> -----Original Message-----
> From: Joe Orton
> Sent: Wednesday, 21 August 2013 13:17
> To: [email protected]
> Subject: TLS forward secrecy, session tickets and mod_ssl/OpenSSL
>
> Short Summary: Use of session tickets (enabled by default in OpenSSL)
> reduces effectiveness of TLS forward secrecy, because the keys used to
> generate tickets survive for the lifetime of the httpd process. So if
> you have access to the httpd process you can retrieve the keys used to
> generate session tickets.
>
> I can't see we can or should do much here other than adding an option
> (yay) which globally disables session tickets, SSL_OP_NO_TICKET in the
> SSL_CTX, for the paranoid.
+1, to be able to disable it by a directive at least until something better is in place.

Regards

Rüdiger
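As an added example (not part of this thread or of httpd/OpenSSL), a small Python check for the situation Joe's summary describes: it parses the SSL-Session block that `openssl s_client` prints and reports whether a server that negotiated an (EC)DHE suite is also issuing session tickets, whose key lives as long as the httpd process. Both SSL-Session samples are constructed, not captured.

```python
import re
# Constructed `openssl s_client` SSL-Session excerpts (not real captures).
# Server A negotiates an ECDHE suite but also hands the client a session ticket.
SESSION_WITH_TICKET = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8c 4a 12 ff 00 11 22 33-44 55 66 77 88 99 aa bb   .J....."3DUfw...
    0010 - cc dd ee ff 01 02 03 04-05 06 07 08 09 0a 0b 0c   ................

    Start Time: 1377083820
"""
# Server B runs with SSL_OP_NO_TICKET, so resumption relies on a server-side session ID only.
SESSION_NO_TICKET = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 3F9A0C12B4E7D8A1
"""

def parse_session(output: str) -> dict:
    """Extract cipher and session-ticket facts from an s_client SSL-Session block."""
    cipher_m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    cipher = cipher_m.group(1) if cipher_m else ""
    hint_m = re.search(r"TLS session ticket lifetime hint:\s*(\d+)", output)
    ticket_len, in_ticket = 0, False
    for line in output.splitlines():
        if line.strip() == "TLS session ticket:":
            in_ticket = True
            continue
        if in_ticket:
            m = re.match(r"\s*[0-9a-f]{4} - (.*)", line)
            if not m:
                break  # the blank line after the hex dump ends the ticket
            # the first 47 chars hold 16 hex bytes; the ASCII column after them is ignored
            ticket_len += len(re.findall(r"\b[0-9a-f]{2}\b", m.group(1)[:47]))
    return {"cipher": cipher,
            "forward_secret": cipher.startswith(("ECDHE-", "DHE-")),
            "ticket_issued": ticket_len > 0, "ticket_len": ticket_len,
            "lifetime_hint": int(hint_m.group(1)) if hint_m else None}

def assess(session: dict) -> str:
    """Classify the ticket's effect on forward secrecy, following the thread's argument."""
    if not session["ticket_issued"]:
        return "no-ticket"     # resumption state lives only in the server's session cache
    if session["forward_secret"]:
        return "fs-weakened"   # (EC)DHE handshake, but the ticket key outlives the session
    return "no-fs"             # static RSA key exchange is not forward secret to begin with
```

Run against real `openssl s_client -connect host:443` output, "fs-weakened" is the case the thread is about: a forward-secret handshake whose resumption secret is wrapped under a long-lived ticket key.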
