On Wed, Aug 21, 2013 at 12:17:28PM +0100, Joe Orton wrote:
> I can't see we can or should do much here other than adding an option
> (yay) which globally disables session ticket, SSL_OP_NO_TICKET in the
> SSL_CTX, for the paranoid.
>
> It would be desirable (perhaps) if we could rotate keys faster than once
> the server lifetime, but this is shared state across the server so that
> is definitely non-trivial.

Unless I'm missing something, this can be mitigated externally to Apache by using the SSLSessionTicketKeyFile option, rotating the file periodically and reloading httpd, no?

Regards,
Faidon
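
The rotation described in the reply above, as an added sketch that is not part of the original thread or the httpd project: it writes a fresh 48-byte key to the file named by SSLSessionTicketKeyFile and then reloads the server. The key path and the reload command (`apachectl -k graceful`) are assumptions to adapt to the local install.

```shell
#!/bin/sh
# Added example: rotate the mod_ssl session ticket key, then reload httpd.
# Assumptions: the key path matches the SSLSessionTicketKeyFile directive,
# and the reload command fits the local init system.

rotate_ticket_key() {
    keyfile=$1
    reload_cmd=${2:-"apachectl -k graceful"}
    dir=$(dirname "$keyfile")

    # Temp file in the same directory so the final mv is an atomic rename
    # and httpd never reads a half-written key.
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "$dir/.ticket.key.XXXXXX") || { umask "$old_umask"; return 1; }
    umask "$old_umask"

    # mod_ssl requires exactly 48 bytes of random data in the key file.
    if ! dd if=/dev/urandom of="$tmp" bs=48 count=1 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    size=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$size" -ne 48 ]; then
        rm -f "$tmp"; return 1
    fi

    chmod 600 "$tmp"
    mv -f "$tmp" "$keyfile" || { rm -f "$tmp"; return 1; }

    # Reload so the new key is picked up. Tickets sealed under the old key
    # can no longer be decrypted; those clients do a full handshake.
    $reload_cmd
}

# Run as: rotate-ticket-key.sh --run /path/to/ticket.key   (e.g. from cron)
if [ "${1:-}" = "--run" ]; then
    rotate_ticket_key "$2"
fi
```

The cron interval bounds how long a leaked ticket key can decrypt captured sessions, so it should be no longer than the exposure window you are willing to accept.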
