httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: TLS forward secrecy, session tickets and mod_ssl/OpenSSL
Date Sun, 01 Sep 2013 12:58:08 GMT
On 01/09/2013 12:36, Stefan Fritsch wrote:
> Am Mittwoch, 21. August 2013, 12:37:53 schrieb Dr Stephen Henson:
>>> It would be desirable (perhaps) if we could rotate keys faster
>>> than once the server lifetime, but this is shared state across
>>> the server so that is definitely non-trivial.
>> Yes you'd need a shared cache if the key couldn't be found locally
>> and renew it periodically. A bit like how OCSP stapling works IIRC.
> From the httpd code it is not obvious to me, so I ask: Is the current 
> behavior to only generate the ticket key at server startup or is it 
> regenerated at every graceful restart? If the former, would 
> changing the behavior to the latter make sense? That would give a key 
> lifetime of 1 day for all setups that do logrotate with a graceful 
> restart.

By default OpenSSL will create one set of ticket keys per SSL_CTX, though they
can be set or read by API calls. So if a graceful restart frees up and
reallocates the SSL_CTX structure then you'll get new keys. I'm not sure it does.

If SSLSessionTicketKeyFile is set then that is used instead though.

Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
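The rotation scheme the two messages sketch (one key per SSL_CTX lifetime, or a key loaded from SSLSessionTicketKeyFile, with older keys kept so outstanding tickets still decrypt), written out as an added example. This is not httpd or OpenSSL code. Assumed here: the ticket layout key name (16 bytes) | IV (16) | ciphertext | HMAC-SHA256 tag, loosely modelled on OpenSSL's default; httpd's 48-byte SSLSessionTicketKeyFile layout (16-byte key name, 16-byte cipher key, 16-byte HMAC key); and an HMAC-SHA256 counter-mode keystream standing in for the AES-128-CBC cipher so the script needs nothing beyond the standard library. The names `TicketKey`, `TicketKeyRing` and the `renew` flag are this example's own.

```python
"""Rotating TLS session-ticket key ring (added example, not httpd/OpenSSL code).

A 16-byte key name prefixed to each ticket says which key encrypted it.
Several keys are retained so that tickets issued before a rotation are
still accepted, and a ticket decrypted under an older key is flagged
for re-issue under the current key (the behaviour OpenSSL's ticket key
callback signals by returning 2).  The cipher is an HMAC-SHA256
keystream (assumption: stands in for AES-128-CBC to stay dependency-free).
"""
import hashlib
import hmac
import os
import struct
import time

KEY_NAME_LEN = 16
KEY_LEN = 16
IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 digest


class TicketKey:
    """One ticket key: name, cipher key, HMAC key, creation time."""

    def __init__(self, name, enc_key, mac_key, created):
        self.name, self.enc_key, self.mac_key, self.created = name, enc_key, mac_key, created

    @classmethod
    def generate(cls, now):
        return cls(os.urandom(KEY_NAME_LEN), os.urandom(KEY_LEN), os.urandom(KEY_LEN), now)

    @classmethod
    def from_file_bytes(cls, data, now):
        """Assumed httpd SSLSessionTicketKeyFile layout: 48 bytes = name|cipher key|HMAC key."""
        if len(data) != KEY_NAME_LEN + 2 * KEY_LEN:
            raise ValueError("ticket key file must be exactly 48 bytes")
        return cls(data[:16], data[16:32], data[32:48], now)


def _keystream(key, iv, length):
    """HMAC-SHA256 in counter mode; assumption: stand-in for the real block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class TicketKeyRing:
    """Current key plus older keys, each kept for `lifetime_s` after creation."""

    def __init__(self, lifetime_s, now=time.time):
        self.lifetime = lifetime_s
        self.now = now          # injectable clock so rotation can be tested
        self.keys = []          # newest first
        self.rotate()

    def rotate(self, key=None):
        """Install a fresh key (or one loaded from a file) and expire old ones."""
        t = self.now()
        new = key if key is not None else TicketKey.generate(t)
        self.keys = [new] + [k for k in self.keys if t - k.created < self.lifetime]

    @property
    def current(self):
        return self.keys[0]

    def _lookup(self, name):
        return next((k for k in self.keys if k.name == name), None)

    def encrypt(self, state):
        """Issue a ticket for `state` under the current key."""
        k, iv = self.current, os.urandom(IV_LEN)
        body = k.name + iv + _xor(state, _keystream(k.enc_key, iv, len(state)))
        return body + hmac.new(k.mac_key, body, hashlib.sha256).digest()

    def decrypt(self, ticket):
        """Return (state, renew) or None when the server must fall back to a full handshake."""
        if len(ticket) < KEY_NAME_LEN + IV_LEN + TAG_LEN:
            return None
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        k = self._lookup(body[:KEY_NAME_LEN])
        if k is None:  # key name unknown: key rotated out (or another server's key)
            return None
        if not hmac.compare_digest(tag, hmac.new(k.mac_key, body, hashlib.sha256).digest()):
            return None  # tampered or truncated ticket
        iv, ct = body[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN], body[KEY_NAME_LEN + IV_LEN:]
        state = _xor(ct, _keystream(k.enc_key, iv, len(ct)))
        return state, k is not self.current  # renew when an older key was used
```

Key expiry here is decided by the ring, not by the SSL_CTX lifetime: rotating daily at the graceful restart only helps forward secrecy if the previous key is dropped after its lifetime rather than kept indefinitely, which is why `rotate()` filters the old keys on every call. If several servers share a `SSLSessionTicketKeyFile`, `rotate(TicketKey.from_file_bytes(...))` is the path that installs the shared key so the key name resolves on all of them.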
