[Ach] TLS session tickets "break" PFS

Aaron Zauner azet at azet.org
Sun Sep 28 21:13:49 CEST 2014 

* Reed Loden <reed at reedloden.com> [140924 20:02]:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wed, 24 Sep 2014 12:24:01 +0200
> Aaron Zauner <azet at azet.org> wrote:
> 
> > Well it has to be supported by the TLS stack and webserver - for example
> > on the TLS list it was mentioned that nginx does not support this as of now.
> 
> - From the TLS list, "Right now e.g. nginx isn't rotation anything and
> shares sessions and keys among all defined servers. They are blaming
> OpenSSL for that, but that's just a library and the server should
> rotate and distribute the keys while each instance has its own library."
> 
> Not sure why that would be nginx-specific... Fairly sure Apache doesn't
> do that either. I do think that web servers should improve this
> situation somewhat (perhaps by at least supporting automagic creation
> and rotation of session ticket keys on an individual instance basis,
> leaving the clustering aspect to external means).
I read somewhere that Apache has the same issue (maybe not in the
most recent version)

> At least both Apache and nginx support ways of specifying the actual
> TLS session ticket keys (as files), which is what you need in order to
> do rotation (outside of the web server doing it itself).
Yea sure but that kind of sucks, do you really want to write a
cronjob that pipes /dev/urandom to a ephemeral ticket file? Entropy
in linux systems varies greatly by the current operations on the
system.

  1) this is something that should be mitigated by protocol design
  2) while the issue remains in TLS <= 1.2 software daemons should
     correctly handle the automatic creation and rotation of TLS
     session tickets without the need to refer to a specific file.
     implementing this both in nginx and apache is probably less
     than 100 LoC in C.
Aaron
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20140928/e61b5cc5/attachment.sig>

More information about the Ach mailing list