Go: crypto/tls: rotate session ticket keys

Created on 4 May 2018 · 5Comments · Source: golang/go

When crypto/tls autogenerates session ticket keys, it should also automatically rotate them (with some window of overlap) for forward secrecy.

Split from #19199

NeedsFix

Source

FiloSottile

👍8

Most helpful comment

This has been fixed.

katiehockman on 8 May 2020

🎉3

All 5 comments

Let's do this, this is probably the biggest forward secrecy liability of a default crypto/tls server.

I am thinking of deprecating SessionTicketKey in favor of SetSessionTicketKeys, still randomizing it but not using it if it's zero and instead doing a periodic rotation, and of course still using it if set.

FiloSottile on 1 Oct 2019

👍1

Change https://golang.org/cl/230679 mentions this issue: crypto/tls: rotate session ticket keys

gopherbot on 28 Apr 2020

Change https://golang.org/cl/231317 mentions this issue: crypto/tls: rotate session keys

gopherbot on 1 May 2020

This has been fixed.

katiehockman on 8 May 2020

🎉3

Change https://golang.org/cl/235922 mentions this issue: crypto/tls: test that Clone copies session ticket key fields

gopherbot on 1 Jun 2020

Was this page helpful?

0 / 5 - 0 ratings

Related issues

x/net/webdav: fails on broken links

enoodle · 3Comments

x/build/cmd/coordinator: ssh proxy should support scp

bradfitz · 3Comments

Proposal: supporting “symlinks” in GOPATH

myitcv · 3Comments

cannot find package "golang.org/x/sys/unix"

jayhuang75 · 3Comments

x/net/proxy: Non-SOCKS ALL_PROXY results in proxy: unknown scheme: http

bbodenmiller · 3Comments