Changeset 8d0efdc in mod_gnutls

Timestamp:

Jun 18, 2020, 4:57:32 PM (3 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, main, master

Children:

9a26df9

Parents:

8f000b7

Message:

Disable session tickets by default

After learning that the GnuTLS key "rotation" scheme never actually
changes the primary key I'm disabling session tickets by default,
because I cannot ensure everyone will reload their servers to replace
the keys. I hope to eventually implement a real key rotation and
enable tickets by default again.

Files:

• doc/mod_gnutls_manual.md (modified) (4 diffs)
• src/gnutls_hooks.c (modified) (1 diff)
• test/tests/37_TLS_reverse_proxy_resume_session/backend.conf (modified) (1 diff)

doc/mod_gnutls_manual.md

@@ -134 +134 @@
 :   Turns off all caching of TLS sessions.
 
-    This can significantly reduce the performance of `mod_gnutls`
-    since even followup connections by a client must renegotiate
-    parameters instead of reusing old ones. This is the default, since
-    it requires no configuration.
+    This can reduce the performance of `mod_gnutls` since every
+    followup connection by a client must perform a full TLS
+    handshake. This is the default because it requires no
+    configuration.
 
     Session tickets are an alternative to using a session cache,
@@ -161 +161 @@
     GnuTLSSessionTickets [on|off]
 
-Default: `on` with GnuTLS 3.6.4 and newer, `off` otherwise\
+Default: `off`
 Context: server config, virtual host
 
@@ -174 +174 @@
 without a `GnuTLSSessionTickets` setting will use the global setting.
 
-*Warning:* With GnuTLS version before 3.6.4 the master key that
-protects the tickets is generated only on server start, and there is
-no mechanism to roll over the key. If session tickets are enabled it
-is highly recommended to restart the server regularly to protect past
-sessions in case an attacker gains access to server memory. GnuTLS
-3.6.4 introduced an automatic TOTP-based key rollover, so this warning
-does not apply any more and tickets are enabled by default.
+*Warning:* The primary key used to encrypt the tickets is generated
+while the server loads its configuration. An attacker who is able to
+read this key from server RAM may be able to decrypt past TLS 1.2
+sessions and impersonate the server to clients trying to resume
+sessions using tickets. If you enable session tickets you should
+regularly `reload` the server to generate fresh keys. Many
+distributions automatically do this during log rotation.
 
 ### GnuTLSDHFile
@@ -801 +801 @@
 issuer certificate in addition to the server's, and
 [mod\_socache\_shmcb](http://httpd.apache.org/docs/current/en/mod/mod_socache_shmcb.html)
-is loaded. With Gnutls 3.6.4 or newer session tickets are enabled,
-too.
+is loaded.
 
 Virtual Hosts with Server Name Indication

src/gnutls_hooks.c

@@ -659 +659 @@
             sc->enabled = GNUTLS_ENABLED_FALSE;
         if (sc->tickets == GNUTLS_ENABLED_UNSET)
-        {
-            /* GnuTLS 3.6.4 introduced automatic master key rotation */
-            if (gnutls_check_version_numeric(3, 6, 4))
-                sc->tickets = GNUTLS_ENABLED_TRUE;
-            else
-                sc->tickets = GNUTLS_ENABLED_FALSE;
-        }
+            sc->tickets = GNUTLS_ENABLED_FALSE;
         if (sc->export_certificates_size < 0)
             sc->export_certificates_size = 0;

test/tests/37_TLS_reverse_proxy_resume_session/backend.conf

@@ -1 +1 @@
 Include ${PWD}/proxy_backend.conf
+GnuTLSSessionTickets on
 
 <VirtualHost _default_:${BACKEND_PORT}>