Opened 8 years ago
Closed 8 years ago
#806 closed defect (wontfix)
ngx_http_ssl_module: Turn off 'ssl_session_tickets' by default
As neither nginx nor openssl rotate the session ticket key, having 'ssl_session_tickets' turned on by default is bad, as a lot of users won't use a manual ticket rotation system.
Having 'ssl_session_tickets' on without rotating the key frequently destroys PFS:
Change History (1)
comment:1 by , 8 years ago
Status: new → closed
Session ticket keys are changed on each nginx configuration reload. This is believed to be good/frequent enough in most cases, especially compared to persistent private keys stored on disk. If you think this is not enough in your case, you may switch off ssl_session_tickets and/or start coding a builtin ticket key rotation code. There are no plans to change the default.
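
A manual ticket rotation system of the kind the report mentions can be built on nginx's ssl_session_ticket_key directive; the script below is an added example, not part of the ticket or of nginx. The directory /etc/nginx/tickets, the file names current.key and previous.key, and the helper names new_ticket_key and rotate_ticket_keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: manual rotation of nginx TLS session ticket keys.
# Assumed nginx configuration (paths are placeholders):
#   ssl_session_ticket_key /etc/nginx/tickets/current.key;   # encrypts new tickets
#   ssl_session_ticket_key /etc/nginx/tickets/previous.key;  # only decrypts older tickets
# Run rotate_ticket_keys from a cron job or timer, then reload nginx.

KEY_BYTES=${KEY_BYTES:-80}   # nginx accepts 80-byte (AES256) or 48-byte (AES128) files

# new_ticket_key FILE: write KEY_BYTES random bytes to FILE, readable by owner only.
new_ticket_key() {
    ( umask 077 && head -c "$KEY_BYTES" /dev/urandom > "$1" )
}

# rotate_ticket_keys DIR: current.key becomes previous.key, a fresh current.key
# is installed. The old previous.key is overwritten, so tickets sealed with it
# can no longer be decrypted once nginx has been reloaded.
rotate_ticket_keys() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # Generate the new key under a temporary name and check its size first,
    # so a failed write never replaces a working key.
    new_ticket_key "$dir/next.key.tmp" || return 1
    size=$(wc -c < "$dir/next.key.tmp" | tr -d ' ')
    if [ "$size" -ne "$KEY_BYTES" ]; then
        rm -f "$dir/next.key.tmp"
        echo "short read from /dev/urandom" >&2
        return 1
    fi

    if [ -f "$dir/current.key" ]; then
        mv -f "$dir/current.key" "$dir/previous.key" || return 1
    else
        # First run: both configured files must exist for nginx to start.
        new_ticket_key "$dir/previous.key" || return 1
    fi
    mv -f "$dir/next.key.tmp" "$dir/current.key"
}

# Example invocation (not executed here):
#   rotate_ticket_keys /etc/nginx/tickets && nginx -s reload
```

With two keys configured, the window in which a stolen ticket key can decrypt recorded sessions is bounded by two rotation intervals rather than by the time between configuration reloads.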