Opened 5 years ago

Closed 5 years ago

#806 closed defect (wontfix)

ngx_http_ssl_module: Turn off 'ssl_session_tickets' by default

Reported by: Commenter123@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.9.x
Keywords: Cc:
uname -a: --
nginx -V: --

Description

As neither nginx nor openssl rotates the session ticket key, having 'ssl_session_tickets' turned on by default is bad, as a lot of users won't use a manual ticket rotation system.

Having 'ssl_session_tickets' on without rotating the key frequently destroys PFS:
http://security.stackexchange.com/questions/102093/tls-session-tickets-what-is-the-risk-of-a-disclosed-server-ticket-key

Change History (1)

comment:1 by Maxim Dounin, 5 years ago

Resolution: wontfix
Status: new → closed

Session ticket keys are changed on each nginx configuration reload. This is believed to be good/frequent enough in most cases, especially compared to persistent private keys stored on disk. If you think this is not enough in your case, you may switch off ssl_session_tickets and/or start coding a builtin ticket key rotation code. There are no plans to change the default.
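One way to build the manual rotation the reporter mentions, as an added example that is not code from nginx or from this ticket: a POSIX shell script that shifts three key files named by nginx's `ssl_session_ticket_key` directive and then reloads nginx. The `/etc/nginx/ticket_keys` path, the `ticket.N.key` names and the `--rotate` flag are this example's own assumptions.

```shell
#!/bin/sh
# Rotate the session-ticket keys nginx reads via ssl_session_ticket_key.
# Added example (not nginx's code). nginx uses the first listed key file to
# encrypt new tickets and the remaining ones only to decrypt tickets issued
# earlier, so shifting three files on a schedule bounds how far back a leaked
# key reaches, which is the forward-secrecy concern raised in the ticket.
#
# Assumed nginx configuration (path and file names are this example's choice):
#   ssl_session_tickets on;
#   ssl_session_ticket_key /etc/nginx/ticket_keys/ticket.1.key;
#   ssl_session_ticket_key /etc/nginx/ticket_keys/ticket.2.key;
#   ssl_session_ticket_key /etc/nginx/ticket_keys/ticket.3.key;
set -eu

KEY_DIR="${KEY_DIR:-/etc/nginx/ticket_keys}"
KEY_LEN=80   # 80 random bytes selects AES-256 ticket keys in nginx; 48 would select AES-128

# new_ticket_key FILE: write KEY_LEN random bytes to FILE, mode 0600, via atomic rename.
new_ticket_key() {
  umask 077
  head -c "$KEY_LEN" /dev/urandom > "$1.tmp"
  mv -f "$1.tmp" "$1"
}

# rotate_ticket_keys DIR: ticket.2 -> ticket.3, ticket.1 -> ticket.2, fresh ticket.1.
# The old ticket.3 is dropped, so tickets encrypted under it are no longer resumable
# and a later compromise of the current files cannot decrypt those recorded sessions.
rotate_ticket_keys() {
  dir="$1"
  [ -f "$dir/ticket.2.key" ] && mv -f "$dir/ticket.2.key" "$dir/ticket.3.key"
  [ -f "$dir/ticket.1.key" ] && mv -f "$dir/ticket.1.key" "$dir/ticket.2.key"
  new_ticket_key "$dir/ticket.1.key"
  # nginx -t fails if any listed key file is missing, so fill empty slots on first run.
  for n in 2 3; do
    [ -f "$dir/ticket.$n.key" ] || new_ticket_key "$dir/ticket.$n.key"
  done
}

# Run from cron (e.g. hourly or daily): rotate, then reload so nginx re-reads the key files.
if [ "${1:-}" = "--rotate" ]; then
  rotate_ticket_keys "$KEY_DIR"
  nginx -t && nginx -s reload
fi
```

Without `ssl_session_ticket_key`, nginx generates a fresh random key only on each reload, which is the behaviour the comment above relies on; with explicit files, the keys change only when this script (or something like it) rotates them.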
