manager: secret for TLS session resumption via ticket

Create and set a secret for TLS session resumption via ticket that is the same for all running 'kresd' workers. This secret is only created if the user has not configured the secret themselves.
webfutureiorepo · Jul 29, 2024 · 26bbd72 · 26bbd72
1 parent ffb4bf7
commit 26bbd72
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/NEWS b/NEWS
@@ -1,3 +1,13 @@
+Knot Resolver 6.0.9 (2024-mm-dd)
+================================
+
+Improvements
+------------
+
+- manager: secret for TLS session resumption via ticket (RFC5077) (!1567)
+
+  The manager creates and sets the secret for all running 'kresd' workers. The secret is created automatically if the user does not configure his own secret in the configuration. This means that the workers will be able to resume each other's TLS sessions, regardless of whether the user has configured it to do so.
+
 Knot Resolver 6.0.8 (2024-07-23)
 ================================
 

diff --git a/manager/knot_resolver_manager/kres_manager.py b/manager/knot_resolver_manager/kres_manager.py
@@ -2,6 +2,7 @@
 import logging
 import sys
 import time
+from secrets import token_hex
 from subprocess import SubprocessError
 from typing import Any, Callable, List, Optional
 
@@ -148,6 +149,11 @@ def config_nodes(config: KresConfig) -> List[Any]:
         # register callback to reset policy rules for each 'kresd' worker
         await config_store.register_on_change_callback(self.reset_workers_policy_rules)
 
+        # register and immediately call a callback to set new TLS session ticket secret for 'kresd' workers
+        await config_store.register_on_change_callback(
+            only_on_real_changes_update(config_nodes)(self.set_new_tls_sticket_secret)
+        )
+
         # register controller config change listeners
         await config_store.register_verifier(_deny_max_worker_changes)
 
@@ -254,6 +260,20 @@ async def reset_workers_policy_rules(self, _config: KresConfig) -> None:
                 " the workers are already running with new configuration"
             )
 
+    async def set_new_tls_sticket_secret(self, config: KresConfig) -> None:
+
+        if config.network.tls.sticket_secret or config.network.tls.sticket_secret_file:
+            logger.debug("User-configured TLS resumption secret found - skipping auto-generation.")
+            return
+
+        logger.debug("Creating TLS session ticket secret")
+        secret = token_hex(32)
+        logger.debug("Setting TLS session ticket secret for all running 'kresd' workers")
+        cmd_results = await command_registered_workers(f"net.tls_sticket_secret('{secret}')")
+        for worker, res in cmd_results.items():
+            if res not in (0, True):
+                logger.error("Failed to set TLS session ticket secret in %s: %s", worker, res)
+
     async def apply_config(self, config: KresConfig, _noretry: bool = False) -> None:
         try:
             async with self._manager_lock: