The Apache 2.4 mod_ssl documentation (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessiontickets) includes the following warning:
TLS session tickets are enabled by default. Using them without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy.
The reason is that mod_ssl generates the key that protects session tickets when the server starts and keeps it in memory until the next restart, so anyone who later obtains that key can recover the session keys of every connection that was resumed with a ticket protected by it. Until a proper automated key rotation mechanism is built into mod_ssl, turning session tickets off seems sensible. Just add SSLSessionTickets Off to the mod_ssl configuration file.
Without session tickets (which push most of the TLS session state out to the client), resumption falls back to session IDs, which the default configuration caches server-side via mod_socache_shmcb (the SSLSessionCache directive).
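As an added example (not code from the original post or from Apache httpd), the following script audits a set of Apache config files for the two things this post relies on: SSLSessionTickets must be explicitly Off, since Apache's default is On and a config that never mentions the directive is therefore the insecure case, and an SSLSessionCache must be configured so session-ID resumption has somewhere to store state. The file names and the two sample configs are constructed for the demo; directive names and on/off values are matched case-insensitively because Apache treats them that way.

```sh
#!/bin/sh
# Added example, not part of the original post or of Apache httpd.
# Audits Apache config files for SSLSessionTickets and SSLSessionCache.

# Prints "off" if every SSLSessionTickets directive in the given files is
# Off, "on" if any of them is On, and "default-on" if no file sets it at
# all (Apache enables tickets by default, so silence means tickets are on).
session_tickets_state() {
    # Drop comments, then pull the argument of each SSLSessionTickets line.
    vals=$(sed 's/#.*//' "$@" \
        | grep -i -E '^[[:space:]]*SSLSessionTickets[[:space:]]+' \
        | awk '{print tolower($2)}')
    if [ -z "$vals" ]; then
        echo default-on
    elif echo "$vals" | grep -qx on; then
        echo on
    else
        echo off
    fi
}

# Prints "yes" if some SSLSessionCache other than "none" is configured in
# the given files (so session-ID resumption can work), otherwise "no".
session_cache_configured() {
    sed 's/#.*//' "$@" \
        | grep -i -E '^[[:space:]]*SSLSessionCache[[:space:]]+' \
        | awk '{print tolower($2)}' \
        | grep -qv '^none$' && echo yes || echo no
}

# Demo on two constructed configs: a "weak" one that relies on the
# defaults (tickets silently on) and a hardened one with tickets off and
# the shmcb session-ID cache kept.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/weak.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout 300
</IfModule>
EOF
    cat > "$tmp/hardened.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLSessionTickets Off
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout 300
</IfModule>
EOF
    for f in weak hardened; do
        echo "$f.conf: tickets=$(session_tickets_state "$tmp/$f.conf")" \
             "cache=$(session_cache_configured "$tmp/$f.conf")"
    done
    rm -r "$tmp"
}

demo
```

Run it against the real config tree with something like `session_tickets_state /etc/apache2/sites-enabled/*.conf /etc/apache2/mods-enabled/ssl.conf` (paths vary by distribution); because any one virtual host can re-enable tickets, the function reports "on" if any file does. To confirm the running server's behaviour rather than its files, `openssl s_client -connect host:443 -tls1_2 </dev/null 2>/dev/null | grep -i 'TLS session ticket'` prints a "TLS session ticket" block when the server still hands out tickets. One caveat: the server-side session-ID cache also holds resumable session state, but only for SSLSessionCacheTimeout (300 seconds by default), which is a much shorter exposure window than a ticket key that lives until the next restart.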
Here is a good SO post with a bit more info. Once Apache ships a key rotation solution that does not rely on the Apache server being restarted manually every day, it is probably best to turn SSLSessionTickets back on.