ATS SSL Updates. ATS Summit Spring 2015. Susan Hinrichs.


Leverage New Features of OpenSSL
● Support multiple certificate chains (TS-3131)
  ○ Contributed by Wei Sun
  ○ You can specify multiple certificate files in ssl_multicert.config by comma-separating the file names in the ssl_cert_name and ssl_key_name fields; the files are paired in order, so the first key goes with the first certificate chain
  ○ ssl_cert_name=ec-safelyfiled.pem,rsa-safelyfiled.pem ssl_key_name=ec-privkey.pem,rsa-privkey.pem
  ○ May want to add some cross-algorithm warning checks (for example, an EC certificate paired with an RSA key)
● Use the OpenSSL certificate callback for the TS API SNI callback (TS-3319)
  ○ No need for the SNI callback patch to
  ○ The SNI plugin API is unchanged
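The comma-separated form above pairs certificate and key files by position, so a missing comma or an extra file silently attaches a key to the wrong chain. The following is an added example written for this page, not Traffic Server code: it parses ssl_multicert.config lines using the whitespace-separated key=value syntax shown on the slide, expands the comma lists, pairs them positionally, and refuses a line whose certificate and key counts disagree. The sample config text and file names are constructed; the treatment of an omitted ssl_key_name (key expected inside the certificate file) follows the ATS documentation for that field.

```python
import shlex


def parse_multicert_line(line):
    """Split one ssl_multicert.config line into its field=value pairs.

    Lines are whitespace-separated key=value fields; '#' starts a comment.
    Returns {} for blank or comment-only lines.
    """
    fields = {}
    for token in shlex.split(line, comments=True):
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("malformed field %r" % token)
        fields[key] = value
    return fields


def cert_key_pairs(fields):
    """Pair the comma-separated ssl_cert_name entries with ssl_key_name.

    Pairing is positional: the n-th key file goes with the n-th certificate
    chain. An empty ssl_key_name means the key is expected inside each
    certificate file (None here). Any other count mismatch is an error,
    because a missing comma would otherwise attach a key to the wrong chain.
    """
    certs = [c.strip() for c in fields.get("ssl_cert_name", "").split(",") if c.strip()]
    keys = [k.strip() for k in fields.get("ssl_key_name", "").split(",") if k.strip()]
    if not certs:
        raise ValueError("ssl_cert_name is required")
    if keys and len(keys) != len(certs):
        raise ValueError("%d certificate file(s) but %d key file(s)" % (len(certs), len(keys)))
    if not keys:
        keys = [None] * len(certs)
    return list(zip(certs, keys))


def load_multicert(text):
    """Return [(fields, pairs)] for every non-blank line of a config text,
    naming the offending line number if a line is inconsistent."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = parse_multicert_line(line)
        if not fields:
            continue
        try:
            entries.append((fields, cert_key_pairs(fields)))
        except ValueError as err:
            raise ValueError("ssl_multicert.config line %d: %s" % (lineno, err))
    return entries


# Constructed sample: one entry with an ECDSA chain and an RSA chain (the
# slide's example), one legacy entry whose key lives in the certificate file.
SAMPLE_CONFIG = """\
# default entry: two chains, keys paired positionally
dest_ip=* ssl_cert_name=ec-safelyfiled.pem,rsa-safelyfiled.pem ssl_key_name=ec-privkey.pem,rsa-privkey.pem
dest_ip=10.0.0.5 ssl_cert_name=legacy.pem
"""

if __name__ == "__main__":
    for fields, pairs in load_multicert(SAMPLE_CONFIG):
        print(fields.get("dest_ip"), pairs)
```

Run it over a real ssl_multicert.config before reloading: a count mismatch is reported with its line number instead of being discovered as a handshake failure on one of the chains.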

OpenSSL 1.1
● Can no longer reach into the internals
  ○ The OpenSSL team added SSL_set_rbio for us
● CRYPTO_set_id_callback is removed
  ○ Deprecated since 1.0
  ○ Replaced with CRYPTO_THREADID_set_callback, which sets the thread id in a slightly different way
  ○ If we change our lowest supported version of OpenSSL to we can run with only the CRYPTO_THREADID versions of the calls

SSL Session Plugin API Proposal
● LinkedIn and Yahoo developed session sharing support in parallel
  ○ Performance problems were observed with the default session table in OpenSSL
  ○ LinkedIn committed their solution back to open source
  ○ No cross-box communication
  ○ The Yahoo solution includes cross-ATS communication for session sharing
● Propose a plugin API to break out the optional communication, analysis, etc.

SSL Session Plugin API  Add hook TS_SSL_SESSION_HOOK  Triggers callback: ● int SSL_session_callback(TSCont contp, TSEvent event, void *edata)TSContTSEvent ●Where edata is a TSSslSessionId ●Event is one of ●TS_EVENT_SESSION_NEW – A new session has been added to the session table ●TS_EVENT_SESSION_REMOVE - A session has been removed from the session table ●TS_EVENT_SESSION_GET – A session has been requested. Could override decision

SSL Session Plugin API  New functions ●TSSslSession TSSslSessionGet(TSSsslSessionId sessionid)TSSslSession ●TSReturnCode TSSslSessionCurrentSet(TSSslSessionId sessionId, TSSslSession preferredSession)TSReturnCodeTSSslSessionId TSSslSession ●TSReturnCode TSSslSessionSet(TSSslSessionId sessionId, TSSslSession addSession)TSReturnCodeTSSslSessionId TSSslSession ●TSReturnCode TSSslSessionRemove(TSSslSessionId sessionId)TSReturnCodeTSSslSessionId

SSL Session Plugin Use Case
● Goal: share sessions between ATS boxes sitting behind a load balancer
● Set up communication with peer ATS boxes
  ○ Use your favorite messaging library
  ○ Peers communicate new sessions and removed sessions
  ○ Use TSSslSessionSet and TSSslSessionRemove to bring the local copy of the session table up to date
● Set a handler on TS_SSL_SESSION_HOOK
  ○ On remove, notify peers
  ○ On new, notify peers
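The two slides above describe a hook plus four table operations and a use case built on them. The following is an added model of that exchange, written for this page in Python; it is not Traffic Server code and there is no real TS API behind it. Each Node stands in for one ATS box: its table is the session table, hook_handler is the continuation registered on TS_SSL_SESSION_HOOK, session_get/session_set/session_remove stand in for TSSslSessionGet/TSSslSessionSet/TSSslSessionRemove, and an in-memory queue replaces "your favorite messaging library". The event names mirror the proposal; the session ids and blobs are constructed. One design point the slides leave open is whether a TSSslSessionSet from a plugin re-fires TS_EVENT_SESSION_NEW; the model assumes it does not, and routes peer-originated entries through the plugin API rather than the core path so that two boxes cannot ping-pong the same session forever. If the real API does re-fire, the handler needs the equivalent guard (ignore ids it has already propagated).

```python
from collections import deque

TS_EVENT_SESSION_NEW = "TS_EVENT_SESSION_NEW"
TS_EVENT_SESSION_REMOVE = "TS_EVENT_SESSION_REMOVE"
TS_EVENT_SESSION_GET = "TS_EVENT_SESSION_GET"


class Node:
    """One ATS box: a session table plus the plugin's hook handler."""

    def __init__(self, name):
        self.name = name
        self.table = {}        # session id (bytes) -> serialized session (bytes)
        self.peers = []        # other Nodes behind the same load balancer
        self.inbox = deque()   # (event, sid, session) messages from peers

    # Stand-ins for the proposed plugin API calls; they touch only the local
    # table and, by assumption, do not fire the hook.
    def session_get(self, sid):                 # TSSslSessionGet
        return self.table.get(sid)

    def session_set(self, sid, session):        # TSSslSessionSet
        self.table[sid] = session

    def session_remove(self, sid):              # TSSslSessionRemove
        return self.table.pop(sid, None) is not None

    # What the core would do when OpenSSL adds, drops or looks up a session;
    # each path fires the hook with the event the proposal names.
    def core_session_new(self, sid, session):
        self.table[sid] = session
        self.hook_handler(TS_EVENT_SESSION_NEW, sid)

    def core_session_remove(self, sid):
        self.table.pop(sid, None)
        self.hook_handler(TS_EVENT_SESSION_REMOVE, sid)

    def core_session_lookup(self, sid):
        # On GET the handler may hand back a session to use instead of the
        # table's answer ("could override decision"); None means no preference.
        preferred = self.hook_handler(TS_EVENT_SESSION_GET, sid)
        return preferred if preferred is not None else self.table.get(sid)

    # The plugin's continuation on TS_SSL_SESSION_HOOK: on NEW and REMOVE,
    # notify every peer; this plugin expresses no preference on GET.
    def hook_handler(self, event, sid):
        if event in (TS_EVENT_SESSION_NEW, TS_EVENT_SESSION_REMOVE):
            session = self.table.get(sid)   # None for REMOVE
            for peer in self.peers:
                peer.inbox.append((event, sid, session))
        return None

    # Drain peer messages. Peer-originated entries go through session_set /
    # session_remove (the plugin API), not core_session_*, so they do not
    # re-fire the hook and cannot bounce back to the originating box.
    def process_inbox(self):
        handled = 0
        while self.inbox:
            event, sid, session = self.inbox.popleft()
            if event == TS_EVENT_SESSION_NEW:
                self.session_set(sid, session)
            elif event == TS_EVENT_SESSION_REMOVE:
                self.session_remove(sid)
            handled += 1
        return handled


def link(a, b):
    a.peers.append(b)
    b.peers.append(a)


def run_demo():
    """Two boxes behind a load balancer; ids and session blobs are constructed."""
    ats1, ats2 = Node("ats1"), Node("ats2")
    link(ats1, ats2)
    sid1, sid2 = b"\x01" * 32, b"\x02" * 32

    ats1.core_session_new(sid1, b"session-1-blob")   # full handshake on ats1
    ats2.process_inbox()                              # ats2 learns the session
    resumed_on_ats2 = ats2.core_session_lookup(sid1) is not None

    ats2.core_session_remove(sid1)                    # evicted on ats2
    ats1.process_inbox()                              # ats1 drops it too
    gone_on_ats1 = ats1.session_get(sid1) is None

    ats2.core_session_new(sid2, b"session-2-blob")
    ats1.process_inbox()
    return {
        "resumed_on_ats2": resumed_on_ats2,
        "gone_on_ats1": gone_on_ats1,
        "ats1_has_sid2": ats1.session_get(sid2) == b"session-2-blob",
        "pending": len(ats1.inbox) + len(ats2.inbox),
    }


if __name__ == "__main__":
    print(run_demo())
```

The last field of run_demo is the check worth keeping in a real plugin's tests: after every exchange the queues must drain to zero, which is what fails first if propagated entries start re-firing the hook.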

Question about session ticket key use case
● In 5.x, you specify ticket key files per ssl_multicert.config entry
  ○ ssl_cert_name=safelyfiled.pem ssl_key_name=privkey.pem ssl_ticket_enabled=1 ticket_key_name=ticket.dat
● Is there a major use case for specifying different session ticket keys for different origin servers?
  ○ Seems confusing
  ○ Can be difficult to just turn off session tickets (TS-3371)

DHE Issues
● DHE support added in
  ○ In addition to adding DHE algorithms to the cipher list, the DH group parameters must be set via SSL_set_tmp_dh
  ○ Added a dhparams entry to records.config
  ○ If no dhparams is present, the patch automatically uses the 2048-bit DH group defined in RFC 5114
  ○ No way to turn off DHE except by removing the DHE algorithms from the cipher list
  ○ Listed DHE algorithms were useless pre (no DH parameters were set, so those suites could never actually be negotiated)
  ○ LinkedIn noticed an increase in SSL errors that went away in part when the DH change was removed
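Since the only switch for DHE is the cipher list itself, it is worth checking what a candidate list actually enables before it goes into proxy.config.ssl.server.cipher_suite. The following is an added example written for this page, not Traffic Server code: it uses the Python ssl module purely as a front end to OpenSSL's own cipher-string parser (the same parser the ATS setting feeds) and reports which of the resulting suites use finite-field DHE key exchange. The two cipher strings are constructed; the match relies on SSL_CIPHER_description printing "Kx=DH" for DHE suites and "Kx=ECDH" for ECDHE ones.

```python
import re
import ssl

# SSL_CIPHER_description() prints "Kx=DH" for DHE suites and "Kx=ECDH" for
# ECDHE suites, so a word-boundary match on Kx=DH isolates finite-field DHE.
_KX_DH = re.compile(r"\bKx=DH\b")


def expand_cipher_list(cipher_string):
    """Run an OpenSSL cipher string through OpenSSL's own parser and return
    the resulting suites (name, description, ...) in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def dhe_suites(cipher_string):
    """Names of the suites in cipher_string that use finite-field DHE."""
    return [c["name"] for c in expand_cipher_list(cipher_string)
            if _KX_DH.search(c["description"])]


def dhe_report(cipher_string):
    """Summarise what a candidate cipher_suite value enables."""
    suites = expand_cipher_list(cipher_string)
    dhe = [c["name"] for c in suites if _KX_DH.search(c["description"])]
    return {
        "dhe_enabled": bool(dhe),
        "dhe_suites": dhe,
        "total_suites": len(suites),   # includes TLS 1.3 suites on newer OpenSSL
    }


# Constructed examples: a list that leaves DHE on, and the same list with DHE
# stripped, which per the slides is the only way to turn DHE off in 5.2.
WITH_DHE = "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"
WITHOUT_DHE = WITH_DHE + ":!DHE"

if __name__ == "__main__":
    for label, cipher_string in (("with DHE", WITH_DHE), ("without DHE", WITHOUT_DHE)):
        print(label, dhe_report(cipher_string))
```

The "!DHE" keyword is the aliased form; listing the DHE suites you want removed by name works the same way. Either way the report should come back with dhe_enabled False if the intent is to avoid the SSL_set_tmp_dh path entirely.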

DHE Future Changes
● Changes beyond 5.2.1?
  ○ No, leave it be
  ○ Add a "Default" option to the dhparams config entry
  ○ Other?

Addition of Symmetric SSL Statistics (TS-3409)
● Renamed proxy.process.ssl.total_success_handshake_count to proxy.process.ssl.total_success_handshake_count_in
● Added proxy.process.ssl.total_success_handshake_count_out for the outbound (origin-side) handshakes

SSL Transparent Pass-Through
● Augment the transparent pass-through logic to work on SSL as well as HTTP directly over TCP
  ○ TS-3292 (Lev Stipakov)
  ○ If tr-pass is set and the first packet is not a ClientHello, blind-tunnel the connection
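The decision above hinges on recognising a ClientHello from the first bytes on the wire. The following is an added example written for this page, not the TS-3292 code: it checks the TLS record header (content type 22 = handshake, a 3.x record version, a plausible length) and the first handshake byte (1 = ClientHello), and maps the result to terminate-or-tunnel. The SSLv2-framed ClientHello branch is an addition here for completeness (old clients sent that framing as a backward-compatible hello); the slide only says "client hello". All sample first packets are constructed prefixes.

```python
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def looks_like_client_hello(first_bytes):
    """True if the start of a connection parses as a TLS (or SSLv2-framed)
    ClientHello. Needs the 5-byte record header plus one handshake byte; with
    fewer bytes the answer is False, so a real listener should wait for them."""
    b = bytes(first_bytes)
    # TLS record: content type, version (0x03, 0x00..0x04), 2-byte length,
    # then the handshake message whose first byte is the handshake type.
    if len(b) >= 6 and b[0] == TLS_HANDSHAKE and b[1] == 0x03 and b[2] <= 0x04:
        rec_len = (b[3] << 8) | b[4]
        return rec_len >= 4 and b[5] == CLIENT_HELLO
    # SSLv2-framed ClientHello: 2-byte length with the high bit set, then
    # msg type 1, then the client's highest version, 0x03xx for SSLv3/TLS.
    # (Addition here; the slide only mentions "client hello".)
    if len(b) >= 5 and (b[0] & 0x80) and b[2] == CLIENT_HELLO and b[3] == 0x03:
        return True
    return False


def first_packet_action(first_bytes):
    """What a tr-pass listener should do with this connection."""
    return "terminate-ssl" if looks_like_client_hello(first_bytes) else "blind-tunnel"


# Constructed first-packet prefixes (truncated; only the leading bytes matter).
SAMPLES = {
    "tls12_client_hello": bytes.fromhex("160301002f0100002b0303"),
    "tls_alert": bytes.fromhex("15030300020228"),
    "server_hello": bytes.fromhex("160303003a0200003603"),
    "http_get": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_7.9\r\n",
    "sslv2_hello": bytes.fromhex("802e0103010015"),
    "too_short": bytes.fromhex("160301"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print("%-20s %s" % (label, first_packet_action(pkt)))
```

Note what the tunnel branch implies operationally: anything that is not a ClientHello, including plain HTTP on the 443 listener, is forwarded untouched, so the ATS box neither decrypts nor logs it.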

Various bug fixes
● SSL handshake buffer fix (TS-3451)
  ○ Brian Geffon tracked down an increase in SSL errors moving from 5.0 to
● SNI callback fix (TS-3272)
  ○ Lev found a CPU spin if the SNI callback did not reenable
● Certificate loading fixes
  ○ Remove spurious warnings on certificate load (TS-3243)
  ○ Fail system start if certificates do not load (TS-3376)

Questions?