Hi everyone,

Due to the option SSLSessionTickets for mod_ssl being enabled by default, and most operating systems never doing restarts in a default installation, I would like to see an addition to the documentation where secure configuration is discussed.
There is a notification about this in the mod_ssl documentation [1], but due to the option being enabled by default, most users will probably never visit the docs there. So the documentation addition in SSL/TLS Strong Encryption: How-To [2] could instruct users to either turn off SSLSessionTickets or to configure scheduled restarts, of which disabling the setting would be the preferred option.

There is a research paper [3] discussing different configuration options, defaults and their effect on Perfect Forward Secrecy, and due to these observations I'd also like to have a discussion about changing the default setting for mod_ssl SSLSessionTickets altogether.

[1]: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessiontickets
[2]: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
[3]: https://jhalderm.com/pub/papers/forward-secrecy-imc16.pdf

--
Thanks for considering these options,
Joona Hoikkala
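Added example, not part of the original message and not httpd project code: a small audit that lists which TLS-enabled virtual hosts in a configuration still have session tickets effectively on, which is where the two options named in the message (turning SSLSessionTickets off or scheduling restarts) apply. The function name and sample configuration are constructed; it assumes the default of On when the directive is absent, that a virtual host without its own directive inherits the server-level value, and it does not follow Include directives.

```python
import re

# Constructed sample httpd configuration (not from the original message).
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName a.example
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
    SSLEngine on
    SSLSessionTickets Off
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
</VirtualHost>
"""

def audit_session_tickets(conf_text):
    """Return [(server_name, tickets_enabled)] for every TLS-enabled vhost."""
    global_tickets = True   # mod_ssl default when the directive is absent: On
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {"name": "(unnamed)", "ssl": False, "tickets": None}
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            if current is not None:
                vhosts.append(current)
            current = None
        else:
            parts = line.split(None, 1)
            key = parts[0].lower()
            arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
            if key == "sslsessiontickets":
                if current is None:
                    global_tickets = arg.lower() == "on"   # server-level setting
                else:
                    current["tickets"] = arg.lower() == "on"
            elif current is not None and key == "sslengine":
                current["ssl"] = arg.lower() != "off"
            elif current is not None and key == "servername":
                current["name"] = arg
    # Assumption: a vhost without its own directive inherits the server-level value.
    return [(v["name"], global_tickets if v["tickets"] is None else v["tickets"])
            for v in vhosts if v["ssl"]]
```

Calling `audit_session_tickets(SAMPLE_CONF)` reports `a.example` with tickets enabled purely because of the default, while `b.example` has them disabled explicitly.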