httpd-dev mailing list archives

From Faidon Liambotis <parav...@debian.org>
Subject Re: TLS forward secrecy, session tickets and mod_ssl/OpenSSL
Date Wed, 21 Aug 2013 11:30:08 GMT
On Wed, Aug 21, 2013 at 12:17:28PM +0100, Joe Orton wrote:
>I can't see we can or should do much here other than adding an option
>(yay) which globally disables session ticket, SSL_OP_NO_TICKET in the
>SSL_CTX, for the paranoid.
>
>It would be desirable (perhaps) if we could rotate keys faster than once
>the server lifetime, but this is shared state across the server so that
>is definitely non-trivial.

Unless I'm missing something, this can be mitigated externally to Apache
by using the SSLSessionTicketKeyFile option, rotating the file
periodically and reloading httpd, no?

Regards,
Faidon
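
The rotation described in the reply above, sketched as a shell function (an added example, not part of the original message and not code from httpd). The key file path passed in and the default reload command `apachectl graceful` are assumptions about the local install; the 48-byte size is what mod_ssl expects in the file named by SSLSessionTicketKeyFile.

```shell
#!/bin/sh
# Added example: replace the SSLSessionTicketKeyFile contents, then reload httpd.
# The key file path and the reload command are assumptions; adjust locally.

# rotate_ticket_key KEYFILE [RELOAD_CMD...]
# Writes a fresh 48-byte key beside KEYFILE, swaps it in atomically, then
# runs the reload command (default: apachectl graceful).
rotate_ticket_key() {
    keyfile=$1
    [ -n "$keyfile" ] || {
        echo "usage: rotate_ticket_key KEYFILE [RELOAD_CMD...]" >&2
        return 2
    }
    shift
    [ $# -gt 0 ] || set -- apachectl graceful

    # Create the temp file in the same directory so the final rename stays on
    # one filesystem. mktemp creates it readable by the owner only.
    dir=$(dirname -- "$keyfile")
    tmp=$(mktemp "$dir/.tkey.XXXXXX") || return 1

    # mod_ssl expects exactly 48 bytes of random data; verify the size so a
    # short read never becomes the live key.
    dd if=/dev/urandom of="$tmp" bs=48 count=1 2>/dev/null
    size=$(wc -c < "$tmp")
    if [ "$((size))" -ne 48 ]; then
        rm -f -- "$tmp"
        return 1
    fi

    # rename within one directory is atomic: httpd never reads a partial key.
    mv -f -- "$tmp" "$keyfile" || { rm -f -- "$tmp"; return 1; }

    # The new key takes effect only once httpd re-reads its configuration.
    "$@"
}
```

Run it from cron or a timer at the chosen interval. Tickets issued under the previous key stop resuming after the reload, and those clients fall back to a full handshake.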
