Opened 10 years ago
Closed 8 years ago
#389 closed enhancement (fixed)
Enable HTTPS perfect forward secrecy
| Reported by: | andersk | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | web | Keywords: | |
| Cc: | | | |
Description
This is complicated by the requirement to keep SSLSessionTicketKeyFile out of persistent storage, rotate it frequently, and synchronize it across servers. It would also be nice to remember the last N old keys so that each rotation doesn’t force every user to establish a new SSL session. We’ll probably need to do some Apache development.
https://www.imperialviolet.org/2013/06/27/botchingpfs.html
https://blog.twitter.com/2013/forward-secrecy-at-twitter-0
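The rotate-but-remember-the-last-N policy the description asks for, as an added illustration that is not code from this ticket or from Apache mod_ssl: a key ring that retires ticket keys on a schedule while keeping the last N, so a ticket issued before a rotation still resumes until its key ages out. It models only the key-name lookup and an HMAC integrity tag; a real session ticket also encrypts the state, and the class name and `keep_old` parameter are assumptions of this example.

```python
import hashlib
import hmac
import os
from collections import OrderedDict

KEY_NAME_LEN = 16   # identifies which key minted a ticket
TAG_LEN = 32        # HMAC-SHA256 tag length


class TicketKeyRing:
    """Current ticket key plus the last `keep_old` retired keys (constructed example)."""

    def __init__(self, keep_old=2):
        self.keep_old = keep_old
        self.keys = OrderedDict()   # key_name -> secret, oldest first
        self.rotate()

    def rotate(self):
        """Mint a fresh key; drop the oldest once more than keep_old are retired."""
        name, secret = os.urandom(KEY_NAME_LEN), os.urandom(32)
        self.keys[name] = secret
        while len(self.keys) > self.keep_old + 1:
            self.keys.popitem(last=False)
        return name

    def current(self):
        name = next(reversed(self.keys))
        return name, self.keys[name]

    def issue(self, session_state):
        """Ticket = key name || state || HMAC(key, state). Only the current key issues."""
        name, secret = self.current()
        tag = hmac.new(secret, session_state, hashlib.sha256).digest()
        return name + session_state + tag

    def resume(self, ticket):
        """Return the session state, or None to force a full handshake."""
        name, rest = ticket[:KEY_NAME_LEN], ticket[KEY_NAME_LEN:]
        secret = self.keys.get(name)
        if secret is None:
            return None             # key rotated out of the ring
        state, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
        expected = hmac.new(secret, state, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None             # tampered or foreign ticket
        return state
```

Any server holding the same ring contents would resume the same tickets, which is exactly the cross-server synchronization problem the description raises.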
Change History (3)
comment:1 Changed 10 years ago by quentin
With our load-balancing regime that causes people to continue to hit the same server as long as it's up, why do we need to synchronize it across our servers? It seems like we could just pay the extra round-trip penalty if they get rebalanced, and avoid this mess.
comment:2 Changed 10 years ago by andersk
- Summary changed from Enable HTTPS perfect forward secrecy to Enable cross-server SSL session resumption
We forced on perfect forward secrecy in all supporting browsers in r2621; retitling appropriately.
comment:3 Changed 8 years ago by andersk
- Resolution set to fixed
- Status changed from new to closed
- Summary changed from Enable cross-server SSL session resumption to Enable HTTPS perfect forward secrecy
Cross-server SSL session resumption is #339.