httpd-dev mailing list archives
From Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com>
Subject RE: TLS forward secrecy, session tickets and mod_ssl/OpenSSL
Date Wed, 21 Aug 2013 11:22:52 GMT


> -----Original Message-----
> From: Joe Orton
> Sent: Wednesday, 21 August 2013 13:17
> To: dev@httpd.apache.org
> Subject: TLS forward secrecy, session tickets and mod_ssl/OpenSSL
> 
> Short Summary: Use of session tickets (enabled by default in OpenSSL)
> reduces effectiveness of TLS forward secrecy, because the keys used to
> generate tickets survive for the lifetime of the httpd process.  So if
> you have access to the httpd process you can retrieve the keys used to
> generate session tickets.
> 
> I can't see we can or should do much here other than adding an option
> (yay) which globally disables session tickets, SSL_OP_NO_TICKET in the
> SSL_CTX, for the paranoid.

+1, to be able to disable it by a directive at least until something better is in place.

Regards

Rüdiger
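The following is an added illustration of the point Joe raises in the quoted message; it is not code from this thread, from mod_ssl or from OpenSSL. It models a session ticket as the session's master secret encrypted under a ticket key that is generated once and kept for the lifetime of the server process, then shows that whoever extracts that key later can open every ticket recorded on the wire, which is exactly why tickets undercut the forward secrecy the ephemeral key exchange was meant to provide. The ticket construction (HMAC-SHA256 counter keystream plus HMAC tag) is a stand-in chosen so the script runs with the Python standard library only; real tickets use a block cipher plus MAC, but the key-lifetime problem is the same. The mitigation function sets the flag the message proposes, SSL_OP_NO_TICKET, which Python exposes on an SSLContext as ssl.OP_NO_TICKET. All function names, constants and sample secrets below are constructed for this example.

```python
"""Model of the forward-secrecy problem with TLS session tickets.

Added example, not mod_ssl or OpenSSL code.  A ticket here is the master
secret encrypted under a process-lifetime ticket key; the HMAC-based cipher is
a stand-in so only the standard library is needed.
"""
import hashlib
import hmac
import os
import ssl
from typing import List, Optional

NONCE_LEN = 16   # constructed ticket layout: nonce || body || tag
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def issue_ticket(ticket_key: bytes, master_secret: bytes) -> bytes:
    """Server side at the end of a handshake: wrap the session state in a ticket."""
    nonce = os.urandom(NONCE_LEN)
    body = _xor(master_secret, _keystream(ticket_key, nonce, len(master_secret)))
    tag = hmac.new(ticket_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_ticket(ticket_key: bytes, ticket: bytes) -> Optional[bytes]:
    """Recover the master secret from a ticket; None if the tag does not verify.

    The server does this on resumption.  An attacker who has pulled the ticket
    key out of the process does exactly the same thing, long after the session
    ended, to any ticket captured from the wire.
    """
    if len(ticket) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = ticket[:NONCE_LEN], ticket[NONCE_LEN:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(ticket_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(body, _keystream(ticket_key, nonce, len(body)))


def recover_past_sessions(ticket_key: bytes, captured_tickets: List[bytes]) -> List[bytes]:
    """The attack: one process-lifetime key opens every captured ticket, and the
    master secret inside is enough to decrypt that session's recorded traffic."""
    secrets = []
    for ticket in captured_tickets:
        secret = open_ticket(ticket_key, ticket)
        if secret is not None:
            secrets.append(secret)
    return secrets


def server_context(session_tickets: bool) -> ssl.SSLContext:
    """Build a server SSLContext; session_tickets=False sets OP_NO_TICKET, the
    per-SSL_CTX switch the message proposes exposing as an httpd directive."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if session_tickets:
        ctx.options = int(ctx.options) & ~int(ssl.OP_NO_TICKET)
    else:
        ctx.options |= ssl.OP_NO_TICKET
    return ctx


def tickets_enabled(ctx: ssl.SSLContext) -> bool:
    return not (ctx.options & ssl.OP_NO_TICKET)


if __name__ == "__main__":
    ticket_key = os.urandom(32)                        # lives as long as the process
    past_secrets = [os.urandom(48) for _ in range(3)]  # constructed sample sessions
    wire = [issue_ticket(ticket_key, s) for s in past_secrets]
    # Key extracted from the process later: every old session falls.
    print(recover_past_sessions(ticket_key, wire) == past_secrets)
    print(tickets_enabled(server_context(session_tickets=False)))
```

With tickets disabled the server keeps no long-lived secret that can unwrap old sessions, which is the trade-off behind the proposed directive: resumption then depends on the server-side session cache instead of on a key that survives as long as the httpd process.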