httpd-dev mailing list archives

From Yann Ylavic <>
Subject Re: TLS session ticket key (shared) renewal
Date Fri, 18 Mar 2016 16:54:03 GMT
On Fri, Mar 18, 2016 at 4:20 PM, Ruediger Pluem <> wrote:
> On 03/18/2016 04:09 PM, Rainer Jung wrote:
>> Any idea about a scheme how to renew the keys between nodes in a farm in a
>> synced way? Finding a common point in time to renew would not be the problem
>> (assuming synced clocks), but how to regenerate keys deterministically
>> starting from one common secret (the SSLSessionTicketKeyFile) without ending
>> with keys which are too
> My idea would be at high level to leverage approaches that are used for one time passwords
> But I need to admit that I don't know how feasible that is at all and how
> usable these approaches are for generating a (strong) key.

Maybe something like the following could work, and maybe also it could
be secure (any contradictory opinion is of course very welcome :)

Say each instance starts with the same configured passphrase and salt
(same too, but random and large enough, say 128-bit).

At startup we generate a master key (MK) from this passphrase/salt
(using PBKDF2, maybe with some reasonable #iterations), and we'll use a
derived key (DK) for session tickets.

To derive the MK into DKs (at startup or when the current DK
times out), let's again run PBKDF2 but now with the current time as salt
(and a single iteration).

This scheme makes the DK deterministic at any time, hence provided
clocks are synchronized, each httpd instance should use the same key.

Since session tickets also need a HMAC key, we would do the same for
it (from another passphrase and salt).

I may be opportunistic about the security of this scheme, though,
please experts ring the bell :p
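
The derivation described in the message above, as an added example (not code from the original post or from httpd). The iteration count, SHA-256, the one-hour rotation interval, quantizing "current time" to a window index, the key length, and keeping the previous window's keys across rollover are all assumptions made for illustration; the passphrases and salts are constructed sample values.

```python
import hashlib
import struct

MK_ITERATIONS = 100_000   # assumed; the message only says "reasonable"
ROTATION_SECONDS = 3600   # assumed DK lifetime (renewal interval)
KEY_LEN = 16              # assumed 128-bit ticket keys


def master_key(passphrase: bytes, salt: bytes) -> bytes:
    """MK: computed once at startup from the shared passphrase and salt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, MK_ITERATIONS, 32)


def window(now: float) -> int:
    """Quantize the clock so every node in the farm uses the same salt."""
    return int(now) // ROTATION_SECONDS


def derived_key(mk: bytes, win: int) -> bytes:
    """DK: PBKDF2 over MK, time window as salt, single iteration."""
    return hashlib.pbkdf2_hmac("sha256", mk, struct.pack(">Q", win), 1, KEY_LEN)


def ticket_keys(enc_mk: bytes, mac_mk: bytes, now: float) -> dict:
    """Map window -> (encryption DK, HMAC DK) held by a node at `now`.

    The current window is used to issue tickets; the previous one is kept
    (an assumption) so tickets issued just before rollover, or by a node
    whose clock is slightly behind, still decrypt.
    """
    win = window(now)
    return {
        w: (derived_key(enc_mk, w), derived_key(mac_mk, w))
        for w in (win, win - 1)
    }


# Constructed sample secrets: separate passphrase/salt for the HMAC key,
# as the message suggests.
ENC_MK = master_key(b"constructed-enc-passphrase", bytes(range(16)))
MAC_MK = master_key(b"constructed-mac-passphrase", bytes(range(16, 32)))
NOW = 1_458_320_043  # constructed timestamp
```
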

