DE

How to Harden TLS Session Resumption

In this article:

The TLS session resumption functionality is misconfigured. This opens attackers the possibility to steal existing TLS sessions from other users.



TLS Session Resumption Security Assessment

Security Assessment Increase TLS Key Size

CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

This article contains guidelines and code snippets for Apache and Nginx on fixing TLS Session Resumption security vulnerabilities.

TLS Session Resumption Vulnerability Information

The TLS session resumption functionality is misconfigured. This opens attackers the possibility to steal existing TLS sessions from other users.

Generally, the TLS session resumption functionality speeds up client reconnections, as no full TLS handshake needs to occur. Instead, a value known from a previous session is used to verify the authenticity of the connection. However, if the server does not properly rotate or renew its secrets, the session resumption breaks perfect forward secrecy.

Prevention Guide for SSL/TLS Vulnerabilities

Prevention Guide

Learn how to detect and prevent different kinds of SSL/TLS vulnerabilities.

Download

How to Harden TLS Session Resumption

To disable TLS session resumption, follow one of our guides. Further possibilities exist to harden the session resumption feature but are based on scheduled restarts of the webserver. Relate to the “Further Reading” for more information.

Apache

On Apache you need insert the SSLOpenSSLConfCmd directive into the virtual host configuration in /etc/apache2/sites-enabled/domain.conf or /etc/httpd/sites-enabled/domain.conf:

<IfModule mod_ssl.c>
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    <VirtualHost *:443>
 
            ServerAdmin webmaster@localhost
            ServerName example.com 
            DocumentRoot /var/www
    
            SSLEngine on

            SSLCertificateFile /etc/ssl/new.pem
            SSLCertificateKeyFile /etc/ssl/privkey.key


            SSLOpenSSLConfCmd Options -SessionTicket
    </VirtualHost>
</IfModule>

Nginx

For Nginx, update the configuration file which is usually located at /etc/nginx/nginx.conf, /etc/nginx/sited-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS). Add thessl_session_ticketsdirective to the server section:

server {
         listen   443;
         server_name example.org;

         root /usr/share/nginx/www;
         index index.html index.htm;

         ssl on;
         ssl_certificate /etc/ssl/new;
         ssl_certificate_key /etc/ssl/privkey.key;


         ssl_session_tickets off;
}

To meet these security goals, we first start an in-memory key generator daemon that generates a fresh, timestamped key every hour. Keys are encrypted so that only our Nginx servers can decrypt them. Then with CloudFlare’s existing secure data propagation infrastructure, ticket keys replicate from one master instance to any or all of our PoPs around the world.

Each host periodically queries the local copy of the database through a Memcached interface for fresh encryption keys for this hour. To summarize, the key generation daemon generates keys randomly. It rotates them hourly, and keys are securely distributed to any or all hosts across the world without being written to disk.

There are some technical details still worth mentioning. First, we want to tackle distributed clock synchronization.

As an example, there may well be one host who thinks it is UTC 12:01 pm while other hosts still think it is UTC 11:59 am, the faster-clock host might start encrypting session tickets with the key of 12:00 pm while other hosts couldn’t decrypt those tickets because they don’t know the new key yet. Or the fast-clock host might find the key’s not yet available due to propagation delay. Instead of dedicating efforts to synchronization, we solve the problem by breaking the synchronization requirement.

The key daemon generates keys one hour ahead, and each host would opportunistically save the key for the next hour (if there’s any) as a decryption-only key. So now, even with one or more faster-clock hosts, session resumption by ticket still works without interruption because they will still decrypt session tickets encrypted by the other.

Also, we set the session ticket lifetime hint to be 18 hours, the same value for SSL session timeout. This is because each server also keeps ticket keys for the past 18 hours for ticket decryption.

Get a quick security audit of your website for free now

We are analyzing https://example.com
Scanning target https://example.com
Scan status: In progress
Scan target: http://example.com/laskdlaksd/12lklkasldkasada.a
Date: 23/09/2022
Crashtest Security Suite will be checking for:
Information disclosure Known vulnerabilities SSL misconfiguration Open ports
Complete your scan request
Please fill in your details receive the
quick security audit by email.
Security specialist is analyzing your scan report.
То verify your identity please provide your phone/mobile:
Thank you.
We have received your request.
As soon as your security audit is ready, we will notify you.