Add support for TLS ticket encryption based on internal seeds

Summary: Synchronise encryption keys between multiple hosts.

Reviewed By: kulshrax, mingtaoy

Differential Revision: D13296482

fbshipit-source-id: 5fdb1d818b9b9c90be0f3f69d3cc01ac05cbac77

apiserver/src/main.rs

@@ -363,6 +363,12 @@ fn main() -> Result<()> {
                     .value_name("PATH")
                     .help("path to the ssl ca file"),
             )
+            .arg(
+                Arg::with_name("ssl-ticket-seeds")
+                    .long("ssl-ticket-seeds")
+                    .value_name("PATH")
+                    .help("path to the ssl ticket seeds"),
+            )
             .arg(
                 Arg::with_name("myrouter-port")
                     .long("myrouter-port")
@@ -423,6 +429,10 @@ fn main() -> Result<()> {
             .value_of("ssl-ca")
             .expect("must specify CA")
             .to_string();
+        let ticket_seed = matches
+            .value_of("ssl-ticket-seeds")
+            .unwrap_or(secure_utils::fb_tls::SEED_PATH)
+            .to_string();
 
         let ssl = secure_utils::SslConfig {
             cert,
@@ -430,7 +440,12 @@ fn main() -> Result<()> {
             ca_pem,
         };
         let acceptor = secure_utils::build_tls_acceptor_builder(ssl.clone())?;
-        Some(secure_utils::fb_tls_acceptor_builder(ssl.clone(), acceptor)?)
+        Some(secure_utils::fb_tls::tls_acceptor_builder(
+            root_logger.clone(),
+            ssl.clone(),
+            acceptor,
+            ticket_seed,
+        )?)
     } else {
         None
     };

tests/integration/library.sh

@@ -205,8 +205,10 @@ function apiserver {
     --ssl-ca "$TESTDIR/testcert.crt" \
     --ssl-private-key "$TESTDIR/testcert.key" \
     --ssl-certificate "$TESTDIR/testcert.crt" \
+    --ssl-ticket-seeds "$TESTDIR/server.pem.seeds" \
     --do-not-init-cachelib >> "$TESTTMP/apiserver.out" 2>&1 &
-  echo $! >> "$DAEMON_PIDS"
+  export APISERVER_PID=$!
+  echo "$APISERVER_PID" >> "$DAEMON_PIDS"
 }
 
 function no_ssl_apiserver {

tests/integration/server.pem.seeds

@@ -0,0 +1 @@
+{"old": ["0cdb7746c57e4069f84192f5b73905e040e46439b6afe886ba048fc40700416bb1986ab97729d35cf8b9a3dee0d717a6"], "new": ["cfb5cca1d5715dae1ddecb97e1302dc816238f23c7cb89b6e514961b0bc9e9297c04dac377004000dc31450da1af0f8f"], "current": ["7fe165ba823b01abb8c1b4768a1846070ce9b0dbd3efa52bde4a20d45a89c6d1c8b21fda6d2b33f8ea005f616abf028a"]}

tests/integration/test-apiserver.t

@@ -289,6 +289,25 @@ test TLS Session/Ticket resumption when using client certs
   $ if [ "$RUN1" == "$RUN2" ]; then echo "SUCCESS"; fi
   SUCCESS
 
+test TLS Tickets use encryption keys from seeds - sessions should persist across restarts
+  $ kill -9 $APISERVER_PID && wait $APISERVER_PID
+  $TESTTMP.sh: * Killed * (glob)
+  [137]
+  $ truncate -s 0 "$TESTTMP/apiserver.out"
+  $ apiserver -H "[::1]" -p $APISERVER_PORT
+  $ wait_for_apiserver
+  $ echo -e "GET /health_check HTTP/1.1\r\n" | s_client -sess_in $TMPFILE -state | grep -E "^SSL_connect"
+  SSL_connect:before/connect initialization
+  SSL_connect:SSLv3 write client hello A
+  SSL_connect:SSLv3 read server hello A
+  SSL_connect:SSLv3 read finished A
+  SSL_connect:SSLv3 write change cipher spec A
+  SSL_connect:SSLv3 write finished A
+  SSL_connect:SSLv3 flush data
+  SSL3 alert read:warning:close notify
+  SSL3 alert write:warning:close notify
+  [1]
+
 test download LFS (GET request)
   $ sslcurl $APISERVER/repo/lfs/download/$SHA > output
   $ diff output - <<< $TEST_CONTENT