Allow TLS sessionTicketKeys config #10284
Open
What does this PR do?
Allow specification of custom TLS session ticket keys.
Fixes #4550
Motivation
From the added docs:
This option allows you to specify a list of TLS Session Ticket Keys which store
the TLS connection state on the client and allow the TLS session resumption
with less overhead than re-establishing it from scratch. This is used in both
TLSv1.2 Session Tickets and TLSv1.3 PSK algorithms.
The use-case for this is 3-fold:

- Keys on all servers and then a client can use it for lightweight session re-establishment to any of the servers in the cluster. By default each server will have its own random keys so a ticket valid for one server would not be valid for the others.
- keys are stored in memory, when Traefik restarts they will be lost. By writing them to the config file they are persisted across restarts
- retention periods are not customizable. You may wish to write a cronjob to update the Traefik config file more or less frequently, with longer or shorter retention periods.
If you use this option you are responsible for key rotation, which should occur
at least on a daily basis or Perfect Forward Secrecy is compromised. These keys
should be stored securely or your TLS sessions may be intercepted and
decrypted.
If not specified, the default golang crypto/tls algorithm is used which is to
keep 7 days of keys and rotate on a daily basis.
Additional Notes
Test like:
Restarting the server and running the second command again will currently show the first output (i.e. no `Reused` entry), but with the patch will show a `Reused` line. Tested with and without `-no_tls1_3` to test 1.2 and 1.3 as they use different methods.
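The option described above hands a fixed list of keys to Go's `crypto/tls`, where `(*tls.Config).SetSessionTicketKeys` takes 32-byte keys newest-first: the first key encrypts every new ticket and all of them may still decrypt older tickets. The following is an added example of that mechanism, written for this page and not code from the PR or from Traefik. It assumes a hypothetical `TicketKeyRing` that does what the docs ask the operator's cronjob to do (keep the newest N keys, drop the rest) and a hex encoding for keys in a config file; both are illustrative choices, not Traefik's format.

```go
package main

import (
	"crypto/rand"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"time"
)

// ticketKeyBytes is the key length crypto/tls uses for session ticket keys.
const ticketKeyBytes = 32

// TicketKeyRing keeps session ticket keys newest-first, which is the order
// (*tls.Config).SetSessionTicketKeys expects: keys[0] encrypts every new
// ticket; every key in the slice can still decrypt (resume) older tickets.
// Hypothetical helper for this example, not part of Traefik.
type TicketKeyRing struct {
	keys [][ticketKeyBytes]byte
	max  int
}

// NewTicketKeyRing returns an empty ring that retains at most max keys.
func NewTicketKeyRing(max int) *TicketKeyRing {
	if max < 1 {
		max = 1
	}
	return &TicketKeyRing{max: max}
}

// Rotate makes key the active encryption key and drops the oldest key once
// more than max are held, so a ticket stays resumable for max rotation
// periods and no longer (the retention bound the docs warn about).
func (r *TicketKeyRing) Rotate(key [ticketKeyBytes]byte) {
	r.keys = append([][ticketKeyBytes]byte{key}, r.keys...)
	if len(r.keys) > r.max {
		r.keys = r.keys[:r.max]
	}
}

// Keys returns a copy of the ring, newest first.
func (r *TicketKeyRing) Keys() [][ticketKeyBytes]byte {
	out := make([][ticketKeyBytes]byte, len(r.keys))
	copy(out, r.keys)
	return out
}

// Apply installs the ring on cfg. SetSessionTicketKeys panics on an empty
// slice, so an empty ring is reported instead of crashing the server.
func (r *TicketKeyRing) Apply(cfg *tls.Config) error {
	if len(r.keys) == 0 {
		return errors.New("ticket key ring is empty")
	}
	cfg.SetSessionTicketKeys(r.Keys())
	return nil
}

// RandomTicketKey draws a fresh key from crypto/rand.
func RandomTicketKey() ([ticketKeyBytes]byte, error) {
	var k [ticketKeyBytes]byte
	_, err := rand.Read(k[:])
	return k, err
}

// ParseHexKey decodes a key written in a config file as 64 hex characters
// (an assumed encoding for this example), rejecting any other length.
func ParseHexKey(s string) ([ticketKeyBytes]byte, error) {
	var k [ticketKeyBytes]byte
	b, err := hex.DecodeString(s)
	if err != nil {
		return k, err
	}
	if len(b) != ticketKeyBytes {
		return k, fmt.Errorf("ticket key must be %d bytes, got %d", ticketKeyBytes, len(b))
	}
	copy(k[:], b)
	return k, nil
}

func main() {
	// Seven-day retention with daily rotation, mirroring the crypto/tls
	// defaults quoted in the PR description.
	ring := NewTicketKeyRing(7)
	for day := 0; day < 9; day++ {
		k, err := RandomTicketKey()
		if err != nil {
			log.Fatal(err)
		}
		ring.Rotate(k)
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if err := ring.Apply(cfg); err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%d keys installed; active key starts %x; next rotation in %s\n",
		len(ring.Keys()), ring.Keys()[0][:4], 24*time.Hour)
}
```

Because every key in the slice can decrypt old tickets, the retention length is exactly how long a leaked key can unwrap past sessions, which is why the docs tie rotation frequency to forward secrecy; a cronjob that rewrites the config with a shorter ring shrinks that window at the cost of more full handshakes.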