Skip to content

Allow origins to do TLS renegotiation #10385

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bryancall merged 4 commits into from
Sep 13, 2023
Merged

Allow origins to do TLS renegotiation #10385

bryancall merged 4 commits into from
Sep 13, 2023

Conversation

@bryancall
Copy link
Contributor

@bryancall bryancall commented Sep 7, 2023
edited
Loading

Ran into an issue where IIS will do a TLS renegotiation after the first request is made. Since the handshake has already been completed it is failing this check.

CI has a test for TS_SSL_VERIFY_SERVER_HOOK and I will see if this change breaks that functionality.

Discussion about IIS: https://security.stackexchange.com/questions/24554/should-i-use-ssl-tls-renegotiation

@bryancall bryancall added the TLS label Sep 7, 2023
@bryancall bryancall added this to the 10.0.0 milestone Sep 7, 2023
@bryancall bryancall self-assigned this Sep 7, 2023
@bryancall
Copy link
Contributor Author

bryancall commented Sep 8, 2023

This commit has the logic change: ede1f34 the rest of the PR is just cleanup.

@bryancall bryancall requested a review from shinrich September 8, 2023 15:37
@shinrich
Copy link
Member

shinrich commented Sep 8, 2023

Logic seems reasonable. Do we want to make this configurable? I dimly recall that renegotiation is frowned up these days. If it is configurable, I assume that is something we can set during the TLS negotiation to indicate whether the client will handle renegotiations.

Oh I see the 10 year old article you reference does discuss some of the renegotiation concerns.

shinrich
shinrich approved these changes Sep 11, 2023
View reviewed changes
Copy link
Member

@shinrich shinrich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Server initiated renegotiation is less concerning.

@bryancall bryancall merged commit 236b749 into apache:master Sep 13, 2023
cmcfarlen pushed a commit to cmcfarlen/trafficserver that referenced this pull request Jun 3, 2024
@bryancall @zwoop
Allow origins to do TLS renegotiation (apache#10385)
3c3f628
cmcfarlen pushed a commit to cmcfarlen/trafficserver that referenced this pull request Jun 3, 2024
@zwoop
Merge commit '236b749b2b3cc746829ad534a7034ab7799d1b71'
8cb4c62 
* commit '236b749b2b3cc746829ad534a7034ab7799d1b71':
  Allow origins to do TLS renegotiation (apache#10385)
  Remove deprecated debug output functions from 21 source files. (apache#9683)
  Fixes some make test build problems (apache#10402)
  Removes unused Errata functions from WCCP (apache#10380)
  Move InkAPI.cc into src/api (apache#10315)
  cmake: Generate files in rc, install the trafficserver script (apache#10367)
  Add support for OCSP requests by GET method (apache#10306)
  Preserve unmapped url regardless of need for remapping (apache#10304)
  Add TSVConnFdGet api (apache#10324)
  include/ts: comma on all last enum elements (apache#10400)
  cmake: Add remaining plugins without external deps (apache#10395)
  CID-1508974 (apache#10397)
  CID-1508987 (apache#10398)
  Coverity 1518564: fix off by one (apache#10401)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shinrich shinrich shinrich approved these changes

Assignees

@bryancall bryancall

Labels

TLS

Projects

None yet

Milestone

10.0.0

Development

Successfully merging this pull request may close these issues.

2 participants

@bryancall @shinrich