Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial server-side session ticket support #35

Merged
merged 5 commits into from
Jun 27, 2024
Merged

Initial server-side session ticket support #35

merged 5 commits into from
Jun 27, 2024

Conversation

cpu
Copy link
Member

@cpu cpu commented Jun 26, 2024
edited
Loading

This branch starts to sketch out initial server-side support for TLS session tickets. We take the easy route for now and manage this opaquely internal to Rustls using the aws-lc-rs implementation of an AEAD ticketer/ticket switcher.

We offer the ability for OpenSSL API users to disable ticket support (either with SSL_set_options() and SSL_OP_NO_TICKET, or with SSL_CONF_cmd using -no_tickets or Options -SessionTicket) and to control the number of session tickets (defaulting to 2 to match OpenSSL default, customizable with SSL_CTX_set_num_tickets/SSL_set_num_tickets).

We don't offer more fine grain control over generating/encrypting/decrypting tickets and instead stub SSL_CTX_set_tlsext_ticket_key_cb and SSL_CTX_set_tlsext_ticket_key_evp_cb.

Resolves #30

@cpu cpu self-assigned this Jun 26, 2024
@cpu cpu mentioned this pull request Jun 26, 2024
Closed
@cpu cpu force-pushed the cpu-session-tickets branch from 2fe9620 to fae2abc Compare June 27, 2024 14:01
cpu added 3 commits June 27, 2024 10:02
@cpu
lib: configure ticketer by default
909c595 
Unless `SSL_OP_NO_TICKET` has been set in the `raw_options` we should
configure a ticketer in the `ServerConfig` constructed by
`Ssl::init_server_conn`.

The nginx test server configurations are updated to all disable session
tickets. For the no resumption case, this is what we want explicitly.
For the existing resumption tests this is necessary to test the stateful
session resumption. A new configuration that enables session tickets is
added to test that resumption method. The `nginx` runner test is updated
to test this new configuration works as expected w/ a `curl` client.
@cpu
implement SSL_*_(get|set)_num_tickets
95ccb98 
Some simple coverage is added to `server.c`
@cpu
conf: implement -no_ticket cmd
4463576
@cpu cpu force-pushed the cpu-session-tickets branch from fae2abc to dbea8c0 Compare June 27, 2024 14:02
@cpu
Copy link
Member Author

cpu commented Jun 27, 2024
edited
Loading

The miri task is unhappy with the invocation of the aws_lc_rs ticketer constructor: "can't call foreign function aws_lc_0_15_0_RAND_bytes on OS linux"

I thought I might be able to add a [no_mangle] stub for this in miri.rs but haven't had luck. I notice with closer examination the CI failure output indicates the symbol as �aws_lc_0_15_0_RAND_bytes - that first bit of sort-of-mojibake-looking-crap seems to be a U+0001. I'm not sure why that's there, or if it has any implication for why I can't export a matching symbol name (I tried both RAND_bytes and aws_lc_0_15_0_RAND_bytes with no change in output). In any case I worked around this for now by just not initializing a ticketer for the case where cfg!(miri) is set.

@cpu
Copy link
Member Author

cpu commented Jun 27, 2024

I'm either misunderstanding the SSL_CONF_cmd(cctx, "Options", "SessionTicket") semantics

This appears to be the case. I was only setting SSL_CONF_FLAG_FILE on the SSL_CONF_CTX but the 2nd level logic that's handling the SessionTicket options flag value in particular seems smart enough to know it requires SSL_CONF_FLAG_SERVER and returns 0 otherwise - I'll make some adjustments.

@cpu cpu force-pushed the cpu-session-tickets branch from dbea8c0 to 0e434a2 Compare June 27, 2024 15:28
cpu added 2 commits June 27, 2024 11:31
@cpu
conf: implement Options SessionTicket/-SessionTicket cmd
87abc8b
@cpu
stub set tls ext ticket callbacks
8399966 
The `SSL_CTX_set_tlsext_ticket_key_cb` and
`SSL_CTX_set_tlsext_ticket_key_evp_cb` API functions can be used to set
up callbacks for managing TLS session tickets. Implementing this
properly will be challenging as they take `EVP_CIPHER_CTX` and
`EVP_MAC_CTX` arguments and expect the caller to do a lot of the
heavy-lifting.

For now let's stub it and see how far we can get by just opaquely
handling TLS session tickets internal to Rustls w/ our own ticketer.
@cpu cpu force-pushed the cpu-session-tickets branch from 0e434a2 to 8399966 Compare June 27, 2024 15:31
@cpu cpu marked this pull request as ready for review June 27, 2024 15:36
@cpu
Copy link
Member Author

cpu commented Jun 27, 2024

I think this is ready for review now.

@cpu cpu changed the title WIP: Initial server-side session ticket support Initial server-side session ticket support Jun 27, 2024
ctz
ctz approved these changes Jun 27, 2024
View reviewed changes
rustls-libssl/tests/config.c Show resolved Hide resolved
@cpu cpu merged commit de4eb6e into rustls:main Jun 27, 2024
14 checks passed
@cpu cpu deleted the cpu-session-tickets branch June 27, 2024 15:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ctz ctz ctz approved these changes

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Investigate nginx 1.24.0 session resumption
2 participants
@cpu @ctz