From 26bbd720932ac81865766aa405217a3fe598bb2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ale=C5=A1=20Mr=C3=A1zek?= Date: Thu, 18 Jul 2024 06:24:35 +0200 Subject: [PATCH] manager: secret for TLS session resumption via ticket Create and set a secret for TLS session resumption via ticket that is the same for all running 'kresd' workers. This secret is only created if the user has not configured the secret themselves. --- NEWS | 10 ++++++++++ manager/knot_resolver_manager/kres_manager.py | 20 +++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/NEWS b/NEWS index 1c115b1fa..d84537d35 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,13 @@ +Knot Resolver 6.0.9 (2024-mm-dd) +================================ + +Improvements +------------ + +- manager: secret for TLS session resumption via ticket (RFC5077) (!1567) + + The manager creates and sets the secret for all running 'kresd' workers. The secret is created automatically if the user does not configure his own secret in the configuration. This means that the workers will be able to resume each other's TLS sessions, regardless of whether the user has configured it to do so. + Knot Resolver 6.0.8 (2024-07-23) ================================ diff --git a/manager/knot_resolver_manager/kres_manager.py b/manager/knot_resolver_manager/kres_manager.py index 1090ad5db..f916dfaaa 100644 --- a/manager/knot_resolver_manager/kres_manager.py +++ b/manager/knot_resolver_manager/kres_manager.py @@ -2,6 +2,7 @@ import logging import sys import time +from secrets import token_hex from subprocess import SubprocessError from typing import Any, Callable, List, Optional @@ -148,6 +149,11 @@ def config_nodes(config: KresConfig) -> List[Any]: # register callback to reset policy rules for each 'kresd' worker await config_store.register_on_change_callback(self.reset_workers_policy_rules) + # register and immediately call a callback to set new TLS session ticket secret for 'kresd' workers + await config_store.register_on_change_callback( + only_on_real_changes_update(config_nodes)(self.set_new_tls_sticket_secret) + ) + # register controller config change listeners await config_store.register_verifier(_deny_max_worker_changes) @@ -254,6 +260,20 @@ async def reset_workers_policy_rules(self, _config: KresConfig) -> None: " the workers are already running with new configuration" ) + async def set_new_tls_sticket_secret(self, config: KresConfig) -> None: + + if config.network.tls.sticket_secret or config.network.tls.sticket_secret_file: + logger.debug("User-configured TLS resumption secret found - skipping auto-generation.") + return + + logger.debug("Creating TLS session ticket secret") + secret = token_hex(32) + logger.debug("Setting TLS session ticket secret for all running 'kresd' workers") + cmd_results = await command_registered_workers(f"net.tls_sticket_secret('{secret}')") + for worker, res in cmd_results.items(): + if res not in (0, True): + logger.error("Failed to set TLS session ticket secret in %s: %s", worker, res) + async def apply_config(self, config: KresConfig, _noretry: bool = False) -> None: try: async with self._manager_lock: