Florent Daigniere presented on this at Black Hat.
Paper: https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
Slides: https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
Short Summary: Use of session tickets (enabled by default in OpenSSL)
reduces effectiveness of TLS forward secrecy, because the keys used to
generate tickets survive for the lifetime of the httpd process. So if
you have access to the httpd process you can retrieve the keys used to
generate session tickets.
I can't see that we can or should do much here other than adding an option
(yay) which globally disables session tickets, SSL_OP_NO_TICKET in the
SSL_CTX, for the paranoid.
It would be desirable (perhaps) if we could rotate keys faster than once
per server lifetime, but this is shared state across the server so that
is definitely non-trivial.
Any opinions here?
Regards, Joe
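As an added illustration, not Joe's code and not httpd's own implementation, here is a small Python model of the ticket key rotation the message calls non-trivial. It keeps a ring of ticket keys: only the newest key issues tickets, older keys stay in the ring for a grace period so tickets still in flight can be unwrapped, and anything older is dropped, which is what bounds the window in which a key recovered from the process can decrypt past sessions. The ticket layout (key name, IV, ciphertext, MAC) follows the shape described in RFC 5077; the lifetime and grace values, the injectable clock, and the use of an HMAC-SHA256 counter-mode keystream in place of a block cipher are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct
import time
from collections import OrderedDict

# Ticket layout modelled on RFC 5077: key_name(16) | iv(16) | ciphertext | mac(32)
KEY_NAME_LEN = 16
IV_LEN = 16
MAC_LEN = 32


def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    # Illustrative PRF keystream (HMAC-SHA256 in counter mode); a real
    # implementation would use AES as RFC 5077 suggests.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(enc_key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class TicketKeyRing:
    """Rotating ring of session ticket keys.

    The newest key issues tickets. A key that is older than `lifetime`
    seconds is no longer used for issuing; it is kept for a further
    `grace` seconds so tickets issued just before rotation still resume,
    then dropped so a later key compromise cannot unwrap old tickets.
    """

    def __init__(self, lifetime: int, grace: int, now=time.time):
        self.lifetime = lifetime
        self.grace = grace
        self.now = now  # injectable clock (assumption, for testing)
        self.keys = OrderedDict()  # key_name -> (created, enc_key, mac_key)
        self.rotate()

    def rotate(self) -> bytes:
        name = os.urandom(KEY_NAME_LEN)
        self.keys[name] = (self.now(), os.urandom(32), os.urandom(32))
        self._expire()
        return name

    def _expire(self) -> None:
        cutoff = self.now() - (self.lifetime + self.grace)
        stale = [n for n, (created, _, _) in self.keys.items() if created < cutoff]
        for n in stale:
            del self.keys[n]

    def current(self) -> bytes:
        name = next(reversed(self.keys))
        created = self.keys[name][0]
        if self.now() - created >= self.lifetime:
            name = self.rotate()
        return name

    def wrap(self, state: bytes) -> bytes:
        """Issue a ticket protecting the session state under the newest key."""
        name = self.current()
        _, enc_key, mac_key = self.keys[name]
        iv = os.urandom(IV_LEN)
        ct = bytes(a ^ b for a, b in zip(state, _keystream(enc_key, iv, len(state))))
        body = name + iv + ct
        return body + hmac.new(mac_key, body, hashlib.sha256).digest()

    def unwrap(self, ticket: bytes):
        """Return the session state, or None (client must do a full handshake)."""
        self._expire()
        if len(ticket) < KEY_NAME_LEN + IV_LEN + MAC_LEN:
            return None
        entry = self.keys.get(ticket[:KEY_NAME_LEN])
        if entry is None:
            return None  # key rotated out of the ring
        _, enc_key, mac_key = entry
        body, mac = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
        if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), mac):
            return None  # tampered or wrong MAC key
        iv = body[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN]
        ct = body[KEY_NAME_LEN + IV_LEN:]
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, iv, len(ct))))
```

With a one-hour lifetime and ten-minute grace, a ticket issued at time T still resumes after the first rotation but not after T + lifetime + grace, which is the longest a key recovered from the process memory remains useful against sessions resumed through that key. The hard part the message points at is not this logic but distributing the ring (and the rotation itself) consistently across httpd's worker processes and across servers behind a load balancer.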