Session Ticket Rotation
Richard Fussenegger, BSc
richard at fussenegger.info
Fri Oct 10 21:09:05 UTC 2014
Hello and many thanks for your reply.
On 10/10/2014 10:57 PM, Yichun Zhang (agentzh) wrote:
> Hello!
>
> Fortunately this does not have to be in the nginx core :)
I came to the conclusion that this shouldn't even be in nginx core.
OpenSSL should be updated. Of course a few nginx changes would come with
that (exposing some configuration settings). There's more that's
problematic with session tickets in OpenSSL: only AES128-CBC-SHA256
while ignoring chosen cipher. Let's hope that some OpenSSL / C crack
will update that at some point in the future. Luckily we have now a few
forks and ReSSL might be just the project that brings us a real
interface to work against.
> We're using the ngx_lua module [1] to periodically update the session
> ticket keys from external shared data services (like memcached).
>
> To be more specific, we're using ngx_lua's init_worker_by_lua [2] to
> create a re-occurring timer (via ngx.timer.at [3]) and fetch a new
> ticket key from external data sources via the nonblocking
> lua-resty-memcached library [4] and add that into the existing queue
> used by OpenSSL via LuaJIT FFI [5].
>
> Also, we use the lua_shared_dict [6] to reduce traffic to the external
> data source online.
>
> No patches are needed for the nginx core :)
>
> In this "add-on" implementation, the ticket keys are also shared
> across all our machines.
>
> Best regards,
> -agentzh
>
> [1] https://github.com/openresty/lua-nginx-module
> [2] https://github.com/openresty/lua-nginx-module#init_worker_by_lua
> [3] https://github.com/openresty/lua-nginx-module#ngxtimerat
> [4] https://github.com/openresty/lua-resty-memcached
> [5] http://luajit.org/ext_ffi.html
> [6] https://github.com/openresty/lua-nginx-module#lua_shared_dict
I'm currently working on a solution that only relies on a POSIX
compatible shell interpreter without any additions to nginx. The only
requirement is version 1.5.7 (which you have as well).
https://github.com/Fleshgrinder/nginx-session-ticket-key-rotation
It's work in progress right now and will only be Debian / Ubuntu
compatible when it's finished. I'll also integrate syncing in clusters
and compatibility with other operating systems if I find the time.
@anyone If you have the time to review my work and approach, please do
so. I'd love feedback!
Regards,
Richard

PS: You should open source your solution. :)
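Both approaches in this thread (agentzh's Lua timer feeding new keys into OpenSSL, and the POSIX-shell approach mentioned above) come down to the same mechanism: generate a fresh random ticket key, keep the previous one around so outstanding tickets still decrypt, and make nginx pick the files up on reload. The script below is an added illustration written for this page; it is not code from the nginx-session-ticket-key-rotation repository nor from OpenResty. The key directory, file names and the nginx configuration lines in the comments are assumptions; the `ssl_session_ticket_key` directive and the 48-byte key-file size are what nginx 1.5.7 expects.

```shell
#!/bin/sh
# Added example (not the linked project's code): rotate nginx TLS session ticket keys
# using only a POSIX shell, openssl (or /dev/urandom) and an nginx reload.
#
# Assumed nginx configuration (paths are assumptions for this example):
#   ssl_session_ticket_key /etc/nginx/ticket-keys/current.key;
#   ssl_session_ticket_key /etc/nginx/ticket-keys/previous.key;
# The first file encrypts newly issued tickets; later files are only used to decrypt
# tickets issued under earlier keys. Clients therefore keep resuming across one
# rotation, and a leaked key exposes at most two rotation periods of sessions.
set -eu

# nginx 1.5.7 expects exactly 48 bytes per key file:
# 16-byte key name, 16-byte AES key, 16-byte HMAC key.
KEY_BYTES=48

# generate_key FILE: write KEY_BYTES random bytes to FILE atomically with mode 0600
generate_key() {
    tmp="$1.tmp.$$"
    (
        umask 077                       # key files must not be world-readable
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -out "$tmp" "$KEY_BYTES"
        else
            dd if=/dev/urandom of="$tmp" bs="$KEY_BYTES" count=1 2>/dev/null
        fi
    )
    mv -f "$tmp" "$1"                   # rename so nginx never sees a half-written file
}

# key_size FILE: print the size of FILE in bytes
key_size() {
    wc -c < "$1" | tr -d ' '
}

# rotate_keys DIR: discard previous.key, move current.key to previous.key and generate
# a fresh current.key; returns non-zero if the new key does not have the expected size
rotate_keys() {
    dir="$1"
    mkdir -p "$dir"
    if [ -f "$dir/current.key" ]; then
        mv -f "$dir/current.key" "$dir/previous.key"
    fi
    generate_key "$dir/current.key"
    # a key file of the wrong length makes "nginx -t" fail, so check before reloading
    if [ "$(key_size "$dir/current.key")" -ne "$KEY_BYTES" ]; then
        echo "unexpected key size in $dir/current.key" >&2
        return 1
    fi
}

# reload_nginx: reload only when nginx is installed and the configuration validates,
# so a bad key file never takes the server down; does nothing when nginx is absent
reload_nginx() {
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && nginx -s reload
    fi
}

# Usage (e.g. from an hourly cron job): sh rotate-ticket-keys.sh /etc/nginx/ticket-keys
if [ "$#" -gt 0 ]; then
    rotate_keys "$1"
    reload_nginx
fi
```

Note that a reload only affects newly started worker processes; workers still serving old connections keep the key set they were started with until they exit, so the effective key lifetime is the rotation interval plus the worker shutdown timeout.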