Posted to docs@httpd.apache.org by Joona Hoikkala <jo...@eff.org> on 2019/04/03 11:11:32 UTC

Request for addition to document: SSL/TLS Strong Encryption: How-To

Hi everyone,

Due to the option SSLSessionTickets for mod_ssl being enabled by
default, and most operating systems never doing restarts in a
default installation, I would like to see an addition to the
documentation where secure configuration is being discussed.

There is a notification about this in the mod_ssl documentation [1], but due
to the option being enabled by default, most users will probably
never visit the docs there.

So the documentation addition in SSL/TLS Strong Encryption: How-To [2]
could instruct users to either turn off the SSLSessionTickets or to
configure scheduled restarts, options out of which disabling the setting
would be preferred.

There is a research paper [3] discussing different configuration
options, defaults and their effect on Perfect Forward Secrecy, and
due to these observations I'd also like to additionally have a
discussion about changing the default setting for mod_ssl
SSLSessionTickets altogether.

[1] : https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessiontickets
[2] : https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
[3] : https://jhalderm.com/pub/papers/forward-secrecy-imc16.pdf

--
Thanks for considering these options,
Joona Hoikkala



---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
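
The check the message above asks the how-to to prompt, sketched as an added example (not part of the original post and not httpd project code): it reports every TLS-enabled virtual host where SSLSessionTickets is still effectively on. It assumes a single configuration file without Include directives or line continuations, and that a virtual host inherits the server-level value when it sets none; the sample configuration and the function name are constructed.

```python
import re

# Constructed sample configuration (not from the original post).
SAMPLE_CONF = """\
SSLSessionTickets off
<VirtualHost *:443>
    ServerName a.example
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
    SSLEngine on
    SSLSessionTickets on
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
</VirtualHost>
"""

def audit_session_tickets(conf_text):
    """Return [(server_name, tickets_enabled)] for every TLS-enabled vhost."""
    global_scope, vhosts = {}, []
    scope = global_scope
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            scope = {}                      # directives now belong to this vhost
            vhosts.append(scope)
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = global_scope            # back to server-level scope
        else:
            parts = line.split(None, 1)     # directive names are case-insensitive
            if len(parts) == 2:
                scope[parts[0].lower()] = parts[1].strip().strip('"').lower()
    results = []
    for vh in vhosts:
        if vh.get("sslengine", global_scope.get("sslengine", "off")) != "on":
            continue                        # not a TLS vhost, tickets irrelevant
        # Assumption: unset in the vhost means inherit; unset everywhere means "on".
        tickets = vh.get("sslsessiontickets",
                         global_scope.get("sslsessiontickets", "on"))
        results.append((vh.get("servername", "<unnamed>"), tickets == "on"))
    return results
```
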


Re: Request for addition to document: SSL/TLS Strong Encryption: How-To

Posted by Joona Hoikkala <jo...@eff.org>.
I'm new to the list, so if this is not the correct place to make such
suggestions, could someone direct me to the right one? I feel that this
would be a pretty important change.


On 3.4.2019 14.11, Joona Hoikkala wrote:
> Hi everyone,
>
> Due to the option SSLSessionTickets for mod_ssl being enabled by
> default, and most operating systems never doing restarts in a
> default installation, I would like to see an addition to the
> documentation where secure configuration is being discussed.
>
> There is a notification about this in the mod_ssl documentation [1], but due
> to the option being enabled by default, most users will probably
> never visit the docs there.
>
> So the documentation addition in SSL/TLS Strong Encryption: How-To [2]
> could instruct users to either turn off the SSLSessionTickets or to
> configure scheduled restarts, options out of which disabling the setting
> would be preferred.
>
> There is a research paper [3] discussing different configuration
> options, defaults and their effect on Perfect Forward Secrecy, and
> due to these observations I'd also like to additionally have a
> discussion about changing the default setting for mod_ssl
> SSLSessionTickets altogether.
>
> [1] : https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessiontickets
> [2] : https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
> [3] : https://jhalderm.com/pub/papers/forward-secrecy-imc16.pdf
>
> --
> Thanks for considering these options,
> Joona Hoikkala