[daemon13]

Since everybody is getting funky about PFS...

Julien, do you have any news to address this Adam's point:

>> So how do you run forward secrecy with several servers and support session tickets? You need to generate session ticket keys randomly, distribute them to the servers without ever touching persistent storage and rotate them frequently. However, I'm not aware of any open source servers that support anything like that.

[0] https://www.imperialviolet.org/2013/06/27/botchingpfs.html

[jvehent]

Nginx has a patch to store them in memcache, for what it's worth. It's far from ideal, but at least it's not persistent storage. The standard is still to point clients to a single termination endpoint, and do active/passive cluster, so that there's no need to share the session tickets.

I still believe that using PFS, even with this limitation, is safer than encrypting pre-master keys with a single private key that almost never rotates and is stored on plenty of servers.

[daemon13]

thank you for update

>> I still believe that using PFS, even with this limitation, is safer ...

I definitely agree, the problem is that usually there is more than 1 web server :-)

>> The standard is still to point clients to a single termination endpoint, and do active/passive cluster, so that there's no need to share the session tickets.

Sorry, I did not understand (esp. the active/passive cluster thing) - could you please may be add some pointers (blog post, etc) with more details?

[zobzu]

That's a good point about master keys. The state is pretty bad with Apache for example, and I'm not sure its much better with nginx at least by default.

I think that what he means is that you terminate SSL on the load balancers (= single termination endpoint), then have your cluster beneath it (non-SSL/TLS, or new SSL/TLS connection, thus different tickets)

[daemon13]

a-ha, got it, thanks :)

true, esp if use HaProxy as LB