Package: apache2
Version: 2.4.46-1
Severity: important

When using TLS, SSLSessionTickets is enabled by default. SSLSessionTickets need frequent server reloads for Perfect Forward Secrecy, which in Debian is ensured through daily logrotation. That long chain of logic is not obvious, however, and a system administrator might find it sensible to adjust the frequency of logrotation without being aware of the security implications.

I strongly recommend adding a comment in the logrotate file warning that if the server uses TLS, then the server should be reloaded at least daily, either through logrotation or by other means.

<https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLSessionTickets>

 - Jonas
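One way to check the condition this report describes, as an added example that is not part of the report or of the Debian package: the script reads a logrotate file and an Apache configuration directory (both supplied by the caller) and warns when a TLS-enabled config leaves session tickets on while rotation is less frequent than daily or the rotation script never reloads the server. It is a heuristic with hypothetical function names: it does not see reloads triggered by other means such as cron or a systemd timer, and it only looks for `SSLSessionTickets off` in the same file as `SSLEngine on`.

```shell
#!/bin/sh
# Added example (not Debian's or Apache's code). Function names are hypothetical.

# Print the last rotation-frequency directive in a logrotate file, or "unknown".
rotation_frequency() {
    awk '{ sub(/#.*/, "") }
         $1 ~ /^(hourly|daily|weekly|monthly|yearly)$/ { f = $1 }
         END { print (f ? f : "unknown") }' "$1"
}

# List config files under a directory that enable TLS but do not set
# "SSLSessionTickets off" in the same file (tickets default to on).
tls_files_with_tickets() {
    grep -rliE '^[[:space:]]*SSLEngine[[:space:]]+on' "$1" 2>/dev/null |
    while IFS= read -r f; do
        grep -qiE '^[[:space:]]*SSLSessionTickets[[:space:]]+off' "$f" || echo "$f"
    done
}

# $1 = logrotate file, $2 = Apache config directory.
# Returns 0 when the daily-reload expectation holds, 1 otherwise.
audit_reload_policy() {
    files=$(tls_files_with_tickets "$2")
    if [ -z "$files" ]; then
        echo "OK: no TLS config with session tickets enabled"
        return 0
    fi
    freq=$(rotation_frequency "$1")
    if ! grep -v '^[[:space:]]*#' "$1" | grep -q 'reload'; then
        echo "WARN: $1 never reloads the server"
        return 1
    fi
    case "$freq" in
        hourly|daily)
            echo "OK: rotation is $freq and reloads the server"
            return 0 ;;
        *)
            echo "WARN: rotation is $freq; reload at least daily for: $files"
            return 1 ;;
    esac
}

# Assumed Debian defaults: sh audit.sh /etc/logrotate.d/apache2 /etc/apache2
if [ "$#" -eq 2 ]; then
    audit_reload_policy "$1" "$2"
fi
```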