From: Joe Orton
To: dev@httpd.apache.org
Subject: TLS forward secrecy, session tickets and mod_ssl/OpenSSL
Date: Wed, 21 Aug 2013 12:17:28 +0100
Message-ID: <20130821111727.GA7331@redhat.com>

Florent Daigniere presented on this at Black Hat.

Paper: https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
Slides: https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf

Short Summary: Use of session tickets (enabled by default in OpenSSL) reduces effectiveness of TLS forward secrecy, because the keys used to generate tickets survive for the lifetime of the httpd process. So if you have access to the httpd process you can retrieve the keys used to generate session tickets.

I can't see we can or should do much here other than adding an option (yay) which globally disables session tickets, SSL_OP_NO_TICKET in the SSL_CTX, for the paranoid. It would be desirable (perhaps) if we could rotate keys faster than once per server lifetime, but this is shared state across the server so that is definitely non-trivial.

Any opinions here?

Regards,
Joe
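The two mitigations discussed in the post (disabling tickets outright, or rotating the ticket key faster than once per process lifetime) can be illustrated with a small model. The following is an added example, not code from httpd, mod_ssl or OpenSSL: it sets the `OP_NO_TICKET` option (Python's name for OpenSSL's `SSL_OP_NO_TICKET`) on a server `SSLContext`, and it models a ticket key ring with a bounded key lifetime to show how the window in which a stolen key can still unwrap old session secrets shrinks from "server lifetime" to "key lifetime". The ticket layout (key name, nonce, encrypted state, HMAC) follows the general shape of OpenSSL's ticket format, but the cipher is a SHA-256 keystream stand-in for AES-CBC chosen only to keep the example standard-library only; `TicketKeyRing`, `seal` and `open` are hypothetical names, not an API of any real library.

```python
"""Model of TLS session-ticket key rotation (added example, not httpd/OpenSSL
code). A ticket key that lives for the whole server lifetime lets anyone who
reads process memory later unwrap every ticket it ever issued; a key ring
with a bounded lifetime limits that exposure window."""
import hashlib
import hmac
import os
import ssl
import time


def context_without_tickets() -> ssl.SSLContext:
    """Server context with session tickets globally disabled (SSL_OP_NO_TICKET)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_TICKET
    return ctx


def tickets_disabled(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.options & ssl.OP_NO_TICKET)


def tickets_enabled_by_default() -> bool:
    """A fresh server context leaves tickets on, matching OpenSSL's default."""
    return not tickets_disabled(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (SHA-256 counter mode); NOT a production cipher.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TicketKey:
    def __init__(self, created: float):
        self.name = os.urandom(16)      # key_name carried in the ticket
        self.enc_key = os.urandom(32)   # wraps the session state
        self.mac_key = os.urandom(32)   # authenticates the ticket
        self.created = created


class TicketKeyRing:
    """Current key plus recently retired keys that may still open tickets.
    Keys older than `lifetime` are dropped, after which their tickets (and
    the session secrets inside them) are unrecoverable even to the server."""

    def __init__(self, rotate_every: float, lifetime: float, now=time.time):
        assert lifetime >= rotate_every
        self.rotate_every, self.lifetime, self.now = rotate_every, lifetime, now
        self.keys = [TicketKey(now())]

    def _rotate(self, t: float) -> None:
        self.keys = [k for k in self.keys if t - k.created < self.lifetime]
        if not self.keys or t - self.keys[0].created >= self.rotate_every:
            self.keys.insert(0, TicketKey(t))

    def seal(self, session_secret: bytes) -> bytes:
        self._rotate(self.now())
        key = self.keys[0]
        nonce = os.urandom(16)
        body = key.name + nonce + _keystream_xor(key.enc_key, nonce, session_secret)
        return body + hmac.new(key.mac_key, body, hashlib.sha256).digest()

    def open(self, ticket: bytes):
        """Return the wrapped secret, or None (unknown/retired key or bad MAC),
        in which case a real server would fall back to a full handshake."""
        self._rotate(self.now())
        name, body, tag = ticket[:16], ticket[:-32], ticket[-32:]
        for key in self.keys:
            if key.name == name:
                expect = hmac.new(key.mac_key, body, hashlib.sha256).digest()
                if not hmac.compare_digest(expect, tag):
                    return None
                return _keystream_xor(key.enc_key, ticket[16:32], ticket[32:-32])
        return None


def exposure_demo() -> dict:
    """Compare a process-lifetime key with a 2h-lifetime ring, on a fake clock."""
    clock = [1000.0]
    now = lambda: clock[0]
    secret = os.urandom(48)
    forever = TicketKeyRing(float("inf"), float("inf"), now)   # OpenSSL default
    bounded = TicketKeyRing(3600.0, 7200.0, now)               # rotate hourly
    t_forever, t_bounded = forever.seal(secret), bounded.seal(secret)
    fresh = bounded.open(t_bounded) == secret
    clock[0] += 365 * 86400                                    # a year later
    tampered = bytearray(t_bounded); tampered[20] ^= 1
    return {
        "bounded_open_when_fresh": fresh,
        "bounded_open_after_expiry": bounded.open(t_bounded),  # None: key gone
        "forever_open_after_a_year": forever.open(t_forever) == secret,
        "tampered_rejected": TicketKeyRing(3600.0, 7200.0, now).open(bytes(tampered)),
    }


if __name__ == "__main__":
    print("tickets disabled:", tickets_disabled(context_without_tickets()))
    print(exposure_demo())
```

The key ring is per process here; as the post notes, doing this in httpd means sharing and synchronising the ring across all worker processes, which is where the real difficulty lies. Disabling tickets trades that complexity for one extra round trip per resumed connection, since clients then fall back to server-side session caching or a full handshake.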