
Bug#972695: apache2: logrotate config should mention the importance for TLS of daily rotation



Package: apache2
Version: 2.4.46-1
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

When using TLS, SSLSessionTickets is enabled by default.

SSLSessionTickets need frequent server reloads for Perfect Forward Secrecy,
which in Debian is ensured through daily logrotation.

That long chain of logic is not obvious, however,
and a system administrator might find it sensible to adjust frequency
of logrotation without being aware of the security implications.

I strongly recommend adding a comment in the logrotate file
warning that if the server uses TLS, then the server should be reloaded
at least daily, either through logrotation or by other means.

<https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLSessionTickets>

 - Jonas

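The dependency described in this report, as an added example that is not part of the original message or of the Debian package: a shell audit that warns when session tickets may be in use and the logrotate file no longer rotates at least daily. The function names and sample files are hypothetical, and it assumes the reload in logrotate's postrotate script is the only scheduled reload.

```shell
#!/bin/sh
# Added example. Assumption: the logrotate postrotate reload is the only scheduled reload.

# Print the rotation frequency keyword of a logrotate file, or "unspecified".
rotation_frequency() {
    awk '{ sub(/#.*/, "") }
         NF == 1 && $1 ~ /^(hourly|daily|weekly|monthly|yearly)$/ { f = $1 }
         END { print (f == "" ? "unspecified" : f) }' "$1"
}

# Succeed if session tickets may be in use: mod_ssl enables them by default, so only
# a config that says "off" and never "on" counts as disabled (conservative, one file).
tickets_enabled() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "sslsessiontickets" { if (tolower($2) == "off") off = 1; else on = 1 }
         END { exit (off && !on) ? 1 : 0 }' "$1"
}

# audit_ticket_key_lifetime LOGROTATE_FILE APACHE_CONF: prints a verdict, returns 1 on warn.
audit_ticket_key_lifetime() {
    if ! tickets_enabled "$2"; then
        echo "ok: SSLSessionTickets off"; return 0
    fi
    freq=$(rotation_frequency "$1")
    case $freq in
        hourly|daily) echo "ok: reload via $freq rotation"; return 0 ;;
        *) echo "warn: rotation is $freq; reload at least daily by other means"; return 1 ;;
    esac
}

# Constructed sample inputs (not the files shipped in the Debian package).
demo=$(mktemp -d)
printf '%s\n' '/var/log/apache2/*.log {' '    weekly  # changed from daily' \
    '    postrotate' '        invoke-rc.d apache2 reload' '    endscript' '}' > "$demo/weekly"
sed 's/weekly.*/daily/' "$demo/weekly" > "$demo/daily"
printf '%s\n' 'SSLEngine on' > "$demo/tls.conf"
printf '%s\n' 'SSLEngine on' 'SSLSessionTickets off' > "$demo/tls-notickets.conf"

audit_ticket_key_lifetime "$demo/weekly" "$demo/tls.conf" || true
audit_ticket_key_lifetime "$demo/daily" "$demo/tls.conf"
audit_ticket_key_lifetime "$demo/weekly" "$demo/tls-notickets.conf"
```

A rotation frequency of "unspecified" is treated as a warning because the effective interval then comes from the global logrotate configuration, which this check does not read.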

