[apache2] 03/04: Add paragraph about session ticket keys to README.Debian

Stefan Fritsch sf at moszumanska.debian.org
Tue Dec 23 22:54:01 UTC 2014


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch wheezy
in repository apache2.

commit 36da4bf67430dd9f44cf5dc82b2572ba47dbf1e7
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Tue Dec 23 23:41:46 2014 +0100

    Add paragraph about session ticket keys to README.Debian
---
 debian/README.Debian | 15 +++++++++++++++
 debian/changelog     |  2 ++
 2 files changed, 17 insertions(+)

diff --git a/debian/README.Debian b/debian/README.Debian
index cfe8826..b0fedaf 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -11,6 +11,8 @@ Contents
 		Enabling SSL
 		Creating self-signed certificates
 		SSL workaround for MSIE
+		ECC keys and ECDH ciphers
+		Session ticket key life-time and forward secrecy
 
 	Suexec
 	
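Review bot: the new Contents entry "ECC keys and ECDH ciphers" has no matching section heading anywhere in this diff, whereas "Session ticket key life-time and forward secrecy" does (second hunk). If the ECC section already exists in the body of README.Debian and was only missing from the Contents list, this is fine; otherwise the entry dangles. Either way the commit message only mentions the session ticket paragraph, so a short note about the ECC entry would help the next reader of the log.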
@@ -246,6 +248,19 @@ to the SSLCipherSuite directive in /etc/apache2/mods-enabled/ssl.conf .
 A special compatibility fix for older Safari browsers is enabled if using an
 up-to-date libssl-1.0.0 (version 1.0.1e-2+deb7u8 or newer).
 
+Session ticket key life-time and forward secrecy
+------------------------------------------------
+
+Apache uses TLS session tickets to improve handshake performance. By default, a
+new session key key is (re-)generated at startup and at every graceful restart.
+This means that an attacker that somehow gets access to the memory of the
+running apache process may decrypt past connections that have used the current
+session ticket key. This breaks forward secrecy even if the used cipher would
+have provided forward secrecy. There is currently no way to change Apache's
+behavior. If you want to mitigate this kind of attack, you should consider
+increasing the frequency of graceful restarts by changing the log rotation in
+/etc/logrotate.d/apache2 from weekly to daily.
+
 
 Suexec
 ======
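Review bot: the added paragraph has a doubled word, "a new session key key is (re-)generated", and that sentence should say "session ticket key" rather than "session key", since the ticket key is what the heading and the rest of the paragraph are about and the distinction is the point of the section. The sentence "There is currently no way to change Apache's behavior" would age better if tied to the version shipped here (the 2.2.22 packages named in the changelog hunk), e.g. "in this version of Apache". Two smaller points: the new trailing empty line plus the existing one leaves two blank lines before "Suexec", where the other sections use one; and the mitigation could state what it actually bounds, namely that with the key regenerated at each graceful restart, daily instead of weekly log rotation limits the set of past connections decryptable with a captured ticket key to roughly one day's traffic.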
diff --git a/debian/changelog b/debian/changelog
index dff4e80..5ff1844 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,8 @@ apache2 (2.2.22-13+deb7u4) UNRELEASED; urgency=high
   * Fix hostname comparison with SNI to be case insensitive. Closes: #771199
   * Fix valule of SSL_CLIENT_S_DN_UID in mod_ssl (broken in 2.2.15).
     Closes: #773841
+  * Add paragraph about session ticket key life-time and forward secrecy to
+    README.Debian. Closes: #762619
 
  -- Stefan Fritsch <sf at debian.org>  Sun, 09 Nov 2014 14:38:26 +0100
 
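Review bot: the pre-existing context line directly above the new item, "Fix valule of SSL_CLIENT_S_DN_UID", has a typo ("valule" for "value") that could be corrected in the same commit while this entry is still UNRELEASED. The new item itself reads fine and matches the README.Debian change in the first file.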

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git
