[gnutls-devel] GnuTLS | Please document session ticket key rotation (#581)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri Sep 28 21:27:21 CEST 2018

New Issue was created.

Issue 581: https://gitlab.com/gnutls/gnutls/issues/581
Author:    Airtower

According to the changelog session keys are automatically rotated using a TOTP mechanism since version 3.6.4 (thanks!), but the documentation still says this in the "Session tickets" section:

> Those keys should be associated with the GnuTLS session using gnutls_session_ticket_enable_server, and should be rotated regularly (e.g., every few hours), to prevent them from becoming long-term keys which if revealed could be used to decrypt all previous sessions. 

Please add a description of the internal rotation as far as relevant at the API level. A question that is of particular concern to me is how the rotation works if a server forks after `gnutls_session_ticket_key_generate`, because that's what Apache (and with it mod_gnutls) does. Looking at `lib/stek.c` things should be fine (master key would be shared across forks as before, time should really be the same within one system), but having this explicitly documented would be helpful to application developers.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/581
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20180928/dc4969ea/attachment-0001.html>

More information about the Gnutls-devel mailing list