On 05 Dec 2015, at 11:32, Gerhard Wiesinger <lists at wiesinger.com> wrote:
>
> Is it possible to configure the secure session caching mechanism?
> e.g. like in nginx: https://bjornjohansen.no/optimizing-https-nginx

I remember hearing about various security vulnerabilities in that earlier. I guess they're fixed now then, unless people find more ways to exploit it. Anyway, I'm not sure how useful it would actually even be for most IMAP/POP3 servers, because most clients don't connect all that often. Or I guess it might help some clients that create multiple connections immediately.

Then again, we are planning on adding some HTTP(S)-based services to Dovecot, and there it would likely be more useful. So I guess it gets implemented at some point.
On 06.12.2015 13:10, Timo Sirainen wrote:
> On 05 Dec 2015, at 11:32, Gerhard Wiesinger <lists at wiesinger.com> wrote:
>> Is it possible to configure the secure session caching mechanism?
>> e.g. like in nginx: https://bjornjohansen.no/optimizing-https-nginx
> I remember hearing about various security vulnerabilities in that earlier. I guess they're fixed now then, unless people find more ways to exploit it. Anyway, I'm not sure how useful it would actually even be for most IMAP/POP3 servers, because most clients don't connect all that often. Or I guess it might help some clients that create multiple connections immediately.
>
> Then again, we are planning on adding some HTTP(S)-based services to Dovecot, and there it would likely be more useful. So I guess it gets implemented at some point.
>

Session tickets are broken by DESIGN as they violate PFS (Perfect Forward Secrecy). If you can steal one AES key (all session tickets are encrypted for the server's lifetime with only one key), you can decrypt ALL sessions ever made with session tickets for the future. This violates PFS (Perfect Forward Secrecy), as only server-side "parameters" are relevant from now on.

Yes, session caching should reduce server load on multiple connections. See e.g. https://community.qualys.com/thread/15768

Therefore it would be great if you could implement the secure session caching mechanism.

As Gedalya mentioned, OCSP would be great, too.

Ciao,
Gerhard
On 12/06/2015 07:19 AM, Gerhard Wiesinger wrote:
> Session tickets are broken by DESIGN as they violate PFS (Perfect
> Forward Secrecy). If you can steal one AES key (all session tickets
> are encrypted for server lifetime with only one key) you can decrypt
> ALL sessions ever made with session tickets for the future.

I'm in no way an expert or an authority, but it is my understanding that there being only one key for the server's lifetime is not exactly by design, but rather (sloppy) implementation. See [0] as an example of at least a discussion on key rotation or even smooth rollover.

Perhaps in a perfect world, those who don't find a session cache suitable could instead use a better implementation of session tickets. Until, of course, someone takes security shaming to the next level and declares session tickets unconditionally evil. Notably, Qualys isn't doing that yet. Even Google is currently otherwise engaged.

Superficially speaking, both approaches sound like a matter of securing server memory space and rotating things out frequently.

[0] http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004373.html
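The two messages above turn on the same point: whether a resumption secret lives in server memory for the server's whole lifetime (Gerhard's objection) or is rotated out frequently (Gedalya's "rotating things out"). The script below is an added example, not code from this thread, from Dovecot or from nginx; it rotates the key files behind nginx's `ssl_session_ticket_key` directive so that the key used to encrypt new tickets is replaced on a schedule and the previous key is kept only long enough for outstanding tickets to resume. The directive, its key-file sizes (48 or 80 bytes) and the rule that the first listed key encrypts while all listed keys decrypt are nginx's own; the key directory, file names, the 1h timeout and the script name are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the thread): rotate nginx TLS session-ticket keys so
# that no single ticket key lives for the server's lifetime.
# ssl_session_ticket_key, ssl_session_cache and the 48/80-byte key sizes are
# nginx's; KEYDIR, the file names and the timeout are assumptions.
set -eu

KEYDIR="${KEYDIR:-./ticket-keys}"   # assumed location of the key files
KEYLEN=48                            # nginx accepts 48- or 80-byte key files

new_key() {
    # Write KEYLEN random bytes to "$1", readable only by the owner.
    (umask 077; dd if=/dev/urandom of="$1" bs="$KEYLEN" count=1 2>/dev/null)
}

rotate_ticket_keys() {
    # Demote the current key to decrypt-only and mint a fresh encrypting key.
    # nginx encrypts new tickets with the first listed key and accepts tickets
    # under any listed key, so clients holding a ticket from the previous key
    # still resume, while tickets under the key dropped from the list can no
    # longer be decrypted by anyone, the server included.
    mkdir -p "$KEYDIR"
    if [ -f "$KEYDIR/current.key" ]; then
        mv "$KEYDIR/current.key" "$KEYDIR/previous.key"
    fi
    new_key "$KEYDIR/current.key"
}

key_size() {
    # Byte length of a key file; nginx rejects sizes other than 48 or 80.
    wc -c < "$1" | tr -d ' '
}

write_nginx_snippet() {
    # Emit the resumption block to include from an nginx server{} context.
    # The session cache keeps master secrets in server memory too, so the
    # timeout bounds how far back a memory compromise reaches in either scheme.
    {
        echo "ssl_session_cache shared:SSL:10m;"
        echo "ssl_session_timeout 1h;"
        echo "ssl_session_tickets on;"
        echo "ssl_session_ticket_key $KEYDIR/current.key;"
        if [ -f "$KEYDIR/previous.key" ]; then
            echo "ssl_session_ticket_key $KEYDIR/previous.key;"
        fi
    } > "$KEYDIR/ssl-resumption.conf"
}

# Usage (assumed script name): sh rotate-ticket-keys.sh rotate
# followed by: nginx -s reload   (nginx reads the key files at load time)
case "${1:-}" in
    rotate) rotate_ticket_keys; write_nginx_snippet ;;
esac
```

Run it from cron at the interval you are willing to let a stolen key reach back (the first rotation produces a config with only the current key, so the include is valid from the start); the reload is needed because nginx loads the key files at configuration time, not per handshake.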