ssl_session_timeout and forward secrecy concerns

Richard Fussenegger richard at fussenegger.info
Thu Jun 9 17:03:26 UTC 2016


On 6/9/2016 7:00 PM, Brandon Black wrote:
> On Thu, Jun 9, 2016 at 4:53 PM, Richard Fussenegger
> <richard at fussenegger.info> wrote:
>> Note that a solution for session ticket key rotation is actually trivial:
> Definitely agreed that a ticket-based solution is much better.  The
> problem is that we still face a significant volume of real-world
> browser clients that fail to implement tickets (All MSIE before 11.x
> (and even 11.x on Win7), as well as all Apple Safari versions to
> date).  We could implement tickets with a healthy rotation scheme like
> you've outlined to support the better browsers, but we'd still want a
> sessionid cache as well to support the rest, at which point we're back
> to the same question again.
>
> -- Brandon
Sorry for sending two mails, the mailing list does not allow attachments. ;)

Your question is perfectly valid and especially for smaller websites
super relevant because a working session ID approach out of the box is
simply perfect for them. I just wanted to mention the ticket thingy
because the topics are tightly bound to each other. It does not answer
your question nor do I want to invalidate it. :)

Richard
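To make the two mechanisms discussed above concrete, here is an added nginx configuration example; it is not from the original thread, from Richard's outlined scheme, or from nginx's own documentation. It serves ticket-capable clients with rotating ticket keys and ticket-less clients with the session ID cache, keeping both lifetimes short so that a later compromise of the server exposes only a small window of recorded traffic. The hostname, certificate paths, key-file paths and timeout values are assumptions.

```nginx
# Added example (not from the original message): one server block that
# supports both session tickets and the session ID cache.
server {
    listen 443 ssl;
    server_name example.invalid;   # placeholder hostname

    ssl_certificate     /etc/nginx/tls/example.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/example.key;   # assumed path

    # Session ID cache for clients that do not implement tickets.
    # The master secrets live in this shared-memory zone until they
    # expire, so the timeout bounds how far back a server compromise
    # can reach; keep it short rather than relying on the default.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # Tickets for clients that support them. When several key files are
    # listed, nginx encrypts new tickets with the first key and can still
    # decrypt tickets issued under the others. Rotation is therefore:
    # generate a fresh key, make it the first entry, drop the oldest,
    # and reload nginx.
    ssl_session_tickets    on;
    ssl_session_ticket_key /etc/nginx/tls/ticket.current.key;   # assumed path
    ssl_session_ticket_key /etc/nginx/tls/ticket.previous.key;  # assumed path
}
```

Each ticket key file holds 48 bytes of random data (for example from `openssl rand 48 > ticket.key`). The forward-secrecy trade-off is the same on both paths: whoever holds a ticket key can decrypt every recorded session that key protected, and whoever reads the session cache can decrypt every session still stored in it, so the rotation interval and `ssl_session_timeout` together define the exposure window.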


