manager: secret for TLS session resumption via ticket

Create and set a secret for TLS session resumption via ticket that is the same for all running 'kresd' workers. This secret is only created if the user has not configured the secret themselves.

diff --git a/NEWS b/NEWS
index 1c115b1faf224df47e5421bca89bc55a0688d7ef..d84537d35091557776671ec46b341329f55c4b68 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,13 @@
+Knot Resolver 6.0.9 (2024-mm-dd)
+================================
+
+Improvements
+------------
+
+- manager: secret for TLS session resumption via ticket (RFC5077) (!1567)
+
+  The manager creates and sets the secret for all running 'kresd' workers. The secret is created automatically if the user does not configure his own secret in the configuration. This means that the workers will be able to resume each other's TLS sessions, regardless of whether the user has configured it to do so.
+
 Knot Resolver 6.0.8 (2024-07-23)
 ================================
 

diff --git a/manager/knot_resolver_manager/kres_manager.py b/manager/knot_resolver_manager/kres_manager.py
index 1090ad5dbc197d317d513998e356ebbeaf7b1983..f916dfaaaaac248f264ddf57a87a3976a308e72f 100644 (file)
--- a/manager/knot_resolver_manager/kres_manager.py
+++ b/manager/knot_resolver_manager/kres_manager.py
@@ -2,6 +2,7 @@ import asyncio
 import logging
 import sys
 import time
+from secrets import token_hex
 from subprocess import SubprocessError
 from typing import Any, Callable, List, Optional
 
@@ -148,6 +149,11 @@ class KresManager:  # pylint: disable=too-many-instance-attributes
         # register callback to reset policy rules for each 'kresd' worker
         await config_store.register_on_change_callback(self.reset_workers_policy_rules)
 
+        # register and immediately call a callback to set new TLS session ticket secret for 'kresd' workers
+        await config_store.register_on_change_callback(
+            only_on_real_changes_update(config_nodes)(self.set_new_tls_sticket_secret)
+        )
+
         # register controller config change listeners
         await config_store.register_verifier(_deny_max_worker_changes)
 
@@ -254,6 +260,20 @@ class KresManager:  # pylint: disable=too-many-instance-attributes
                 " the workers are already running with new configuration"
             )
 
+    async def set_new_tls_sticket_secret(self, config: KresConfig) -> None:
+
+        if config.network.tls.sticket_secret or config.network.tls.sticket_secret_file:
+            logger.debug("User-configured TLS resumption secret found - skipping auto-generation.")
+            return
+
+        logger.debug("Creating TLS session ticket secret")
+        secret = token_hex(32)
+        logger.debug("Setting TLS session ticket secret for all running 'kresd' workers")
+        cmd_results = await command_registered_workers(f"net.tls_sticket_secret('{secret}')")
+        for worker, res in cmd_results.items():
+            if res not in (0, True):
+                logger.error("Failed to set TLS session ticket secret in %s: %s", worker, res)
+
     async def apply_config(self, config: KresConfig, _noretry: bool = False) -> None:
         try:
             async with self._manager_lock: