[apache2] 03/04: Add paragraph about session ticket keys to README.Debian
Stefan Fritsch
sf at moszumanska.debian.org
Tue Dec 23 22:54:01 UTC 2014
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch wheezy
in repository apache2.
commit 36da4bf67430dd9f44cf5dc82b2572ba47dbf1e7
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Tue Dec 23 23:41:46 2014 +0100
Add paragraph about session ticket keys to README.Debian
---
debian/README.Debian | 15 +++++++++++++++
debian/changelog | 2 ++
2 files changed, 17 insertions(+)
diff --git a/debian/README.Debian b/debian/README.Debian
index cfe8826..b0fedaf 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -11,6 +11,8 @@ Contents
Enabling SSL
Creating self-signed certificates
SSL workaround for MSIE
+ ECC keys and ECDH ciphers
+ Session ticket key life-time and forward secrecy
Suexec
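Review bot: the added contents entry "ECC keys and ECDH ciphers" has no matching section added anywhere in this patch; the only new section in the second hunk is "Session ticket key life-time and forward secrecy". If the ECC section already exists in README.Debian (the SSLCipherSuite and Safari context lines in the next hunk suggest it does), this is just a missing table-of-contents entry being back-filled, which the commit message should say; otherwise the entry dangles and should be dropped from this change.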
@@ -246,6 +248,19 @@ to the SSLCipherSuite directive in /etc/apache2/mods-enabled/ssl.conf .
A special compatibility fix for older Safari browsers is enabled if using an
up-to-date libssl-1.0.0 (version 1.0.1e-2+deb7u8 or newer).
+Session ticket key life-time and forward secrecy
+------------------------------------------------
+
+Apache uses TLS session tickets to improve handshake performance. By default, a
+new session key key is (re-)generated at startup and at every graceful restart.
+This means that an attacker that somehow gets access to the memory of the
+running apache process may decrypt past connections that have used the current
+session ticket key. This breaks forward secrecy even if the used cipher would
+have provided forward secrecy. There is currently no way to change Apache's
+behavior. If you want to mitigate this kind of attack, you should consider
+increasing the frequency of graceful restarts by changing the log rotation in
+/etc/logrotate.d/apache2 from weekly to daily.
+
Suexec
======
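Review bot: "a new session key key is (re-)generated" in the first added paragraph line doubles "key" and also uses the wrong term; it should read "a new session ticket key is (re-)generated" to match "the current session ticket key" two lines later. Two smaller points: "There is currently no way to change Apache's behavior" is true for the 2.2.22 package this changelog covers but reads as a general statement, so consider "in this version of Apache"; and the suggested mitigation ties key rotation to the logrotate schedule in /etc/logrotate.d/apache2, so it would help to state that it is the graceful restart triggered by log rotation, not the log rotation itself, that replaces the key, and that any other source of graceful restarts works equally well.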
diff --git a/debian/changelog b/debian/changelog
index dff4e80..5ff1844 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,8 @@ apache2 (2.2.22-13+deb7u4) UNRELEASED; urgency=high
* Fix hostname comparison with SNI to be case insensitive. Closes: #771199
* Fix valule of SSL_CLIENT_S_DN_UID in mod_ssl (broken in 2.2.15).
Closes: #773841
+ * Add paragraph about session ticket key life-time and forward secrecy to
+ README.Debian. Closes: #762619
-- Stefan Fritsch <sf at debian.org> Sun, 09 Nov 2014 14:38:26 +0100
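Review bot: the context line "* Fix valule of SSL_CLIENT_S_DN_UID in mod_ssl" directly above the added entry misspells "value"; since this 2.2.22-13+deb7u4 stanza is still UNRELEASED, it can be corrected in the same upload. The trailer "Sun, 09 Nov 2014 14:38:26 +0100" also predates this commit (23 Dec 2014) and will need refreshing before release.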
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git