ATS SSL UpdatesATS Summit Spring 2015
Susan Hinrichs
Leverage New Features of OpenSSL 1.0.2
Support multiple certificate chains TS-3131● Wei Sun addition
● You can specify multiple certificate files in ssl_multicert.config by comma separating file names in the ssl_cert_name and ssl_key_name fields● ssl_cert_name=ec-safelyfiled.pem,rsa-safelyfiled.pem ssl_key_name=ec-privkey.pem,rsa-privkey.pem
● May want to add some cross algorithm warning checks
Use the certificate callback for the TS API SNI callback TS-3319● No need for the SNI callback patch to 1.0.1
● The SNI plugin API is unchanged
OpenSSL 1.1
Can no longer reach into the internals● OpenSSL team added SSL_set_rbio for us
CRYPTO_set_id_callback is removed● Deprecated since 1.0
● Replaced with CRYPTO_THREADID_set_callback. Slightly different way of setting the thread id.
● If we change our lowest supported version of openssl to 1.0.0 we can run with only CRYPTO_THREADID versions of the calls
SSL Session Plugin API Proposal
LinkedIn and Yahoo developed Session sharing support in parallel● Performance problems observed with the default session table in openssl
● LinkedIn committed their solution back to open source
● No cross box communication
● Yahoo solution includes cross ATS communication for session sharing
Propose a plugin API to break out optional communication, analysis, etc.● http://network-geographics.com/ats/docs/ssl-session-api.en.html
SSL Session Plugin API
Add hook TS_SSL_SESSION_HOOKTriggers callback:
● int SSL_session_callback(TSCont contp, TSEvent event, void *edata)
● Where edata is a TSSslSessionId
● Event is one of
● TS_EVENT_SESSION_NEW – A new session has been added to the session table
● TS_EVENT_SESSION_REMOVE - A session has been removed from the session table
● TS_EVENT_SESSION_GET – A session has been requested. Could override decision
SSL Session Plugin API
New functions● TSSslSession TSSslSessionGet(TSSsslSessionId sessionid)
● TSReturnCode TSSslSessionCurrentSet(TSSslSessionId sessionId, TSSslSession preferredSession)
● TSReturnCode TSSslSessionSet(TSSslSessionId sessionId, TSSslSession addSession)
● TSReturnCode TSSslSessionRemove(TSSslSessionId sessionId)
SSL Session Plugin Use Case
Goal: Share sessions between ATS boxes sitting behind a load balancer
Set up communication with peer ATS boxes● Use your favorite messaging library
● Peers communicate
● New sessions and removed sessions
● Use TSSslSessionSet and TSSslSessionRemove to get local copy of session table up to date
Set handler on the TS_SSL_SESSION_HOOK● On remove, notify peers
● On new, notify peers
Question about session ticket key use case
In 5.x, you specify ticket key files per ssl_multicert.config entry● ssl_cert_name=safelyfiled.pem ssl_key_name=privkey.pem ssl_ticket_enabled=1
ticket_key_name=ticket.dat
Is there a major use case to specify different ssl session tickets for different origin servers?● Seems confusing
● Can be difficult to just turn off session tickets TS-3371
DHE Issues
DHE support added in 5.2.0● In addition to adding DHE algorithms in the cipher list, must set DH group
parameters via SSL_set_tmp_dh
● Added a dhparams to records.config
● If no dhparams is present, the patch would automatically use a 2048 bit DH group defined in RFC 5114
● No way to turn off DHE unless you remove the DHE algorithms from the cipher list
● Listed DHE algorithms were useless pre-5.2.0
● LinkedIn noticed an increase in SSL errors that went away in part when the 5.2.0 DH change was removed
DHE Future Changes
Changes beyond 5.2.1?● No, leave it be
● Add a “Default” option to dhparams config entry
● Other?
Addition of Symmetric SSL statistics
TS-3409● Change proxy.process.ssl.total_success_handshake_count to
total_success_handshake_count_in
● Added total_success_handshake_count_out
SSL Transparent Pass Through
Augment the Transparent Pass through logic to work on SSL as well as HTTP directly over TCP● TS-3292 – Lev Stipakov
● If tr-pass and first packet is not client hello, blind tunnel
Various bug fixes
SSL handshake buffer fix TS-3451● Brian Geffon tracking down increase in SSL errors moving from 5.0 to 5.2.0
SNI Callback fix TS-3272● Lev found CPU spin if SNI callback did not reenable
Certificate Loading Fixes● Remove spurious warnings on certificate load TS-3243
● Fail system start if certificates do not load TS-3376
Questions?