On 01/09/2013 12:36, Stefan Fritsch wrote:
> 
> From the httpd code it is not obvious to me, so I ask: Is the current 
> behavior to only generate the ticket key at server startup or is it 
> regenerated at every graceful restart? If the former, would 
> changing the behavior to the latter make sense? That would give a key 
> lifetime of 1 day for all setups that do logrotate with a graceful 
> restart.
> 

I've done some tests on my setup and a graceful restart does use new ticket
keys. This can be tested by connecting to the server using "openssl s_client"
e.g. "openssl s_client -connect www.myhost.com:443".

Among lots of other stuff you'll get this:

    TLS session ticket:
    0000 - 22 c5 f3 4b 01 7a 8b 5f-85 50 47 6f 3e 79 1a cb   "..K.z._.PGo>y..
    0010 - 20 41 77 b5 35 c7 68 52-c9 df 1c ab 16 49 cf b0    Aw.5.hR.....I..
    0020 - 40 e1 9c b0 cc f7 99 96-49 fe 00 93 10 36 13 5e   @.......I....6.^
    0030 - c9 4f b2 8e 17 b2 f9 b4-0e 9e 86 84 d2 aa 75 4c   .O............uL
    0040 - 56 50 3b c2 75 9f 89 fd-d9 31 6a 78 62 68 d4 f2   VP;.u....1jxbh..
    0050 - eb f5 b4 63 60 4c 74 3b-e9 37 c7 b8 b5 d7 ee 16   ...c`Lt;.7......
    0060 - c9 02 af 24 12 6c 57 4e-65 cb 5e 99 60 cf 7d b4   ...$.lWNe.^.`.}.
    0070 - 1c 36 1e 53 3c f8 2b c2-7e 65 67 75 58 e3 20 d4   .6.S<.+.~eguX. .
    0080 - b4 3e 14 48 99 1e 0c e5-c8 9d 4b a3 c1 78 bc 61   .>.H......K..x.a
    0090 - 25 c3 ac af e5 2c 90 bc-de a7 95 51 d0 f9 31 36   %....,.....Q..16
    00a0 - 08 63 b6 41 c0 b3 09 29-2c 6a 2f bd fc c7 b6 12   .c.A...),j/.....
    00b0 - 85 77 2f f5 8e 07 27 f9-c4 f4 9f d8 7b 0b 9b cf   .w/...'.....{...

The first 0x10 bytes of the ticket are a key identifier value which is generated
randomly when ticket keys are created. So if you make several connections to the
same server you'll get those same 0x10 bytes at the start.

If you then perform a graceful restart and connect again those 0x10 bytes should
be different.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
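One way to automate the check Steve describes, as an added example that is not part of the thread: parse the "TLS session ticket:" hex dump from two `openssl s_client` captures, take the first 0x10 bytes as the key identifier (the key_name field of RFC 5077), and report whether it changed between the captures. The captures embedded below are constructed and abbreviated.

```python
"""Check whether a server rotated its TLS session ticket keys by comparing the
key_name of tickets from two "openssl s_client" captures.
Added example, not code from the thread; the captures below are constructed."""
import re

# One hex-dump row: "0000 - 22 c5 ... 1a cb   <ascii>"; the last row may be short.
_ROW = re.compile(r"^\s*([0-9a-f]{4}) - ((?:[0-9a-f]{2}[ -]){0,15}[0-9a-f]{2})")
KEY_NAME_LEN = 16  # RFC 5077 key_name: the first 0x10 bytes of the ticket

def extract_ticket(s_client_output: str) -> bytes:
    """Return the raw ticket bytes from the "TLS session ticket:" hex dump."""
    ticket = bytearray()
    in_dump = False
    for line in s_client_output.splitlines():
        if line.strip() == "TLS session ticket:":
            in_dump = True
            continue
        if not in_dump:
            continue
        m = _ROW.match(line)
        if not m:
            break  # first non-dump line ends the ticket
        if int(m.group(1), 16) != len(ticket):
            raise ValueError("hex dump offsets are not contiguous")
        ticket += bytes.fromhex(m.group(2).replace("-", " "))
    if len(ticket) < KEY_NAME_LEN:
        raise ValueError("no TLS session ticket in s_client output")
    return bytes(ticket)

def key_name(ticket: bytes) -> bytes:
    # Same for every connection until the server regenerates its ticket keys.
    return ticket[:KEY_NAME_LEN]

def keys_rotated(before: str, after: str) -> bool:
    """True if the two captures were protected by different ticket keys."""
    return key_name(extract_ticket(before)) != key_name(extract_ticket(after))

# Constructed, abbreviated captures from one server before/after a graceful restart.
BEFORE_RESTART = """\
    TLS session ticket:
    0000 - 22 c5 f3 4b 01 7a 8b 5f-85 50 47 6f 3e 79 1a cb   "..K.z._.PGo>y..
    0010 - 20 41 77 b5 35 c7 68 52-c9 df 1c ab 16 49 cf b0    Aw.5.hR.....I..
    0020 - 40 e1 9c b0 cc f7 99 96-49 fe                      @.......I.
    Start Time: 1378032960
"""
AFTER_RESTART = BEFORE_RESTART.replace(  # only the key_name row differs
    "22 c5 f3 4b 01 7a 8b 5f-85 50 47 6f 3e 79 1a cb",
    "9d 0e 41 c3 77 2a 5b 80-13 f6 ae 44 c0 d9 6e 17")
```

Feed it the saved output of two s_client runs made before and after the restart; an unchanged key_name means the ticket keys were not regenerated.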