[PATCH] Add ssl_session_ticket option to enable / disable session tickets

Maxim Dounin mdounin at mdounin.ru
Thu Jan 9 16:47:57 UTC 2014


On Sat, Jan 04, 2014 at 11:30:53AM +0000, Dirkjan Bussink wrote:

> # HG changeset patch
> # User Dirkjan Bussink <d.bussink at gmail.com>
> # Date 1388832057 0
> # Node ID b236387415f02c6b5874aca5aadd216028edbe00
> # Parent  4aa64f6950313311e0d322a2af1788edeb7f036c
> Add ssl_session_ticket option to enable / disable session tickets

I tend to think "ssl_session_tickets" (note trailing "s") would be 
a better name for the directive (and various names in the code 
should be changed accordingly).

Additionally, something like "SSL: ssl_session_tickets directive." 
should be a better summary line.

> This adds support so it's possible to explicitly disable SSL Session
> Tickets. In order to have good Forward Secrecy support either session
> tickets have to be reloaded by restarting nginx regularly, or by
> disabling session tickets.
> If session tickets are enabled and the process lives for a long time,
> an attacker can grab the session ticket from the process and use that to
> decrypt any traffic that occurred during the entire lifetime of the
> process.

This description probably could be improved a bit, at least from 
a terminology point of view.  Session tickets are not something to 
be reloaded, it's session ticket keys which should be replaced 
regularly for better forward secrecy.  And there are at least two 
ways to do so without restarting nginx - via binary upgrade 
procedure, or by providing a ticket key file and doing a 
configuration reload.

Otherwise looks good.


Maxim Dounin
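
The ticket key file approach mentioned in the reply above, sketched as an added example that is not part of the original message or of the nginx sources. The directory layout, file names and function names are assumptions; `ssl_session_ticket_key` is the nginx directive that loads a key file, and when several are listed only the first encrypts new tickets while the others are kept for decryption.

```shell
#!/bin/sh
# Added example: rotate TLS session ticket keys and pick them up with a
# configuration reload instead of a restart.
# Assumed nginx.conf lines (paths are hypothetical):
#   ssl_session_ticket_key /etc/nginx/tickets/current.key;   # encrypts new tickets
#   ssl_session_ticket_key /etc/nginx/tickets/previous.key;  # decrypts older tickets only

rotate_ticket_keys() (
    # Runs in a subshell so the umask change does not leak to the caller.
    dir=$1
    umask 077
    mkdir -p "$dir" || return 1
    tmp=$(mktemp "$dir/new.XXXXXX") || return 1

    # A ticket key file holds 48 bytes of random data.
    if ! head -c 48 /dev/urandom > "$tmp" || [ $(( $(wc -c < "$tmp") )) -ne 48 ]; then
        rm -f "$tmp"
        return 1
    fi

    if [ -f "$dir/current.key" ]; then
        # Demote the active key: tickets issued under it stay valid for one
        # more rotation interval, after which the key is overwritten.
        mv -f "$dir/current.key" "$dir/previous.key" || { rm -f "$tmp"; return 1; }
    else
        # First run: both configured files must exist before nginx loads them.
        cp "$tmp" "$dir/previous.key" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dir/current.key"
)

rotate_and_reload() {
    # Validate the configuration before signalling the master process.
    rotate_ticket_keys "$1" && nginx -t && nginx -s reload
}
```

A key remains usable for decryption for two rotation intervals (one as `current.key`, one as `previous.key`), so the interval chosen for the scheduled job bounds how long recorded traffic stays exposed to a key compromise.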
