Bug#762619: apache2: Don't let TLS session tickets botch PFS
On Tuesday 23 September 2014 20:30:04, Rodrigo Campos wrote:
> I tried to do some tests to see if maybe a reload was enough
> (doesn't cause downtime :)) to re-generate the randomly generated
> session ticket key at startup. But let me be very clear about
> this: I'm not a security expert (far from that), nor do I have any deep
> knowledge of TLS, session resumption, etc. I just did some tests,
> and I'm not 100% sure what they mean.
Yes, a graceful reload is enough to generate a new session ticket key.
See http://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52248C40.7070206%40opensslfoundation.com%3E
This means that in the default configuration in wheezy, the session
ticket key is kept for one week. That is not optimal, but IMHO it is
not a severe problem either.
In 2.4.10-2, the log rotation has been changed from weekly to daily,
which gives some improvement.
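A way to verify the claim above on your own server, written for this note and not part of the bug report or of the apache2 package: capture a session ticket with openssl s_client, perform a graceful reload, and check whether the old ticket is still accepted. HOST, PORT and the right to run apache2ctl (root) are assumptions; the check is only executed when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Added example (not from the bug report): does a graceful reload
# invalidate previously issued TLS session tickets?
HOST="${HOST:-localhost}"   # assumption: server under test
PORT="${PORT:-443}"         # assumption: its TLS port

# Classify an `openssl s_client` transcript read from stdin.
# s_client prints "Reused, TLSv1.2, Cipher is ..." when a session was
# resumed and "New, TLSv1.2, Cipher is ..." on a full handshake.
classify_handshake() {
  if grep -q '^Reused,' ; then echo resumed; else echo full; fi
}

# Handshake with the server; -sess_out/-sess_in store and replay the
# session (including the ticket). TLS 1.2 is forced because there the
# ticket arrives inside the handshake, so closing stdin right away is safe.
handshake() {
  openssl s_client -connect "$HOST:$PORT" -tls1_2 "$@" </dev/null 2>/dev/null
}

# Expected result when the ticket key was regenerated by the reload:
# resumption works before the reload and fails after it.
check_ticket_rotation() {
  sess=$(mktemp)
  handshake -sess_out "$sess" >/dev/null
  before=$(handshake -sess_in "$sess" | classify_handshake)
  apache2ctl graceful
  sleep 2   # give the new parent config (and ticket key) time to apply
  after=$(handshake -sess_in "$sess" | classify_handshake)
  rm -f "$sess"
  echo "before reload: $before, after reload: $after"
  # Success (exit 0) only if the old ticket stopped being accepted.
  [ "$before" = resumed ] && [ "$after" = full ]
}

if [ "${1:-}" = run ]; then
  check_ticket_rotation
fi
```

If the second handshake still reports "resumed", the server kept the old ticket key across the reload and the tickets it issued remain decryptable for as long as that key lives.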