
Slide 1: ATS SSL Updates
ATS Summit Spring 2015
Susan Hinrichs

Slide 2: Leverage New Features of OpenSSL 1.0.2
● Support multiple certificate chains (TS-3131)
  ● Wei Sun's addition
  ● You can specify multiple certificate files in ssl_multicert.config by comma-separating file names in the ssl_cert_name and ssl_key_name fields
  ● ssl_cert_name=ec-safelyfiled.pem,rsa-safelyfiled.pem ssl_key_name=ec-privkey.pem,rsa-privkey.pem
  ● May want to add some cross-algorithm warning checks
● Use the certificate callback for the TS API SNI callback (TS-3319)
  ● No need for the SNI callback patch to 1.0.1
  ● The SNI plugin API is unchanged

Slide 3: OpenSSL 1.1
● Can no longer reach into the internals
  ● OpenSSL team added SSL_set_rbio for us
● CRYPTO_set_id_callback is removed
  ● Deprecated since 1.0
  ● Replaced with CRYPTO_THREADID_set_callback, a slightly different way of setting the thread id
  ● If we change our lowest supported version of OpenSSL to 1.0.0, we can run with only the CRYPTO_THREADID versions of the calls

Slide 4: SSL Session Plugin API Proposal
● LinkedIn and Yahoo developed session sharing support in parallel
  ● Performance problems observed with the default session table in OpenSSL
  ● LinkedIn committed their solution back to open source
  ● No cross-box communication
  ● Yahoo solution includes cross-ATS communication for session sharing
● Propose a plugin API to break out optional communication, analysis, etc.
  ● http://network-geographics.com/ats/docs/ssl-session-api.en.html

Slide 5: SSL Session Plugin API
● Add hook TS_SSL_SESSION_HOOK
● Triggers callback:
  ● int SSL_session_callback(TSCont contp, TSEvent event, void *edata)
  ● Where edata is a TSSslSessionId
  ● Event is one of:
    ● TS_EVENT_SESSION_NEW – a new session has been added to the session table
    ● TS_EVENT_SESSION_REMOVE – a session has been removed from the session table
    ● TS_EVENT_SESSION_GET – a session has been requested; the plugin could override the decision

Slide 6: SSL Session Plugin API
● New functions
  ● TSSslSession TSSslSessionGet(TSSslSessionId sessionId)
  ● TSReturnCode TSSslSessionCurrentSet(TSSslSessionId sessionId, TSSslSession preferredSession)
  ● TSReturnCode TSSslSessionSet(TSSslSessionId sessionId, TSSslSession addSession)
  ● TSReturnCode TSSslSessionRemove(TSSslSessionId sessionId)

Slide 7: SSL Session Plugin Use Case
● Goal: share sessions between ATS boxes sitting behind a load balancer
● Set up communication with peer ATS boxes
  ● Use your favorite messaging library
  ● Peers communicate new sessions and removed sessions
  ● Use TSSslSessionSet and TSSslSessionRemove to bring the local copy of the session table up to date
● Set a handler on the TS_SSL_SESSION_HOOK
  ● On remove, notify peers
  ● On new, notify peers
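The flow on slides 5 through 7 (hook fires on NEW and REMOVE, the handler notifies peers, peers apply the update with the Set/Remove calls) as a runnable model. This is an added example, not ATS code and not the proposed API itself: the TSSslSessionId and TSSslSession types and the TSSslSessionSet/Remove/Get functions are stood in for by a fixed-size table, the messaging library is replaced by direct calls between two in-process "boxes", and it assumes that applying a peer's update does not itself fire the hook on the receiving box (the slides do not say either way; without that rule the two boxes would relay the same update back and forth).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy model of the proposed session plugin API (slides 5-7). Not ATS code:
 * TSSslSessionId/TSSslSession and TSSslSessionSet/Remove/Get are replaced by a
 * fixed-size table so the replication flow can run stand-alone. */
#define MAX_SESSIONS 16
#define MAX_PEERS 4
#define ID_LEN 32

enum hook_event { EV_SESSION_NEW, EV_SESSION_REMOVE, EV_SESSION_GET };

struct session {
    int used;
    size_t id_len;
    unsigned char id[ID_LEN];   /* stands in for TSSslSessionId */
    char blob[64];              /* stands in for a serialized TSSslSession */
};

struct node {
    struct session table[MAX_SESSIONS];
    struct node *peers[MAX_PEERS];
    int npeers;
    unsigned notifications_sent; /* messages the hook handler sent to peers */
};

static void node_init(struct node *n) { memset(n, 0, sizeof *n); }

/* Symmetric peering, as for two boxes behind the same load balancer. */
static void node_peer(struct node *a, struct node *b) {
    if (a->npeers < MAX_PEERS) a->peers[a->npeers++] = b;
    if (b->npeers < MAX_PEERS) b->peers[b->npeers++] = a;
}

static struct session *table_find(struct node *n, const unsigned char *id, size_t len) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (n->table[i].used && n->table[i].id_len == len && memcmp(n->table[i].id, id, len) == 0)
            return &n->table[i];
    return NULL;
}

/* Model of TSSslSessionSet: returns 1 if inserted, 0 if overwritten, -1 on error. */
static int session_set(struct node *n, const unsigned char *id, size_t len, const char *blob) {
    if (len == 0 || len > ID_LEN) return -1;
    struct session *s = table_find(n, id, len);
    int is_new = 0;
    if (!s) {
        for (int i = 0; i < MAX_SESSIONS && !s; i++)
            if (!n->table[i].used) s = &n->table[i];
        if (!s) return -1;  /* table full: a real plugin would evict or drop */
        s->used = 1; s->id_len = len; memcpy(s->id, id, len);
        is_new = 1;
    }
    snprintf(s->blob, sizeof s->blob, "%s", blob);
    return is_new;
}

/* Model of TSSslSessionRemove: returns 1 if an entry was removed. */
static int session_remove(struct node *n, const unsigned char *id, size_t len) {
    struct session *s = table_find(n, id, len);
    if (!s) return 0;
    memset(s, 0, sizeof *s);
    return 1;
}

/* Model of TSSslSessionGet: NULL when the id is unknown on this box. */
static const char *session_get(struct node *n, const unsigned char *id, size_t len) {
    struct session *s = table_find(n, id, len);
    return s ? s->blob : NULL;
}

/* The plugin's TS_SSL_SESSION_HOOK handler: relay NEW and REMOVE to peers.
 * GET is where a plugin could override the lookup; it is not relayed here.
 * Assumption: applying a peer's update via session_set/session_remove does not
 * itself fire the hook on the receiving box, otherwise updates would ping-pong. */
static void session_hook(struct node *self, enum hook_event ev, const unsigned char *id, size_t len, const char *blob) {
    for (int i = 0; i < self->npeers; i++) {
        if (ev == EV_SESSION_NEW)         session_set(self->peers[i], id, len, blob);
        else if (ev == EV_SESSION_REMOVE) session_remove(self->peers[i], id, len);
        else continue;
        self->notifications_sent++;
    }
}

/* Events the local TLS stack raises on this box; only these fire the hook. */
static void local_new_session(struct node *n, const unsigned char *id, size_t len, const char *blob) {
    if (session_set(n, id, len, blob) == 1) session_hook(n, EV_SESSION_NEW, id, len, blob);
}
static void local_remove_session(struct node *n, const unsigned char *id, size_t len) {
    if (session_remove(n, id, len)) session_hook(n, EV_SESSION_REMOVE, id, len, NULL);
}

/* A session negotiated on box A resumes on box B, and a removal on B reaches A. */
int demo_session_sharing(void) {
    struct node a, b;
    node_init(&a); node_init(&b); node_peer(&a, &b);
    const unsigned char sid[] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed id */
    local_new_session(&a, sid, sizeof sid, "constructed session blob");
    int ok = session_get(&b, sid, sizeof sid) != NULL;
    local_remove_session(&b, sid, sizeof sid);
    ok = ok && session_get(&a, sid, sizeof sid) == NULL;
    return ok && a.notifications_sent == 1 && b.notifications_sent == 1;
}

int main(void) {
    printf("session sharing demo: %s\n", demo_session_sharing() ? "ok" : "FAILED");
    return 0;
}
```

The point the model makes visible is the loop-suppression rule: the handler only runs for events raised by the local TLS stack, so a session that arrives from a peer is stored but never re-announced. Whatever messaging library a real plugin uses, it needs the same distinction, either in the API (plugin-initiated Set/Remove calls not firing the hook) or in the plugin (tagging updates with their origin).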

Slide 8: Question about session ticket key use case
● In 5.x, you specify ticket key files per ssl_multicert.config entry
  ● ssl_cert_name=safelyfiled.pem ssl_key_name=privkey.pem ssl_ticket_enabled=1 ticket_key_name=ticket.dat
● Is there a major use case to specify different SSL session tickets for different origin servers?
  ● Seems confusing
  ● Can be difficult to just turn off session tickets (TS-3371)

Slide 9: DHE Issues
● DHE support added in 5.2.0
  ● In addition to adding DHE algorithms to the cipher list, must set DH group parameters via SSL_set_tmp_dh
  ● Added a dhparams entry to records.config
  ● If no dhparams is present, the patch would automatically use a 2048-bit DH group defined in RFC 5114
  ● No way to turn off DHE unless you remove the DHE algorithms from the cipher list
  ● Listed DHE algorithms were useless pre-5.2.0
  ● LinkedIn noticed an increase in SSL errors that went away in part when the 5.2.0 DH change was removed
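An added configuration example (not from the slides) showing the two states the slide describes: a records.config with no dhparams entry, where the 5.2.0 code silently falls back to the built-in RFC 5114 group, and one that names an operator-generated parameter file so the group in use is an explicit choice. The variable name proxy.config.ssl.server.dhparams is the one the ATS records.config documentation uses for this setting; confirm it against the release you run, since the slide only says "a dhparams".

```text
# records.config, 5.2.0 behaviour as described on slide 9.
#
# State 1: no dhparams entry at all. DHE ciphers in the cipher list still
# negotiate, and the server uses the built-in 2048-bit RFC 5114 group.
# Nothing in the config shows which group clients are being offered.

# State 2: explicit parameters. Generate the file once on the box, e.g.
#   openssl dhparam -out /etc/trafficserver/dhparams.pem 2048
# and point the server at it, so the group is chosen and reviewable.
CONFIG proxy.config.ssl.server.dhparams STRING /etc/trafficserver/dhparams.pem

# There is no off switch for DHE in 5.2.0 (slide 9): to stop offering it,
# remove the DHE suites from the cipher list rather than touching dhparams.
```

When triaging SSL error rates after the 5.2.0 upgrade, the first thing to record is which of the two states a box is in, because the slide's report from LinkedIn only distinguishes "DH change present" from "DH change removed".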

Slide 10: DHE Future Changes
● Changes beyond 5.2.1?
  ● No, leave it be
  ● Add a “Default” option to the dhparams config entry
  ● Other?

Slide 11: Addition of Symmetric SSL Statistics
● TS-3409
  ● Change proxy.process.ssl.total_success_handshake_count to total_success_handshake_count_in
  ● Added total_success_handshake_count_out

Slide 12: SSL Transparent Pass Through
● Augment the transparent pass-through logic to work on SSL as well as HTTP directly over TCP
  ● TS-3292 – Lev Stipakov
  ● If tr-pass is set and the first packet is not a ClientHello, blind tunnel
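The decision on slide 12 hinges on one question: do the first bytes from the client look like a TLS ClientHello? The check below is an added example, not the TS-3292 code, and makes that test explicit: a TLS record header (content type, version, length) followed by handshake type 1. The sample inputs are constructed, and the action strings are placeholders for what the listener would do (start the TLS handshake, or tunnel the bytes untouched to the origin).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example for the tr-pass decision on slide 12. It is not the TS-3292
 * code; it shows the check a proxy makes on the first bytes from a client
 * before deciding to terminate TLS or to blind-tunnel the connection. */

enum first_packet { FP_NEED_MORE = -1, FP_NOT_CLIENT_HELLO = 0, FP_CLIENT_HELLO = 1 };

/* A TLS record header is 5 bytes: content type, 2-byte version, 2-byte length.
 * A ClientHello is content type 0x16 (handshake) with record version major 3
 * (SSL 3.0 through TLS 1.3 all put 0x03 here) and handshake type 0x01 as the
 * first byte of the record body. Anything else (HTTP, SSH, an alert, a
 * ServerHello arriving on the wrong side) is not a ClientHello. */
enum first_packet classify_first_packet(const unsigned char *p, size_t n) {
    if (n == 0) return FP_NEED_MORE;
    if (p[0] != 0x16) return FP_NOT_CLIENT_HELLO;   /* not a handshake record */
    if (n < 6) return FP_NEED_MORE;                 /* header plus handshake type */
    if (p[1] != 0x03) return FP_NOT_CLIENT_HELLO;   /* record version major */
    size_t rec_len = ((size_t)p[3] << 8) | p[4];
    if (rec_len < 4) return FP_NOT_CLIENT_HELLO;    /* too short for a handshake header */
    if (p[5] != 0x01) return FP_NOT_CLIENT_HELLO;   /* handshake type: 1 = ClientHello */
    /* Note: a ClientHello may be fragmented across records, so the 3-byte
     * handshake length at p[6..8] is allowed to exceed this record's length
     * and is not checked here. SSLv2-format hellos (first byte with the high
     * bit set) are deliberately treated as not-a-ClientHello. */
    return FP_CLIENT_HELLO;
}

/* What the tr-pass listener does with the verdict (placeholder actions). */
const char *tr_pass_action(enum first_packet v) {
    switch (v) {
    case FP_CLIENT_HELLO:     return "terminate TLS";
    case FP_NOT_CLIENT_HELLO: return "blind tunnel";
    default:                  return "read more";
    }
}

/* Constructed samples: the TLS one is the start of a TLS 1.2 ClientHello. */
static const unsigned char SAMPLE_TLS[] = {
    0x16, 0x03, 0x01, 0x00, 0xc5, 0x01, 0x00, 0x00, 0xc1, 0x03, 0x03 };
static const unsigned char SAMPLE_HTTP[] = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n";
static const unsigned char SAMPLE_SSH[] = "SSH-2.0-OpenSSH_7.4\r\n";
static const unsigned char SAMPLE_ALERT[] = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28 };
static const unsigned char SAMPLE_SERVER_HELLO[] = { 0x16, 0x03, 0x03, 0x00, 0x40, 0x02 };

enum first_packet classify_sample_tls(void)   { return classify_first_packet(SAMPLE_TLS, sizeof SAMPLE_TLS); }
enum first_packet classify_sample_http(void)  { return classify_first_packet(SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1); }
enum first_packet classify_sample_ssh(void)   { return classify_first_packet(SAMPLE_SSH, sizeof SAMPLE_SSH - 1); }
enum first_packet classify_sample_alert(void) { return classify_first_packet(SAMPLE_ALERT, sizeof SAMPLE_ALERT); }
enum first_packet classify_sample_server_hello(void) { return classify_first_packet(SAMPLE_SERVER_HELLO, sizeof SAMPLE_SERVER_HELLO); }
/* A single byte 0x16 could be a ClientHello but is not enough to decide. */
enum first_packet classify_sample_partial(void) { return classify_first_packet(SAMPLE_TLS, 1); }

int main(void) {
    printf("tls:   %s\n", tr_pass_action(classify_sample_tls()));
    printf("http:  %s\n", tr_pass_action(classify_sample_http()));
    printf("ssh:   %s\n", tr_pass_action(classify_sample_ssh()));
    printf("alert: %s\n", tr_pass_action(classify_sample_alert()));
    printf("short: %s\n", tr_pass_action(classify_sample_partial()));
    return 0;
}
```

Two properties matter operationally. The check must return FP_NEED_MORE rather than guess when fewer than six bytes have arrived, otherwise a slow client's TLS connection gets tunnelled and the handshake never reaches the proxy. And the classifier is deliberately narrow: anything it does not positively recognise is tunnelled, which is the safe default for a pass-through listener, but it also means SSLv2-compatible hellos bypass termination, so the tunnelled byte count is worth graphing next to total_success_handshake_count_in.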

Slide 13: Various Bug Fixes
● SSL handshake buffer fix (TS-3451)
  ● Brian Geffon tracking down an increase in SSL errors moving from 5.0 to 5.2.0
● SNI callback fix (TS-3272)
  ● Lev found a CPU spin if the SNI callback did not re-enable
● Certificate loading fixes
  ● Remove spurious warnings on certificate load (TS-3243)
  ● Fail system start if certificates do not load (TS-3376)

Slide 14: Questions?

