Opened 9 years ago
Closed 9 years ago
#806 closed defect (wontfix)
ngx_http_ssl_module: Turn off 'ssl_session_tickets' by default
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.9.x |
| Keywords: | | Cc: | |
| uname -a: | -- | | |
| nginx -V: | -- | | |
Description
As neither nginx nor openssl rotates the session ticket key, having 'ssl_session_tickets' turned on by default is bad, as a lot of users won't use a manual ticket rotation system.
Having 'ssl_session_tickets' on without rotating the key frequently destroys PFS:
http://security.stackexchange.com/questions/102093/tls-session-tickets-what-is-the-risk-of-a-disclosed-server-ticket-key
Session ticket keys are changed on each nginx configuration reload. This is believed to be good/frequent enough in most cases, especially compared to persistent private keys stored on disk. If you think this is not enough in your case, you may switch off `ssl_session_tickets` and/or start coding a builtin ticket key rotation code. There are no plans to change the default.
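
A sketch of the manual ticket key rotation the description refers to, as an added example that is not part of the ticket or of nginx itself. The directory, file names and function names are assumptions; `ssl_session_ticket_key` is nginx's directive for loading ticket keys from files, and the first key listed is the one used to encrypt new tickets.

```shell
#!/bin/sh
# Added example: file-based TLS session ticket key rotation for nginx.
# Assumed layout (hypothetical paths), referenced from nginx.conf as:
#   ssl_session_ticket_key /etc/nginx/tickets/current.key;   # first key: encrypts and decrypts
#   ssl_session_ticket_key /etc/nginx/tickets/previous.key;  # later keys: decrypt only
# Opting out instead is a single line:  ssl_session_tickets off;

KEY_BYTES=48   # 48-byte (AES128) keys; nginx 1.11.8+ also accepts 80-byte (AES256) keys

# new_key FILE: write KEY_BYTES of kernel CSPRNG output, failing on a short read.
new_key() {
    head -c "$KEY_BYTES" /dev/urandom > "$1" || return 1
    [ $(wc -c < "$1") -eq "$KEY_BYTES" ]
}

# rotate_ticket_keys DIR: current.key becomes previous.key, a fresh key becomes current.key.
rotate_ticket_keys() {
    dir=$1
    umask 077                                   # key files readable by owner only
    mkdir -p "$dir" || return 1
    tmp=$(mktemp "$dir/new.XXXXXX") || return 1
    if ! new_key "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$dir/current.key" ]; then
        # Tickets issued under the outgoing key stay resumable for one more period;
        # the key before that is replaced here and no longer decrypts anything.
        mv -f "$dir/current.key" "$dir/previous.key" || return 1
    elif ! new_key "$dir/previous.key"; then    # first run: both files must exist
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dir/current.key"             # rename is atomic within one filesystem
}

# Scheduled use (e.g. from cron), reloading so nginx reads the new files:
#   rotate_ticket_keys /etc/nginx/tickets && nginx -t && nginx -s reload
```

The rotation interval bounds how long a disclosed ticket key can decrypt recorded sessions: with two files, a key is retired after two rotation periods.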