sslscan icon indicating copy to clipboard operation
sslscan copied to clipboard
verified publisher icon rbsec

Add Session Ticket Test

Open jtesta opened this issue 8 years ago • 0 comments

Session tickets are known to destroy the forward secrecy properties of Diffie-Hellman. A test should be added to check if they are enabled (they are by default in most TLS implementations). Its possible to disable them in both Apache and Nginx, though there is a significant performance penalty in doing so.

TLS v1.3 does not have this problem. Perhaps once its finalized, session tickets for v1.2 can be flagged as bad.

References:

  • https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
  • https://blog.filippo.io/we-need-to-talk-about-session-tickets/

jtesta avatar Oct 03 '17 20:10 jtesta