Pages

[jimski]

When dealing with mod_socache_redis,  mod_socache_memcache and other SSLSession caching methods the following security measures should be taken under consideration.

Although I'm not aware of any specific attack conducted with the method described below, there is a potential weakness in OpenSSL related to session tickets. Currently OpenSSL doesn't allow limit for session tickets' lifetime. A new ticket key only gets generated when starting the web server and that key is continuously used until next restart.

This can lead to a potential exploit if an attacker figures out the key then that key can be used to decrypt any previous and future tickets until Apache is restarted. If you guys plan to use SSL session cache then you may want to consider restarting Apache once a while (preferable every day although my servers restart just once a week) using a task scheduler or cron.

Also, do not specify the SSLSessionTicketFile directive or comment it out. This will force Apache to auto generate a new ticket key on each restart.

This is not a huge weakness as decrypting or figuring out ticket keys is not an easy task, but it should be taken under consideration because some servers can run for months or years without a restart which may give an attacker enough time to figure out the ticket key.