From: Aleš Mrázek Date: Thu, 18 Jul 2024 04:24:35 +0000 (+0200) Subject: manager: secret for TLS session resumption via ticket X-Git-Tag: v6.0.9~43^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fenvironments%2Fdocs-develop-mana-68w5hu%2Fdeployments%2F4723;p=thirdparty%2Fknot-resolver.git manager: secret for TLS session resumption via ticket Create and set a secret for TLS session resumption via ticket that is the same for all running 'kresd' workers. This secret is only created if the user has not configured the secret themselves. --- diff --git a/NEWS b/NEWS index 1c115b1fa..d84537d35 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,13 @@ +Knot Resolver 6.0.9 (2024-mm-dd) +================================ + +Improvements +------------ + +- manager: secret for TLS session resumption via ticket (RFC5077) (!1567) + + The manager creates and sets the secret for all running 'kresd' workers. The secret is created automatically if the user does not configure his own secret in the configuration. This means that the workers will be able to resume each other's TLS sessions, regardless of whether the user has configured it to do so. + Knot Resolver 6.0.8 (2024-07-23) ================================ diff --git a/manager/knot_resolver_manager/kres_manager.py b/manager/knot_resolver_manager/kres_manager.py index 1090ad5db..f916dfaaa 100644 --- a/manager/knot_resolver_manager/kres_manager.py +++ b/manager/knot_resolver_manager/kres_manager.py @@ -2,6 +2,7 @@ import asyncio import logging import sys import time +from secrets import token_hex from subprocess import SubprocessError from typing import Any, Callable, List, Optional @@ -148,6 +149,11 @@ class KresManager: # pylint: disable=too-many-instance-attributes # register callback to reset policy rules for each 'kresd' worker await config_store.register_on_change_callback(self.reset_workers_policy_rules) + # register and immediately call a callback to set new TLS session ticket secret for 'kresd' workers + await config_store.register_on_change_callback( + only_on_real_changes_update(config_nodes)(self.set_new_tls_sticket_secret) + ) + # register controller config change listeners await config_store.register_verifier(_deny_max_worker_changes) @@ -254,6 +260,20 @@ class KresManager: # pylint: disable=too-many-instance-attributes " the workers are already running with new configuration" ) + async def set_new_tls_sticket_secret(self, config: KresConfig) -> None: + + if config.network.tls.sticket_secret or config.network.tls.sticket_secret_file: + logger.debug("User-configured TLS resumption secret found - skipping auto-generation.") + return + + logger.debug("Creating TLS session ticket secret") + secret = token_hex(32) + logger.debug("Setting TLS session ticket secret for all running 'kresd' workers") + cmd_results = await command_registered_workers(f"net.tls_sticket_secret('{secret}')") + for worker, res in cmd_results.items(): + if res not in (0, True): + logger.error("Failed to set TLS session ticket secret in %s: %s", worker, res) + async def apply_config(self, config: KresConfig, _noretry: bool = False) -> None: try: async with self._manager_lock: