Twitter's TLS Forward Secrecy Implementation

23 November 2013

Jacob Hoffman-Andrews, detailing Twitter's TLS session ticket implementation for session resumption with forward secrecy:

We have a set of key generator machines, of which one is the leader. The leader generates a fresh session ticket key every twelve hours and zeroes old keys after thirty-six hours. Keys are stored in tmpfs (a RAM-based filesystem), with no swap partitions configured. It's important that there be no swap, because tmpfs will use swap if available, which could write keys to long-term disk storage.

Every five minutes, our frontends fetch the latest ticket keys from a key generator machine via SSH.
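The rotation policy quoted above (a new ticket key every twelve hours, old keys zeroed after thirty-six, frontends refreshing their copy every five minutes) can be modelled end to end. The following is an added example written for this page; it is not Twitter's code and the ticket format, the `KeyGenerator`/`Frontend` classes, the in-RAM `zero()` step and the HMAC-based keystream (a stand-in for a real AEAD such as AES-GCM) are all assumptions made here for illustration. It shows the property the policy buys: a ticket sealed at hour zero resumes for up to thirty-six hours and then becomes undecryptable once the key bytes are gone, and a frontend whose snapshot is behind simply falls back to a full handshake rather than failing unsafely.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Rotation policy from the post: new key every 12 h, old keys zeroed after 36 h.
ROTATE_SECS = 12 * 3600
EXPIRE_SECS = 36 * 3600
FETCH_SECS = 5 * 60          # frontends refresh their copy every five minutes
KEY_NAME_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32   # invented ticket layout


@dataclass
class TicketKey:
    name: bytes          # public identifier carried in the clear in every ticket
    secret: bytearray    # mutable so it can be overwritten when the key expires
    created: int         # seconds since an arbitrary epoch

    def zero(self):
        # The key lives in RAM (tmpfs, no swap); overwrite it before dropping it.
        for i in range(len(self.secret)):
            self.secret[i] = 0


class KeyGenerator:
    """Hypothetical model of the leader key generator: live keys, oldest first."""

    def __init__(self, now):
        self.keys = []
        self._mint(now)

    def _mint(self, now):
        self.keys.append(TicketKey(os.urandom(KEY_NAME_LEN), bytearray(os.urandom(32)), now))

    def tick(self, now):
        if now - self.keys[-1].created >= ROTATE_SECS:
            self._mint(now)
        live = []
        for k in self.keys:
            if now - k.created >= EXPIRE_SECS:
                k.zero()          # anyone reading this memory later finds only zeros
            else:
                live.append(k)
        self.keys = live

    def snapshot(self):
        # What a frontend fetches over SSH: a copy of the current key set.
        return [TicketKey(k.name, bytearray(k.secret), k.created) for k in self.keys]


def _keystream(secret, nonce, length):
    # HMAC-SHA256 in counter mode; illustrative stand-in for an AEAD such as AES-GCM.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(secret, b"stream" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _tag(secret, name, nonce, ct):
    return hmac.new(secret, b"tag" + name + nonce + ct, hashlib.sha256).digest()


class Frontend:
    """A TLS frontend holding one snapshot: seals with the newest key, opens with any it knows."""

    def __init__(self, snapshot):
        self.keys = {k.name: k for k in snapshot}
        self.newest = max(snapshot, key=lambda k: k.created)

    def seal(self, state):
        k, nonce = self.newest, os.urandom(NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(state, _keystream(k.secret, nonce, len(state))))
        return k.name + nonce + ct + _tag(k.secret, k.name, nonce, ct)

    def open(self, ticket):
        # Returns the session state, or None: the client then does a full handshake.
        if len(ticket) < KEY_NAME_LEN + NONCE_LEN + TAG_LEN:
            return None
        name, nonce = ticket[:KEY_NAME_LEN], ticket[KEY_NAME_LEN:KEY_NAME_LEN + NONCE_LEN]
        ct, tag = ticket[KEY_NAME_LEN + NONCE_LEN:-TAG_LEN], ticket[-TAG_LEN:]
        k = self.keys.get(name)
        if k is None or not hmac.compare_digest(tag, _tag(k.secret, name, nonce, ct)):
            return None
        return bytes(a ^ b for a, b in zip(ct, _keystream(k.secret, nonce, len(ct))))


def ticket_lifetime(checkpoints_h=(1, 12, 24, 35, 36, 37)):
    """Seal one ticket at t=0; report per checkpoint whether a freshly synced frontend can open it."""
    gen = KeyGenerator(0)
    ticket = Frontend(gen.snapshot()).seal(b"resumable-session-state")
    result, now = {}, 0
    for t in sorted(h * 3600 for h in checkpoints_h):
        while now < t:               # the generator applies its policy continuously
            now += FETCH_SECS
            gen.tick(now)
        result[t // 3600] = Frontend(gen.snapshot()).open(ticket) is not None
    return result


def stale_frontend():
    """A frontend that has not fetched the newest key cannot open tickets sealed under it."""
    gen = KeyGenerator(0)
    old = Frontend(gen.snapshot())        # fetched just before the rotation
    gen.tick(ROTATE_SECS)                 # leader mints the twelve-hour key
    new = Frontend(gen.snapshot())
    t = new.seal(b"state")
    return new.open(t) is not None, old.open(t) is not None
```

`ticket_lifetime()` returns `{1: True, 12: True, 24: True, 35: True, 36: False, 37: False}`: the ticket resumes while its key is alive and stops resuming the moment the key is zeroed, which bounds how far back a later key compromise can reach. `stale_frontend()` returns `(True, False)`, the graceful failure mode of the five-minute fetch lag: the worst case for a lagging frontend is one extra full handshake, never a silently weakened session.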