Opened 8 years ago

Closed 6 years ago

#389 closed enhancement (fixed)

Enable HTTPS perfect forward secrecy

Reported by: andersk
Owned by:
Priority: minor
Milestone:
Component: web
Keywords:
Cc:

Description

This is complicated by the requirement to keep SSLSessionTicketKeyFile out of persistent storage, rotate it frequently, and synchronize it across servers. It would also be nice to remember the last N old keys so that each rotation doesn’t force every user to establish a new SSL session. We’ll probably need to do some Apache development.

https://www.imperialviolet.org/2013/06/27/botchingpfs.html https://blog.twitter.com/2013/forward-secrecy-at-twitter-0
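As an added illustration of the rotation scheme the description asks for (not code from this ticket or from the Apache project), the following constructed Python model keeps the current ticket key plus the last N retired keys in memory only, names the sealing key inside each ticket, and falls back to a full handshake once a key has aged out of the window. The HMAC-based sealing, the class and method names, and the 16-byte key name are assumptions made for the demo; a real server seals tickets with its own authenticated cipher and would still have to ship these keys to the other servers.

```python
import hashlib
import hmac
import os

class TicketKeyRing:
    """Current ticket key plus the last `keep` retired keys, held only in memory.
    A ticket names the key that sealed it, so a retained old key still resumes
    the session; a key already evicted means a full handshake (constructed model)."""
    def __init__(self, keep: int = 2):
        self.keep = keep
        self.keys = {}  # key name -> key material, insertion order = age (newest last)
        self.rotate()

    def rotate(self) -> None:
        """Install a fresh random key and evict keys beyond the retention window."""
        self.keys[os.urandom(16)] = os.urandom(32)
        while len(self.keys) > self.keep + 1:
            del self.keys[next(iter(self.keys))]

    @staticmethod
    def _subkeys(key: bytes):
        # Separate encryption and MAC keys derived from one ring key.
        return (hmac.new(key, b"enc", hashlib.sha256).digest(),
                hmac.new(key, b"mac", hashlib.sha256).digest())

    @staticmethod
    def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
        # HMAC-SHA256 in counter mode as a keystream (stand-in for AES-CTR).
        stream = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                          for i in range((len(data) + 31) // 32))
        return bytes(a ^ b for a, b in zip(data, stream))

    def issue(self, state: bytes) -> bytes:
        """Seal session state under the current key: name || nonce || ct || tag."""
        name, key = next(reversed(self.keys.items()))
        enc_key, mac_key = self._subkeys(key)
        nonce = os.urandom(16)
        ct = self._xor_stream(enc_key, nonce, state)
        return name + nonce + ct + hmac.new(mac_key, name + nonce + ct, hashlib.sha256).digest()

    def resume(self, ticket: bytes):
        """Return the session state, or None if the key is gone or the tag fails."""
        name, nonce, ct, tag = ticket[:16], ticket[16:32], ticket[32:-32], ticket[-32:]
        key = self.keys.get(name)
        if key is None:
            return None  # key rotated out of the window: client must do a full handshake
        enc_key, mac_key = self._subkeys(key)
        if not hmac.compare_digest(tag, hmac.new(mac_key, name + nonce + ct, hashlib.sha256).digest()):
            return None
        return self._xor_stream(enc_key, nonce, ct)
```

With keep=2, a ticket survives two rotations and is refused on the third, which is the "remember the last N old keys" behaviour the description wants.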

Change History (3)

comment:1 Changed 8 years ago by quentin

With our load-balancing regime that causes people to continue to hit the same server as long as it's up, why do we need to synchronize it across our servers? It seems like we could just pay the extra round-trip penalty if they get rebalanced, and avoid this mess.

comment:2 Changed 7 years ago by andersk

  • Summary changed from Enable HTTPS perfect forward secrecy to Enable cross-server SSL session resumption

We forced on perfect forward secrecy in all supporting browsers in r2621; retitling appropriately.

comment:3 Changed 6 years ago by andersk

  • Resolution set to fixed
  • Status changed from new to closed
  • Summary changed from Enable cross-server SSL session resumption to Enable HTTPS perfect forward secrecy

Cross-server SSL session resumption is #339.
