SSL Session Ticket Expiration

mex nginx-forum at nginx.us
Tue Nov 18 12:25:01 UTC 2014


In a blog post[1], Tim Taubert of the Firefox/Mozilla team states, when wanting to have PFS:

"The best you can do to provide forward secrecy to visitors is thus again switch off session ticket support until a proper solution is available."

when using ssl_session_cache / ssl_session_timeout, because:

"Just as Apache, Nginx should provide a configuration directive to allow cache entries to be purged automatically after a certain time. Any entries not purged properly could simply be read from memory by an attacker with full access to the server.

You guessed right, the ssl_session_timeout directive again only applies when trying to resume a session at the beginning of a connection. Stale entries will not be removed automatically after they time out."

What would be a temporary solution for this? A small ssl_session_cache? An nginx reload every 12 hours to flush the ssl_session_cache?

[1] -
https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/


cheers, 

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254881,254881#msg-254881
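The settings the post is asking about, shown side by side as an added example (this is not configuration from the original post, from the quoted blog, or from the nginx project). The directive names are real nginx directives; the hostname, certificate paths, cache sizes and timeouts are assumptions chosen for illustration.

```nginx
# Added example, not from the original post: a TLS server block that shows
# the session-resumption knobs the post discusses. Hostname, paths and
# sizes are placeholders chosen for illustration.

server {
    listen 443 ssl;
    server_name example.com;                              # placeholder
    ssl_certificate     /etc/nginx/certs/example.crt;     # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.key;     # placeholder path

    # Weaker for forward secrecy: a large, long-lived server-side cache plus
    # session tickets left enabled (tickets are on by default).
    # ssl_session_cache   shared:SSL:50m;
    # ssl_session_timeout 1d;
    # ssl_session_tickets on;

    # Tighter, following the quoted advice: turn session tickets off, keep
    # the cache small so old entries are evicted by new ones sooner, and keep
    # the timeout short so a resumed session cannot be much older than this.
    ssl_session_tickets off;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 10m;

    # Most conservative: no server-side cache at all, so nothing that could
    # decrypt a past session is kept in memory (at the cost of a full
    # handshake for every connection).
    # ssl_session_cache off;
}
```

Two caveats follow directly from the quoted blog text. The timeout is only checked when a client tries to resume, so a short ssl_session_timeout limits how old a resumable session can be but does not by itself purge expired entries from memory; a small shared zone only bounds how many entries can sit there at once, not how long they sit. Per the nginx documentation one megabyte of shared cache holds roughly 4000 sessions, so size the zone for the traffic you actually see rather than generously.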