On Tuesday 23 September 2014 20:30:04, Rodrigo Campos wrote:
> I tried to do some tests to see if maybe a reload was enough
> (doesn't cause downtime :)) to re-generate the randomly generated
> session ticket key at startup. But let me be very clear about
> this: I'm not a security expert (far from that) nor do I have any deep
> knowledge of TLS, session resumption, etc. I just did some tests
> that I'm not 100% sure what they mean.
Yes, a graceful reload is enough to generate a new session ticket key. See
http://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52248C40.7070206%40opensslfoundation.com%3E

This means that in the default configuration in wheezy, the session ticket key is kept for one week. That is not optimal, but IMHO it is not a severe problem either. In 2.4.10-2, the log rotation has been changed from weekly to daily which gives some improvement.
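A way to verify the claim above on a running server, added here as an example; it is not part of this bug report and not code from apache2 or OpenSSL. It assumes OpenSSL's session ticket layout, in which the first 16 bytes of every ticket are the key name (a random value OpenSSL picks when the SSL_CTX is created, unless a ticket-key callback supplies its own), so a ticket issued before a graceful reload and one issued after it carry different key names if and only if the ticket key was regenerated. The two `openssl sess_id -text` dumps below are constructed samples, not real captures; the host name and file names in the comments are placeholders.

```python
"""Compare the session-ticket key name in two `openssl sess_id -text` dumps.

Capture on the live server (not run here; host and file names are placeholders):
    openssl s_client -connect www.example.org:443 -sess_out before.pem </dev/null
    openssl sess_id -in before.pem -text -noout > before.txt
    apache2ctl graceful
    openssl s_client -connect www.example.org:443 -sess_out after.pem </dev/null
    openssl sess_id -in after.pem -text -noout > after.txt
Then feed before.txt / after.txt to key_rotated().
"""
import re

# Constructed sample output of `openssl sess_id -text -noout`, trimmed to the
# relevant lines. The hexdump rows follow OpenSSL's BIO_dump layout:
# offset, " - ", up to 16 hex bytes (a '-' after the 8th), then an ASCII column.
BEFORE = """\
SSL-Session:
    Protocol  : TLSv1.2
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6c 56 c8 cf 8a 37 5e 03-8d 09 ac 29 9b 96 73 4d   lV...7^....).sM
    0010 - 11 22 33 44 55 66 77 88-99 aa bb cc dd ee ff 00   ."3DUfw.........
    0020 - de ad be ef                                       ....
    Start Time: 1411500000
"""

# Same server after `apache2ctl graceful`: a fresh SSL_CTX, hence a new key name
# in the first 16 bytes (constructed sample).
AFTER = """\
SSL-Session:
    Protocol  : TLSv1.2
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 0f 1e 2d 3c 4b 5a 69 78-87 96 a5 b4 c3 d2 e1 f0   ..-<KZix........
    0010 - 11 22 33 44 55 66 77 88-99 aa bb cc dd ee ff 00   ."3DUfw.........
    0020 - ca fe f0 0d                                       ....
    Start Time: 1411500600
"""

# One hexdump row: 4-digit offset, " - ", then 1..16 hex pairs each followed by
# ' ' or '-'. The ASCII column is separated by at least two spaces, so the
# bounded repetition cannot run into it.
HEX_ROW = re.compile(r"^\s*[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -]){1,16})")


def session_ticket(sess_id_text):
    """Return the raw ticket bytes from an `openssl sess_id -text` dump."""
    ticket = bytearray()
    in_ticket = False
    for line in sess_id_text.splitlines():
        # "TLS session ticket:" (with the colon) starts the hexdump; the
        # "TLS session ticket lifetime hint:" line does not match this test.
        if "TLS session ticket:" in line:
            in_ticket = True
            continue
        if in_ticket:
            m = HEX_ROW.match(line)
            if not m:
                break  # first non-hexdump line ends the ticket block
            ticket += bytes.fromhex(re.sub(r"[ -]", "", m.group(1)))
    return bytes(ticket)


def ticket_key_name(sess_id_text):
    """First 16 bytes of the ticket: the key name in OpenSSL's ticket format."""
    ticket = session_ticket(sess_id_text)
    if len(ticket) < 16:
        raise ValueError("no session ticket in dump (tickets disabled, or "
                         "the server resumed by session ID instead)")
    return ticket[:16]


def key_rotated(before_text, after_text):
    """True if the two captures were encrypted under different ticket keys."""
    return ticket_key_name(before_text) != ticket_key_name(after_text)


if __name__ == "__main__":
    print("before:", ticket_key_name(BEFORE).hex())
    print("after: ", ticket_key_name(AFTER).hex())
    print("ticket key rotated:", key_rotated(BEFORE, AFTER))
```

A matching key name in both captures means the reload did not regenerate the key (or that the server is resuming by session ID and never sent a ticket, which `ticket_key_name` reports as an error rather than a false "not rotated"). The check only inspects the ticket's cleartext key-name prefix; it cannot and does not try to decrypt the ticket.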