```rust
/// Adds a key which will be used to encrypt and decrypt session tickets. The intro_time parameter is time since
/// the Unix epoch (Midnight, January 1st, 1970). The key must be at least 16 bytes.
pub fn add_session_ticket_key(
    &mut self,
    key_name: &[u8],
    key: &[u8],
    intro_time: SystemTime,
) -> Result<&mut Self, Error> {
```
However, this method is implemented on config::Builder so it is not available after the config is created.
Solution:
Workarounds
The one workaround that I can think of for this is using the ClientHello callback to always resolve to a "most recent" config. You would create a new config every hour with the rotation of the STEKs. This is not a pretty solution 😬
Code Changes
Ideally the add_session_ticket_key would be available on the config::Config.
- Should it take a &self or &mut self?
- Does it need to do any internal synchronization?
Clients currently have to implement rotation themselves, and I wonder if it might make sense to switch to something like rustls' ticketer api?
Requirements / Acceptance Criteria:
Customers should be able to rotate STEKs when using the bindings. I think as part of the acceptance criteria, we should add an example server with STEKs that rotate every hour.
Problem:
There is no obvious way to rotate STEK material when using s2n-tls through the Rust bindings.
s2n_config_add_ticket_crypto_key is exposed in the Rust bindings (s2n-tls/bindings/rust/s2n-tls/src/config.rs, lines 672 to 679 in 933f379).
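The workaround described in the issue (always resolving to a "most recent" config that is rebuilt on every rotation), modelled with only the standard library as an added example; it is not code from the issue or from s2n-tls. `Stek`, `BuiltConfig`, `LatestConfig` and the `retain` window are hypothetical stand-ins, and wiring `resolve` into a real ClientHello callback is left out.

```rust
use std::sync::{Arc, RwLock};
use std::time::{Duration, SystemTime};

/// The three arguments add_session_ticket_key takes, kept together.
#[derive(Clone)]
pub struct Stek { pub name: Vec<u8>, pub key: Vec<u8>, pub intro_time: SystemTime }

/// Hypothetical stand-in for an immutable, already-built config (not the s2n-tls type).
pub struct BuiltConfig { pub steks: Vec<Stek> }

/// Hypothetical holder a ClientHello callback would consult on every handshake.
pub struct LatestConfig { current: RwLock<Arc<BuiltConfig>> }

fn check_key(k: &Stek) -> Result<(), String> {
    // The doc comment quoted on this page requires at least 16 bytes of key material.
    if k.key.len() < 16 { Err("STEK shorter than 16 bytes".to_string()) } else { Ok(()) }
}

impl LatestConfig {
    pub fn new(first: Stek) -> Result<Self, String> {
        check_key(&first)?;
        Ok(Self { current: RwLock::new(Arc::new(BuiltConfig { steks: vec![first] })) })
    }
    /// Handshake path: needs only &self; connections keep the Arc they were handed.
    pub fn resolve(&self) -> Arc<BuiltConfig> {
        self.current.read().unwrap().clone()
    }
    /// Rotation path: build a new config with the new key plus keys younger than
    /// `retain` (so recently issued tickets still decrypt), then swap it in.
    pub fn rotate(&self, new: Stek, retain: Duration) -> Result<(), String> {
        check_key(&new)?;
        let now = new.intro_time;
        let mut cur = self.current.write().unwrap(); // held across read and swap: no lost update
        let mut steks: Vec<Stek> = cur.steks.iter()
            .filter(|k| now.duration_since(k.intro_time).map_or(true, |age| age < retain))
            .cloned().collect();
        steks.push(new);
        *cur = Arc::new(BuiltConfig { steks });
        Ok(())
    }
}

fn main() {
    // Constructed sample; fixed key bytes for illustration only, real STEKs come from a CSPRNG.
    let (t0, hour) = (SystemTime::now(), Duration::from_secs(3600));
    let stek = |n: &str, t: SystemTime| Stek { name: n.into(), key: vec![7u8; 32], intro_time: t };
    let latest = LatestConfig::new(stek("k0", t0)).unwrap();
    latest.rotate(stek("k1", t0 + hour), 2 * hour).unwrap();
    println!("keys in newest config: {}", latest.resolve().steks.len());
}
```

In this model the swap needs only `&self` plus a lock, and a connection that already resolved a config keeps using the key set it started with.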