On Tue, Sep 23, 2014 at 10:41:49PM +0200, Stefan Fritsch wrote:
> On Tuesday 23 September 2014 20:30:04, Rodrigo Campos wrote:
> > I tried to do some tests to see if maybe a reload was enough
> > (doesn't cause downtime :)) to re-generate the randomly generated
> > session ticket key at startup. But let me be very clear about
> > this: I'm not a security expert (far from that) nor do I have any deep
> > knowledge of TLS, session resumption, etc. I just did some tests
> > that I'm not 100% sure what they mean.
>
> Yes, a graceful reload is enough to generate a new session ticket key.
> See
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52248C40.7070206%40opensslfoundation.com%3E
Ohh, I didn't find that. Thanks!

But well, that email says with that setup it did. As it did with mine. And
reading the thread I didn't see anybody saying that in all MPMs and
configurations it will. They do say, though, that "if a graceful restart frees
up and reallocates the SSL_CTX structure" it will (here[1]), but I didn't
check the code to see if this is the case independently of the MPM or
configs. Are you sure it always will?

> This means that in the default configuration in wheezy, the session
> ticket key is kept for one week. That is not optimal, but IMHO it is
> not a severe problem either.

Not sure if it is a severe problem or not, but it is something worth
mentioning in README.Debian IMHO.

> In 2.4.10-2, the log rotation has been changed from weekly to daily
> which gives some improvement.

Nice. But in 2.4 you can turn off session tickets entirely, so it's less of a
problem (although worth mentioning too if that is not the default config IMHO).

Thanks a lot,
Rodrigo

[1]: https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3c522339e0.2040...@opensslfoundation.com%3E
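The question in the message above (did the graceful reload really give the server a fresh session ticket key?) can be answered from the outside without reading mod_ssl's code. OpenSSL's ticket machinery, both its built-in ticket code and the SSL_CTX_set_tlsext_ticket_key_cb callback that mod_ssl's SSLSessionTicketKeyFile uses, writes the 16-byte key name as the first 16 bytes of every ticket (the layout recommended in RFC 5077 section 4: key_name, IV, encrypted state, MAC). If the key name in a ticket issued after `apache2ctl graceful` differs from the one issued before, the ticket key was rotated; if it is unchanged, the old key is still in use. The script below is an added example, not code from this thread, from Apache or from Debian. It parses the "TLS session ticket:" hexdump that `openssl s_client` prints in its SSL-Session block and compares the key names. The three captures embedded in it are hand-constructed sample data, not real server output, and the MAC length used for the layout sanity check assumes OpenSSL's default HMAC-SHA256.

```python
import re

# Constructed sample data (hand-made for this example, not captured from a
# real server): the "SSL-Session:" block that `openssl s_client -connect
# host:443` prints after a full handshake, once before and once after
# `apache2ctl graceful`.
BEFORE_RELOAD = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5D8A2C0F1B3E47A6D9C2E5F8A1B4C7D0E3F6A9B2C5D8E1F4A7B0C3D6E9F2A5B8
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6f 2a 91 c4 0d 7b 3e 58-a2 c6 15 ee 80 39 f1 07   o*...{>X.....9..
    0010 - 5c 0b d8 43 21 9a 7e 66-10 cd 4f 88 b7 2d 03 e9   ...C!.~f..O..-..
    0020 - 8e 64 a7 1b f0 52 c3 99-3d 06 de 47 b1 2c 70 a5   .d...R..=..G.,p.
    0030 - 12 fd 6c 38 e5 9b 04 c7-5a 83 2f d1 46 b0 9e 2b   ..l8....Z./.F..+
    0040 - 71 c8 0e 95 3b 67 da 1f-ac 24 50 e3 8d 76 b9 0a   q...;g...$P..v..
    Start Time: 1411504909
    Timeout   : 300 (sec)
"""

# Same server after a reload that recreated the SSL_CTX: new key name.
AFTER_RELOAD = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 9C1E4B7A2D5F8C0B3E6A9D1C4F7B0E2A5D8C1F4B7E0A3D6C9F2B5E8A1D4C7F0B
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b3 5e 07 d9 4c a1 62 f8-1d 90 ce 27 7a 4b e6 35   .^..L.b....'zK.5
    0010 - 09 f2 83 6d 5b c0 1e 47-e8 32 a9 75 d4 0c 6f 91   ...m[..G.2.u..o.
    0020 - 4a 19 e7 b2 8c 53 0a 3e-c1 76 f5 24 9b 68 d0 87   J....S.>.v.$.h..
    0030 - 2d c4 70 8f 17 ab e2 59-36 05 ca 63 f9 1c 84 be   -.p....Y6..c....
    0040 - 95 0e 6b 3a d7 48 21 fc-a6 7d 13 e0 5c 92 b8 4f   ..k:.H!..}....O
    Start Time: 1411505047
    Timeout   : 300 (sec)
"""

# A second ticket from the *unreloaded* server: fresh IV and ciphertext, but
# the key name (first 16 bytes) is the same as in BEFORE_RELOAD.
SAME_KEY_NEW_TICKET = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6f 2a 91 c4 0d 7b 3e 58-a2 c6 15 ee 80 39 f1 07   o*...{>X.....9..
    0010 - e1 37 4a 9c 05 b6 82 2f-d9 60 1e c5 73 a8 4d 0b   .7J..../.`..s.M.
    0020 - 56 c2 8b 0f 94 3d e6 71-a3 18 f7 2c 6e d5 09 ba   V....=.q...,n...
    0030 - 0d 7e a9 45 cb 12 90 f3-28 6b e4 57 b1 3c 8a 66   .~.E....(k.W.<.f
    0040 - c7 20 5f 9e 61 04 bd 88-fa 3b 14 e9 72 d6 a0 4c   . _.a....;..r..L
    Start Time: 1411504931
    Timeout   : 300 (sec)
"""

# What a 2.4 server with "SSLSessionTickets off" prints: no ticket lines at all.
NO_TICKET = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 3A6F9C2E5B8D1F4A7C0E3B6D9F2A5C8E1B4D7F0A3C6E9B2D5F8A1C4E7B0D3F6A
    Start Time: 1411505102
"""

# One row of OpenSSL's BIO_dump output: "0010 - xx xx ... xx-xx ... xx   ascii".
# The ASCII column is separated from the hex by at least two spaces, so the
# greedy group of "xx " / "xx-" pairs stops before it.
HEX_ROW = re.compile(r"^\s*[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])+)")
TICKET_MARKER = "TLS session ticket:"

# Default OpenSSL ticket layout: 16-byte key name, 16-byte AES-CBC IV,
# ciphertext, HMAC-SHA256 (32 bytes). The key name length is fixed by the
# ticket callback API; the MAC length is an assumption about the default digest.
KEY_NAME_LEN, IV_LEN, MAC_LEN = 16, 16, 32


def has_session_ticket(s_client_output: str) -> bool:
    """True if the server issued a ticket (the hexdump header is present)."""
    return any(l.strip() == TICKET_MARKER for l in s_client_output.splitlines())


def parse_session_ticket(s_client_output: str) -> bytes:
    """Return the raw ticket bytes from the hexdump under 'TLS session ticket:'."""
    lines = s_client_output.splitlines()
    if not has_session_ticket(s_client_output):
        raise ValueError("no session ticket in s_client output (tickets disabled?)")
    start = next(i for i, l in enumerate(lines) if l.strip() == TICKET_MARKER)
    hexdata = []
    for line in lines[start + 1:]:
        m = HEX_ROW.match(line)
        if not m:
            break  # first non-hexdump line ends the ticket
        hexdata.append(re.sub(r"[ -]", "", m.group(1)))
    return bytes.fromhex("".join(hexdata))


def split_ticket(ticket: bytes):
    """Split a ticket into (key_name, iv, ciphertext, mac), checking the default layout."""
    if len(ticket) < KEY_NAME_LEN + IV_LEN + MAC_LEN:
        raise ValueError("ticket too short for key_name + IV + MAC")
    key_name = ticket[:KEY_NAME_LEN]
    iv = ticket[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN]
    ciphertext = ticket[KEY_NAME_LEN + IV_LEN:-MAC_LEN]
    mac = ticket[-MAC_LEN:]
    if len(ciphertext) % 16 != 0:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return key_name, iv, ciphertext, mac


def ticket_key_name(s_client_output: str) -> bytes:
    """The 16-byte key name identifying which ticket key encrypted this ticket."""
    return split_ticket(parse_session_ticket(s_client_output))[0]


def key_rotated(before: str, after: str) -> bool:
    """True if the two captures were encrypted under different ticket keys."""
    return ticket_key_name(before) != ticket_key_name(after)


if __name__ == "__main__":
    for label, capture in (("before reload", BEFORE_RELOAD), ("after reload", AFTER_RELOAD)):
        print(f"{label}: key name {ticket_key_name(capture).hex()}")
    print("ticket key rotated:", key_rotated(BEFORE_RELOAD, AFTER_RELOAD))
    print("same key, new ticket:", not key_rotated(BEFORE_RELOAD, SAME_KEY_NEW_TICKET))
```

To use it against a real host, save the output of `openssl s_client -connect host:443 </dev/null` once, run `apache2ctl graceful`, save a second capture, and pass the two texts to `key_rotated`. A changed key name is positive evidence that the reload recreated the ticket key; an unchanged key name across the reload is exactly the situation discussed above, where the old key (and every ticket it issued) stays decryptable until the next rotation. A second ticket from the same unreloaded server always has a new IV and ciphertext, which is why the comparison must be on the key name and not on the whole ticket.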