Hi everyone,
Some questions came up with regards to the SSLSessionTickets and SSLSessionTicketKeyFile directives that we could not find a clear answer for. Perhaps, someone on this mailing list could help answer these questions.
# SSLSessionTickets
It says in the documentation that Apache needs to be restarted with appropriate frequency when SSLSessionTickets is enabled because Perfect Forward frequency might be compromised otherwise. [1]
While it is clear that a restart causes the ticket key to be discarded and a new one to be generated, there appears to be some confusion around whether a graceful reload is sufficient.
Here is, for example, an abbreviated discussion on Github where the topic of session tickets comes up for Apache: [2]
> szepeviktor - E.g. on Debian-based systems daily logrotate reloads Apache. *I hope a reload is enough.*
> tomato42 - IIRC reload is not sufficient, but it was a long time ago I last looked into it.
> szepeviktor - apache2ctl graceful *does* change the session ticket. [provides commands to reproduce what looks like changes to the session keys after graceful reload]
> szepeviktor - Also service apache2 reload does change the session ticket.
> tomato42 - Just because you cannot resume the session after a server reload does not mean that the ticket encryption key has changed - sessions being invalidated will have the same result
> szepeviktor - If I run it continuously the first 16 bytes don't change, only the rest. When I reload apache apache2ctl graceful then the first 16 bytes also changes. So I conclude that ticket encryption key is changed by the reload.
> tomato42 - From what I can see in openssl sources, the first 16 bytes of the ticket is the "name" of the key (essentially random data), so it changing does suggest the encryption key is changing too, but without looking into apache sources I can't tell for sure.
Here is another example, an extract of a question asked on StackOverflow, where issues came up for session resumption with TLSv1.3, where full handshakes are made after a graceful reload instead of session resumption, which appears to be a different behavior than on TLSv1.2: [3]
> USP-dos - I think this is a very common use-case ("Allow to resume ssl-sessions after graceful restart") and should work with TLSv1.3 as it does with 1.2.
Further, I could not find anything in the changelog that would indicate a change in behavior for the TLSSessionTicket directive. [4]
Am I correct to assume that Apache has to be restarted and that a graceful reload in not sufficient?
Is there a difference between the handling of session ticket keys between TLSv1.2 and TLSv1.3?
Is a graceful reload sufficient to rotate session ticket keys for TLSv1.2?
Is a graceful reload sufficient to rotate session ticket keys for TLSv1.3?
# SSLSessionTicketKeyFile
|