On 31 Mar 2015, at 13:19, Sam Hartman <hartmans@mit.edu> wrote:
* * Signs the administrator configured key, using the private key associated with the * SSL context, then hashes the signature to get a key of an appropriate length, * which is fed to the hmac and encryption contexts for the session ticket.
wait. What? I'm not parsing what you're trying to do there, and it's triggering my security spidy sense.
Requirements: - A cluster of servers need to derive the same session ticket key without communicating with each other. - The key should be derived from something the administrator configures, and the private key set for the SSL context. So if administrators choose simple keys, they don't open themselves up to session ticket spoofing. - The derived key must be a fixed length.
Why do you ever want to hash a signature to get an encryption key?
To get a fixed length key. Different certificate types will generate signatures of differing sizes. If there's a better way to generate a key of a fixed length, using an administrator provided key string, and a private key then i'd definitely be open to it. Using the private key to sign the administrator configured key was a trick from the original NGINX implementation of RFC 5077 session resumption. There they just took the first 48 bytes of the signature. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2