiple servers with different certificates sit behind a load-balanced virtual IP address and session reuse is not desirable or practical. See SERVER-207 for discussion of the issues session caching presents with load-balanced virtual IP addresses.
In order to disable session caching, a new "allow session creation" option could be exposed as a "client option" alongside the other SSL-related options. For compatibility, it would probably be best to allow SSL sessions to be created/resumed by default so that clients can take advantage of the performance benefits of renegotiation.
I'm not sure of the best way to do this. In async.clj, there is some code which sets up the desired protocols and ciphers via an SSLIOSessionStrategy. If clj-http-client were to derive a class from SSLIOSessionStrategy which provides an implementation for the protected initializeEngine method, setEnableSessionCreation could be called with true or false, as desired, on the SSLEngine parameter supplied to the method. I haven't tried doing this yet, so I'm not sure whether this would actually work.
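The approach sketched above, written out as an added example (this is not clj-http-client code and was not part of the ticket): a `proxy` over Apache HttpAsyncClient's SSLIOSessionStrategy overrides the protected initializeEngine hook and calls setEnableSessionCreation on the SSLEngine. The namespace name, the `session-strategy` / `async-client` function names and the `allow-session-creation?` flag are hypothetical; it assumes httpasyncclient 4.1 / httpcore-nio 4.4 or later on the classpath and wires the strategy through HttpAsyncClientBuilder directly rather than through clj-http-client's own registry.

```clojure
;; Added example, not part of clj-http-client.
;; Assumes httpasyncclient 4.1+ (org.apache.http.nio.conn.ssl.SSLIOSessionStrategy,
;; org.apache.http.impl.nio.client.HttpAsyncClients) on the classpath.
(ns example.ssl-session-strategy   ; hypothetical namespace
  (:import (javax.net.ssl SSLContext SSLEngine)
           (org.apache.http.conn.ssl DefaultHostnameVerifier)
           (org.apache.http.impl.nio.client HttpAsyncClients)
           (org.apache.http.nio.conn.ssl SSLIOSessionStrategy)))

(defn session-strategy
  "Returns an SSLIOSessionStrategy for `ssl-context`. `protocols` and
   `cipher-suites` are seqs of strings; nil keeps the engine defaults.
   `allow-session-creation?` is passed straight to SSLEngine's
   setEnableSessionCreation for every engine the strategy creates."
  ^SSLIOSessionStrategy
  [^SSLContext ssl-context protocols cipher-suites allow-session-creation?]
  (proxy [SSLIOSessionStrategy]
         [ssl-context
          (some->> protocols (into-array String))
          (some->> cipher-suites (into-array String))
          (DefaultHostnameVerifier.)]
    ;; Protected extension hook of SSLIOSessionStrategy. The strategy has
    ;; already applied the enabled protocols and cipher suites to the
    ;; engine when this runs, so only the session flag is set here.
    (initializeEngine [^SSLEngine engine]
      (.setEnableSessionCreation engine (boolean allow-session-creation?)))))

(defn async-client
  "Builds a CloseableHttpAsyncClient whose TLS connections use the strategy
   above. Hypothetical wiring: clj-http-client registers its strategy via
   its own connection manager, not via setSSLStrategy."
  [^SSLContext ssl-context allow-session-creation?]
  (-> (HttpAsyncClients/custom)
      (.setSSLStrategy (session-strategy ssl-context
                                         ["TLSv1.2"]   ; constructed sample value
                                         nil
                                         allow-session-creation?))
      (.build)))

(comment
  ;; Default-style behaviour: the engine may create and resume sessions.
  (async-client (SSLContext/getDefault) true)
  ;; Session creation disabled: the engine may only resume an existing
  ;; session (see the note below before using this in anger).
  (async-client (SSLContext/getDefault) false))
```

One caveat worth checking before relying on this switch: per the javax.net.ssl.SSLEngine documentation, setEnableSessionCreation(false) forbids the engine from establishing new sessions, and if there is no existing session to resume the handshake simply fails. It therefore does not deliver "never resume"; on a fresh SSLContext with an empty client session cache it would make the first connection fail outright, and once a session is cached it would keep resuming it. Achieving the goal described in the ticket (no resumption against a load-balanced VIP) needs the client-side session cache itself addressed, which is the direction the linked TK-124 title points at for the Jetty side.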
Issue Links
- relates to
  - SERVER-216 Allow SSL session use to be disabled for client connections (Closed)
  - SERVER-1256 Promote fix for TK-124 through puppet-server and into PE (Closed)
  - SERVER-218 Document options for SSL renegotiation w/ virtual ips (Closed)
  - SERVER-207 puppetserver does not handle ssl renegotiation to different puppetdb servers behind a vip (Closed)
  - TK-124 Provide option for disabling TLS/SSL session caching in Jetty webserver (Closed)