On Τετάρτη, 11 Μαρτίου 2020 9:10:56 Π.Μ. CET Lukas Tribus wrote:
> Hello,
>
> On Wed, 11 Mar 2020 at 08:32, Илья Шипицин wrote:
> >> On 09.03.20 20:37, Lukas Tribus wrote:
> >> >> I think the wording from the patch is still quite relaxed :). One of
> >> >> the best
> >> >> summaries describing t
On Wed, Mar 11, 2020 at 09:10:56AM +0100, Lukas Tribus wrote:
> As for automatic key rotation features, I'm not aware of anyone doing
> this by default, expect some niche projects (Caddy I believe does
> this). Not nginx, not Apache. These are features that someone has to
> actually develop.
And i
Hello,
On Wed, 11 Mar 2020 at 08:32, Илья Шипицин wrote:
>> On 09.03.20 20:37, Lukas Tribus wrote:
>> >> I think the wording from the patch is still quite relaxed :). One of the
>> >> best
>> >> summaries describing the session ticket flaws, which I recommend is this:
>> >> https://blog.filippo.
ср, 11 мар. 2020 г. в 04:09, Björn Jacke :
> On 09.03.20 20:37, Lukas Tribus wrote:
> >> I think the wording from the patch is still quite relaxed :). One of
> the best
> >> summaries describing the session ticket flaws, which I recommend is
> this:
> >> https://blog.filippo.io/we-need-to-talk-abo
On Wed, Mar 11, 2020 at 12:06:45AM +0100, Björn Jacke wrote:
> On 09.03.20 20:37, Lukas Tribus wrote:
> >> I think the wording from the patch is still quite relaxed :). One of the
> >> best
> >> summaries describing the session ticket flaws, which I recommend is this:
> >> https://blog.filippo.io/
On 09.03.20 20:37, Lukas Tribus wrote:
>> I think the wording from the patch is still quite relaxed :). One of the best
>> summaries describing the session ticket flaws, which I recommend is this:
>> https://blog.filippo.io/we-need-to-talk-about-session-tickets/
> Nothing about this is a MITM attac
Hello,
On Tue, 10 Mar 2020 at 07:36, Илья Шипицин wrote:
>> > if you specify, your security team will tell you that "it is not secure".
>> > if you do not specify, keys are generated on startup and it lead to huge
>> > CPU spike on app reload (if you apply new config, app is reloaded and keys
вт, 10 мар. 2020 г. в 05:37, Lukas Tribus :
> Hello,
>
>
> On Mon, 9 Mar 2020 at 20:39, Илья Шипицин wrote:
> >> I would disable session tickets by default in haproxy. Given that most
> >> clients support TLS 1.3 already this change would not even slow down
> many
> >> clients.
> >
> >
> > TLS ti
Hello,
On Mon, 9 Mar 2020 at 20:39, Илья Шипицин wrote:
>> I would disable session tickets by default in haproxy. Given that most
>> clients support TLS 1.3 already this change would not even slow down many
>> clients.
>
>
> TLS tickets really require more love :)
>
> actually, there are two bad
пн, 9 мар. 2020 г. в 23:21, Björn Jacke :
> On 2020-03-09 at 17:44 +0100 Lukas Tribus sent off:
> > Perhaps we can relax the wording a bit here and describe the actual
> > technical issue along with some recommendations. Apache for example
> > documents [1]:
>
> I think the wording from the patch
On Mon, 9 Mar 2020 at 19:18, Björn Jacke wrote:
>
> On 2020-03-09 at 17:44 +0100 Lukas Tribus sent off:
> > Perhaps we can relax the wording a bit here and describe the actual
> > technical issue along with some recommendations. Apache for example
> > documents [1]:
>
> I think the wording from th
пн, 9 мар. 2020 г. в 23:59, Willy Tarreau :
> On Mon, Mar 09, 2020 at 07:18:23PM +0100, Björn Jacke wrote:
> > On 2020-03-09 at 17:44 +0100 Lukas Tribus sent off:
> > > Perhaps we can relax the wording a bit here and describe the actual
> > > technical issue along with some recommendations. Apache
On Mon, Mar 09, 2020 at 07:18:23PM +0100, Björn Jacke wrote:
> On 2020-03-09 at 17:44 +0100 Lukas Tribus sent off:
> > Perhaps we can relax the wording a bit here and describe the actual
> > technical issue along with some recommendations. Apache for example
> > documents [1]:
>
> I think the word
On 2020-03-09 at 17:44 +0100 Lukas Tribus sent off:
> Perhaps we can relax the wording a bit here and describe the actual
> technical issue along with some recommendations. Apache for example
> documents [1]:
I think the wording from the patch is still quite relaxed :). One of the best
summaries d
Hi Lukas,
On Mon, Mar 09, 2020 at 05:44:59PM +0100, Lukas Tribus wrote:
> > + The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to
> > + man-in-the-middle attacks. You should consider to disable them for
> > + security reasons. TLS 1.3 implements more secure methods for session
>
Hello,
On Mon, 9 Mar 2020 at 11:23, PR Bot wrote:
>
> Dear list!
>
> Author: Björn Jacke
> Number of patches: 2
>
> This is an automated relay of the Github pull request:
>Docs tls tickets
>
> Patch title(s):
>BUG/MINOR: fix typo of tls-tickets
>DOC: improve description of no-tls-ti
16 matches
Mail list logo
