I'm new to the list, so if this is not the correct place to make such suggestions, could someone direct me to the right one? I feel that this would be a pretty important change.

On 3.4.2019 14.11, Joona Hoikkala wrote:
> Hi everyone,
>
> Due to the option SSLSessionTickets for mod_ssl being enabled by
> default, and most of the operating systems never doing restarts in
> default installation, I would like to see an addition to the
> documentation where secure configuration is being discussed.
>
> There is a notification about this in mod_ssl documentation [1], but due
> to the option being enabled by default, most of the users will probably
> never visit the docs there.
>
> So the documentation addition in SSL/TLS Strong Encryption: How-To [2]
> could instruct users to either turn off the SSLSessionTickets or to
> configure scheduled restarts, options out of which disabling the setting
> would be preferred.
>
> There is a research paper [3] discussing different configuration
> options, defaults and their effect on Perfect Forward Secrecy, and
> due to these observations I'd also like to additionally have a
> discussion about changing the default setting for mod_ssl
> SSLSessionTickets altogether.
>
> [1] : https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessiontickets
> [2] : https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
> [3] : https://jhalderm.com/pub/papers/forward-secrecy-imc16.pdf
>
> --
> Thanks for considering these options,
> Joona Hoikkala
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
> For additional commands, e-mail: docs-h...@httpd.apache.org
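
An added example (not part of the original messages, and not Apache project code): a small Python audit that lists TLS virtual hosts where SSLSessionTickets is left at the default the thread discusses. The sample configuration and the function name are constructed for illustration; Include directives are not followed, and inheritance of server-level values by virtual hosts is an assumption.

```python
import re

DIRECTIVE = re.compile(r"^\s*(SSLEngine|SSLSessionTickets|ServerName)\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)

# Constructed sample configuration (not from the thread).
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName a.example
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
    SSLEngine on
    SSLSessionTickets Off
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
</VirtualHost>
"""

def tls_vhosts_with_tickets(conf_text):
    """Return names of TLS virtual hosts where session tickets are effectively on."""
    server, vhosts, current = {}, [], None
    for line in conf_text.splitlines():
        m = VHOST_OPEN.match(line)
        if m:
            current = {"addr": m.group(1).strip()}
            vhosts.append(current)
        elif VHOST_CLOSE.match(line):
            current = None
        else:
            m = DIRECTIVE.match(line)  # commented-out lines never match
            if m:
                scope = server if current is None else current
                scope[m.group(1).lower()] = m.group(2).lower()
    flagged = []
    for vh in vhosts:
        # Assumption: a vhost inherits server-level values; tickets default to On.
        engine = vh.get("sslengine", server.get("sslengine", "off"))
        tickets = vh.get("sslsessiontickets", server.get("sslsessiontickets", "on"))
        if engine == "on" and tickets != "off":
            flagged.append(vh.get("servername", vh["addr"]))
    return flagged
```

On the constructed sample, only `a.example` is reported: it enables TLS and never sets the directive, so the default applies.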