ssl_session_timeout and forward secrecy concerns

Brandon Black bblack at
Thu Jun 9 17:00:43 UTC 2016

On Thu, Jun 9, 2016 at 4:53 PM, Richard Fussenegger
<richard at> wrote:
> Note that a solution for session ticket key rotation is actually trivial:

Definitely agreed that a ticket-based solution is much better.  The
problem is that we still face a significant volume of real-world
browser clients that fail to implement tickets (All MSIE before 11.x
(and even 11.x on Win7), as well as all Apple Safari versions to
date).  We could implement tickets with a healthy rotation scheme like
you've outlined to support the better browsers, but we'd still want a
sessionid cache as well to support the rest, at which point we're back
to the same question again.

-- Brandon

More information about the nginx-devel mailing list