Date: Wed, 04 Feb 2015 17:55:34 +0100
From: Florent Daigniere <>
Subject: Re: Apache 2.4 mod_ssl SSLSessionTickets -- others

On Wed, 2015-02-04 at 10:35 -0600, Mark Felder wrote:
> From the 2.4.12 changelog:
>   *) mod_ssl: New directive SSLSessionTickets (On|Off).
>      The directive controls the use of TLS session tickets (RFC 5077),
>      default value is "On" (unchanged behavior).
>      Session ticket creation uses a random key created during web
>      server startup and recreated during restarts. No other key
>      recreation mechanism is available currently. Therefore using
>      session tickets without restarting the web server with an
>      appropriate frequency (e.g. daily) compromises perfect forward
>      secrecy. [Rainer Jung]
> So if you use Apache 2.4 and care about PFS protecting your data, you
> should turn this feature off. This appears to be an implementation issue
> because there is no other way for Apache to recreate keys. I don't know
> a lot about the fine details of Session Tickets, but can anyone care to
> comment if there are other known bad implementations of session tickets
> out there? Does this affect Apache 2.2? Nginx? Lighttpd?
> Thanks
>
> I find it bizarre that a known security weakness like this is left
> "on" by default...

You're right, it's "bizarre".

I tried to make some noise about it two years ago [1] ...

IMHO it's OpenSSL's default that should be changed. The server
implementation shouldn't give a ticket if it's picked a PFS enabled
cipher (or a cipher which aims at providing better security than
AES128-CBC) unless explicitly told to do so (the case where there is
more than one server).

Apache HTTPd's new setting (SSLSessionTicketKeyFile), allowing you to
set the ticket key is *DANGEROUS* as documented [1]. It encourages users
explicitly to store the key on a forensically carvable medium...
"The ticket key file contains sensitive keying material and should be
protected with file permissions similar to those used for
Which is exactly what you shouldn't do!
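The forward-secrecy point made in both messages above (a ticket sealed under a key that lives until the next restart can be opened later, and with it the recorded traffic) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from Apache httpd or from OpenSSL. It is a deliberately simplified model: the server's ticket encryption is stood in for by an HMAC-SHA256 counter-mode keystream plus an HMAC tag (a real RFC 5077 ticket uses AES-CBC with HMAC and carries the whole session state), the "application data" is bytes XORed with a keystream derived from the per-handshake secret, and the names `TicketServer`, `record_session`, `recover_plaintext` and `run_scenarios` are this example's own. The property it exercises is the real one: without `SSLSessionTickets Off` or a restart that replaces the key, a passive recording plus later disclosure of the ticket key yields the plaintext.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream, enough for this model."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ticket_encrypt(ticket_key: bytes, session_secret: bytes) -> bytes:
    """Model of the server sealing session state into a ticket: encrypt, then MAC."""
    nonce = os.urandom(16)
    body = _xor(session_secret, _keystream(ticket_key, b"ticket" + nonce, len(session_secret)))
    tag = hmac.new(ticket_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def ticket_decrypt(ticket_key: bytes, ticket: bytes):
    """Return the session secret, or None if this key does not verify the ticket."""
    nonce, body, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    expected = hmac.new(ticket_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(body, _keystream(ticket_key, b"ticket" + nonce, len(body)))


class TicketServer:
    """Stand-in for mod_ssl as described in the changelog: one random ticket key
    made at startup and replaced only when the server restarts (hypothetical class)."""

    def __init__(self, session_tickets: bool = True):
        self.session_tickets = session_tickets
        self.ticket_key = os.urandom(32)

    def restart(self) -> None:
        self.ticket_key = os.urandom(32)

    def handshake(self):
        # The per-connection secret stands in for the (EC)DHE-derived master secret.
        secret = os.urandom(32)
        ticket = ticket_encrypt(self.ticket_key, secret) if self.session_tickets else None
        return secret, ticket


def record_session(server: TicketServer, plaintext: bytes):
    """What a passive recorder keeps: the ticket (sent in the clear) and the encrypted traffic."""
    secret, ticket = server.handshake()
    ciphertext = _xor(plaintext, _keystream(secret, b"app-data", len(plaintext)))
    return ticket, ciphertext


def recover_plaintext(ticket_key: bytes, ticket, ciphertext: bytes):
    """Later key disclosure: open the ticket, then the traffic. None means forward secrecy held."""
    if ticket is None:
        return None
    secret = ticket_decrypt(ticket_key, ticket)
    if secret is None:
        return None
    return _xor(ciphertext, _keystream(secret, b"app-data", len(ciphertext)))


def run_scenarios(plaintext: bytes = b"constructed sample: GET /account HTTP/1.1") -> dict:
    """Same recording and same later key disclosure under three deployments.
    True means the recorded traffic came back as plaintext."""
    results = {}

    # 1. Tickets on, key never rotated: the recording is decryptable.
    srv = TicketServer(session_tickets=True)
    ticket, ct = record_session(srv, plaintext)
    results["tickets_on_no_restart"] = recover_plaintext(srv.ticket_key, ticket, ct) == plaintext

    # 2. Tickets on, but the server restarted (fresh key) before the key was disclosed.
    srv = TicketServer(session_tickets=True)
    ticket, ct = record_session(srv, plaintext)
    srv.restart()
    results["tickets_on_restarted"] = recover_plaintext(srv.ticket_key, ticket, ct) == plaintext

    # 3. SSLSessionTickets Off: nothing on the wire to open.
    srv = TicketServer(session_tickets=False)
    ticket, ct = record_session(srv, plaintext)
    results["tickets_off"] = recover_plaintext(srv.ticket_key, ticket, ct) == plaintext

    return results


if __name__ == "__main__":
    for name, exposed in run_scenarios().items():
        print(f"{name}: {'traffic recovered' if exposed else 'forward secrecy held'}")
```

Scenario 2 is the changelog's mitigation (restart often enough that the key used for any given ticket is gone before it can leak); scenario 3 is the one recommended in the first message. Note that the model reflects only the key-lifetime issue the thread is about: a key file on disk, as the `SSLSessionTicketKeyFile` quote describes, is a separate way for the same key to outlive the restarts.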
