[gnutls-devel] session ticket key rotation

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Nov 13 21:25:21 CET 2016

Hi GnuTLS folks--

I'm trying to add session tickets to a GnuTLS-enabled daemon.

I'm using gnutls_session_ticket_enable_server(), but it looks like there
is no way to smoothly rotate session ticket keys.  That is, as soon as i
call gnutls_session_ticket_enable_server(), all previously-issued
session tickets become invalidated.

What i'd prefer is for my server to have a pool of N session ticket
keys, and for me to expire (and replace) one of them (in sequence) every
K seconds.

The tickets issued by this setup would have some reserved space that
indicated which of the slots is in use (e.g. the top 3 bits, if N = 8).

When encrypting, we'd always select the most recently-regenerated slot,
and we'd set those bits to correspond to the slot in use.

When decrypting, we'd select the key to decrypt with based on the
corresponding bits.

With this scheme, tickets issued by each key would be good for at least
(N-1)*K seconds (in the case where a ticket is issued from the key just
before the next key is generated), and there would never be a hard
cutover that invalidates all existing session tickets.

Is there a way to do this in GnuTLS as it currently stands?  If not,
would you be interested in such a feature?

I'm imagining that an opaque server-side API for this would look
something like:

    struct gnutls_ticket_key_pool_int;
    typedef struct gnutls_ticket_key_pool_int *gnutls_ticket_key_pool_t;

    int gnutls_ticket_key_pool_init(gnutls_ticket_key_pool_t *pool, int numkeys);
    int gnutls_ticket_key_pool_free(gnutls_ticket_key_pool_t pool);
    int gnutls_ticket_key_pool_rotate(gnutls_ticket_key_pool_t pool);

    /* new value for gnutls_credentials_type_t */

Users would associate the ticket key pool with a session using
gnutls_credentials_get and gnutls_credentials_set, making the workflow
and memory ownership model aligned with existing use.

The caller would be responsible for invoking
gnutls_ticket_key_pool_rotate() at their selected intervals.

The opacity of the object might cause trouble if you wanted to share the
pool's session ticket keys across a pool of front-end servers, or if you
wanted session tickets to survive a server reboot.  You could handle
that situation by adding a pair of serialization/deserialization
functions for the ticket key pool.

Any thoughts?  Is there already a good way to do something like this in
the existing API and i'm just missing it?
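
The slot scheme described in the message above (a pool of N keys, the slot
index carried in the top bits of the ticket, encryption always under the
newest slot, decryption keyed by the slot bits) as a small working model.
This is an added example, not code from the message or from GnuTLS; the
function names, the struct layout and the ticket format are assumptions
that loosely follow the API sketch above.  The cipher, the MAC and the
random fill (demo_prf, demo_fill) are non-cryptographic stand-ins so the
model runs stand-alone; a real implementation would use an AEAD such as
AES-GCM and keys from gnutls_rnd().  Only the slot selection and rotation
logic is the point.

```c
/* Added example, not GnuTLS code: N-slot ticket key pool with staggered rotation.
 * Names/layout are assumptions; demo_fill and demo_prf are NON-CRYPTOGRAPHIC stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { POOL_SLOTS = 8, SLOT_SHIFT = 5, SLOT_MASK = (1 << SLOT_SHIFT) - 1 }; /* N = 8: top 3 bits of byte 0 */
enum { KEY_LEN = 16, NONCE_LEN = 8, TAG_LEN = 8, TICKET_OVERHEAD = 1 + NONCE_LEN + TAG_LEN };

struct ticket_key_pool {
    uint8_t  key[POOL_SLOTS][KEY_LEN];
    unsigned current;                         /* most recently regenerated slot */
    uint64_t rng;                             /* demo-only LCG state, not a CSPRNG */
};

static void demo_fill(struct ticket_key_pool *p, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)            /* stands in for gnutls_rnd() */
        out[i] = (uint8_t)((p->rng = p->rng * 6364136223846793005ULL + 1442695040888963407ULL) >> 56);
}

/* Demo-only keyed mixer: domain 0 = tag, domain i >= 1 = keystream block i-1. */
static uint64_t demo_prf(const uint8_t *key, const uint8_t *msg, size_t n, uint64_t domain)
{
    uint64_t h = 0x9E3779B97F4A7C15ULL ^ domain;
    for (size_t i = 0; i < KEY_LEN; i++) { h ^= key[i]; h *= 0x100000001B3ULL; h ^= h >> 29; }
    for (size_t i = 0; i < n; i++)       { h ^= msg[i]; h *= 0x100000001B3ULL; h ^= h >> 29; }
    return h;
}

static void xor_keystream(const uint8_t *key, const uint8_t *nonce,
                          const uint8_t *in, uint8_t *out, size_t n)
{
    uint64_t ks = 0;
    for (size_t i = 0; i < n; i++) {
        if (i % 8 == 0) ks = demo_prf(key, nonce, NONCE_LEN, 1 + i / 8);
        out[i] = in[i] ^ (uint8_t)(ks >> (8 * (i % 8)));
    }
}

void ticket_pool_init(struct ticket_key_pool *p, uint64_t seed)
{
    *p = (struct ticket_key_pool){ .rng = seed };       /* current = 0 */
    for (unsigned s = 0; s < POOL_SLOTS; s++) demo_fill(p, p->key[s], KEY_LEN);
}

/* Every K seconds: step to the next slot and overwrite only that key; the other N-1 survive. */
void ticket_pool_rotate(struct ticket_key_pool *p)
{
    p->current = (p->current + 1) % POOL_SLOTS;
    demo_fill(p, p->key[p->current], KEY_LEN);
}

/* Ticket = [slot<<5][nonce][ciphertext][tag], always under the newest slot. Returns length or -1. */
int ticket_encrypt(struct ticket_key_pool *p, const uint8_t *state, size_t n,
                   uint8_t *out, size_t cap)
{
    if (cap < n + TICKET_OVERHEAD) return -1;
    const uint8_t *key = p->key[p->current];
    out[0] = (uint8_t)(p->current << SLOT_SHIFT);       /* reserved low bits stay zero */
    demo_fill(p, out + 1, NONCE_LEN);
    xor_keystream(key, out + 1, state, out + 1 + NONCE_LEN, n);
    uint64_t tag = demo_prf(key, out, 1 + NONCE_LEN + n, 0);
    memcpy(out + 1 + NONCE_LEN + n, &tag, TAG_LEN);
    return (int)(n + TICKET_OVERHEAD);
}

/* Pick the key by the slot bits, compare the tag in constant time, then decrypt.  Returns the
 * state length, or -1 for a bad header, a tampered ticket, or a slot key since rotated out. */
int ticket_decrypt(const struct ticket_key_pool *p, const uint8_t *t, size_t tl,
                   uint8_t *out, size_t cap)
{
    if (tl < TICKET_OVERHEAD || (t[0] & SLOT_MASK) || cap < tl - TICKET_OVERHEAD) return -1;
    size_t n = tl - TICKET_OVERHEAD;
    const uint8_t *key = p->key[t[0] >> SLOT_SHIFT];     /* 3 bits: always < POOL_SLOTS */
    uint64_t tag = demo_prf(key, t, 1 + NONCE_LEN + n, 0), diff = 0;
    for (size_t i = 0; i < TAG_LEN; i++) diff |= ((uint8_t *)&tag)[i] ^ t[1 + NONCE_LEN + n + i];
    if (diff) return -1;
    xor_keystream(key, t + 1, t + 1 + NONCE_LEN, out, n);
    return (int)n;
}

/* One ticket's lifetime: decryptable through N-1 rotations, rejected once the N-th rotation
 * overwrites its slot.  Returns 0 on success, else the number of the failing step. */
int run_demo(void)
{
    struct ticket_key_pool pool; uint8_t ticket[64], plain[64];
    static const uint8_t state[] = "constructed-session-state";  /* constructed sample input */
    ticket_pool_init(&pool, 0x5eed);
    int tl = ticket_encrypt(&pool, state, sizeof state, ticket, sizeof ticket);
    if (tl != (int)(sizeof state + TICKET_OVERHEAD) || ticket[0] != 0) return 1;
    for (int i = 1; i < POOL_SLOTS; i++) {                /* N-1 rotations: ticket still valid */
        ticket_pool_rotate(&pool);
        if (ticket_decrypt(&pool, ticket, (size_t)tl, plain, sizeof plain) != (int)sizeof state
            || memcmp(plain, state, sizeof state) != 0) return 2;
    }
    ticket_pool_rotate(&pool);                            /* N-th rotation replaces slot 0's key */
    return ticket_decrypt(&pool, ticket, (size_t)tl, plain, sizeof plain) == -1 ? 0 : 3;
}

int main(void)
{
    int rc = run_demo(); printf("run_demo rc=%d\n", rc); return rc;
}
```

The header byte is checked before the slot is used: the three slot bits
can only index 0..7, and a ticket with any reserved bit set is rejected
outright, so a hostile ticket can never select an out-of-range key.  A
ticket whose slot has been regenerated fails the tag check exactly like a
tampered one, which is the (N-1)*K lifetime bound from the message: a
ticket issued just before the next rotation survives N-1 further
rotations and dies on the N-th.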

