crypto/tls: rotate session ticket keys

Automatically rotate session ticket keys for servers that don't already have sessionTicketKeys and that haven't called SetSessionTicketKeys. Now, session ticket keys will be rotated every 24 hours with a lifetime of 7 days. This adds a small performance cost to existing clients that don't provide a session ticket encrypted with a fresh enough session ticket key, which would require a full handshake. Updates #25256 Change-Id: I15b46af7a82aab9a108bceb706bbf66243a1510f Reviewed-on: https://go-review.googlesource.com/c/go/+/230679 Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
2025-04-04 04:27:36 +03:00 · 2020-04-28 17:47:27 -04:00 · 2020-04-28 17:47:27 -04:00 · 47355c49eb
commit 47355c49eb
parent 451074ba19
6 changed files with 180 additions and 99 deletions
--- a/handshake_server_test.go
+++ b/handshake_server_test.go
@ -1496,12 +1496,8 @@ var getConfigForClientTests = []struct {
 		},
 		"",
 		func(config *Config) error {
-			// The value of SessionTicketKey should have been
-			// duplicated into the per-connection Config.
-			for i := range config.SessionTicketKey {
-				if b := config.SessionTicketKey[i]; b != byte(i) {
-					return fmt.Errorf("SessionTicketKey was not duplicated from original Config: byte %d has value %d", i, b)
-				}
+			if config.SessionTicketKey == [32]byte{} {
+				return fmt.Errorf("expected SessionTicketKey to be set")
 			}
 			return nil
 		},
@ -1522,10 +1518,8 @@ var getConfigForClientTests = []struct {
 		},
 		"",
 		func(config *Config) error {
-			// The session ticket keys should have been duplicated
-			// into the per-connection Config.
-			if l := len(config.sessionTicketKeys); l != 1 {
-				return fmt.Errorf("got len(sessionTicketKeys) == %d, wanted 1", l)
+			if config.SessionTicketKey == [32]byte{} {
+				return fmt.Errorf("expected SessionTicketKey to be set")
 			}
 			return nil
 		},