"A" Grade SSL/TLS with Nginx and StartSSL

eiji-gravion nginx-forum at nginx.us
Thu Oct 17 02:22:35 UTC 2013

Piotr Sikora Wrote:
> > ssl_session_timeout 5m;
> Not only doesn't it change anything (5m is the default value), but
> it's way too low value to be used.
> Few examples from the real world:
>     Google    : 28h
>     Facebook  : 24h
>     CloudFlare: 18h
>     Twitter   :  4h
Wouldn't having a timeout that high lower the effectiveness of forward
secrecy? You'd have the potential to be using the same key for up to 28
hours on Google.

I suppose most sites don't even rotate their session tickets that often, so
it probably doesn't matter for a lot of people.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,243653,243779#msg-243779

More information about the nginx mailing list