[PATCH] SSL: ssl_session_tickets directive

Maxim Dounin mdounin at mdounin.ru
Tue Jan 14 11:13:15 UTC 2014


Hello!

On Fri, Jan 10, 2014 at 03:21:33PM +0000, Dirkjan Bussink wrote:

> # HG changeset patch
> # User Dirkjan Bussink <d.bussink at gmail.com>
> # Date 1389366760 -3600
> # Node ID d049b0ea00a388c142627f10a0ee01c5b1bedc43
> # Parent  4aa64f6950313311e0d322a2af1788edeb7f036c
> SSL: ssl_session_tickets directive.
> 
> This adds support so it's possible to explicitly disable SSL Session
> Tickets. In order to have good Forward Secrecy support either the
> session ticket key has to be reloaded by using nginx' binary upgrade
> process or using an external key file and reloading the configuration.
> This directive adds another possibility to have good support by
> disabling session tickets altogether.
> 
> If session tickets are enabled and the process lives for a long a time,
> an attacker can grab the session ticket from the process and use that to
> decrypt any traffic that occured during the entire lifetime of the
> process.

Committed, thanks.

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx-devel mailing list