httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: TLS forward secrecy, session tickets and mod_ssl/OpenSSL
Date Sun, 01 Sep 2013 12:58:08 GMT
On 01/09/2013 12:36, Stefan Fritsch wrote:
> Am Mittwoch, 21. August 2013, 12:37:53 schrieb Dr Stephen Henson:
>>> It would be desirable (perhaps) if we could rotate keys faster
>>> than once the server lifetime, but this is shared state across
>>> the server so that is definitely non-trivial.
>>>
>>>
>>
>> Yes you'd need a shared cache if the key couldn't be found locally
>> and renew it periodically. A bit like how OCSP stapling works IIRC.
> 
> From the httpd code it is not obvious to me, so I ask: Is the current 
> behavior to only generate the ticket key at server startup or is it 
> regenerated at every graceful restart? If the former, would 
> changing the behavior to the latter make sense? That would give a key 
> lifetime of 1 day for all setups that do logrotate with a graceful 
> restart.
> 
> 

By default OpenSSL will create one set of ticket keys per SSL_CTX, though they
can be set or read by API calls. So if a graceful restart frees up and
reallocates the SSL_CTX structure then you'll get new keys. I'm not sure it does.

If SSLSessionTicketKeyFile is set then that is used instead though.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
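The rotation scheme discussed in this thread (a bounded ticket-key lifetime, with older keys still honoured for a while so resumption keeps working), as an added illustration that is not httpd or OpenSSL code: a hypothetical key ring that names each key the way OpenSSL's ticket callback does and mirrors its 0/1/2 return convention. The payload encryption step of a real ticket is deliberately left out; only the key lookup, lifetime and integrity bookkeeping is modelled, and KEY_LIFETIME of one day is an assumption taken from the graceful-restart cadence mentioned above.

```python
import hashlib
import hmac
import os

# Assumed lifetime: one day, matching a daily logrotate + graceful restart.
KEY_LIFETIME = 24 * 3600


class TicketKeyRing:
    """Hypothetical ticket-key ring. Each key has a 16-byte name that is
    stored in the ticket so the server can find the key that sealed it.
    Keys past KEY_LIFETIME are refused, which forces a full handshake and
    bounds how long a stolen ticket key exposes resumed sessions."""

    def __init__(self, now):
        self.keys = {}       # key_name -> (secret, created_at)
        self.current = None
        self.rotate(now)

    def rotate(self, now):
        """Install a fresh current key (what a new SSL_CTX effectively does)
        and drop keys that have outlived KEY_LIFETIME."""
        name = os.urandom(16)
        self.keys[name] = (os.urandom(32), now)
        self.current = name
        self.keys = {n: v for n, v in self.keys.items()
                     if now - v[1] < KEY_LIFETIME}

    def seal(self, state):
        """ticket = key_name || state || HMAC(state). In a real ticket the
        state would be encrypted before being authenticated."""
        secret, _ = self.keys[self.current]
        tag = hmac.new(secret, state, hashlib.sha256).digest()
        return self.current + state + tag

    def open(self, ticket, now):
        """Return (status, state) using OpenSSL's callback convention:
        0 = reject (full handshake), 1 = accept, 2 = accept but reissue the
        ticket under the current key because this one is about to retire."""
        name, body, tag = ticket[:16], ticket[16:-32], ticket[-32:]
        entry = self.keys.get(name)
        if entry is None or now - entry[1] >= KEY_LIFETIME:
            return 0, None
        expected = hmac.new(entry[0], body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return 0, None
        return (1 if name == self.current else 2), body
```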
