After some reads about PFS and one Black Hat 2013 session, for what i understand:
Session Tickets can compromise the Forward Secrecy. Why ?
Use of session tickets (enabled by default in OpenSSL) reduces effectiveness of TLS forward secrecy, because the keys used to
generate tickets survive for the lifetime of the httpd process. So if you have access to the httpd process you can retrieve the keys used to generate session tickets.
The demo was done by Florent Daigniére this year in the Black Hat conference and it was pretty easy to understand.
So in my case, i have Apache 2.2 and OpenSSL 1.0.1 and Ubuntu 12.04.3 LTS
That's already possible with SSLOpenSSLConfCmd using something like:
SSLOpenSSLConfCmd Options -SessionTicket
Unfortunately that's only supported in trunk and the unreleased OpenSSL 1.0.2 and later.
I read in some blogs that is possible to disable it in SSL_CTX, but i can't find where.
Anyone can help ?
Thanks in advance