ssl_session_timeout and forward secrecy concerns

Brandon Black bblack at wikimedia.org
Thu Jun 9 17:00:43 UTC 2016


On Thu, Jun 9, 2016 at 4:53 PM, Richard Fussenegger
<richard at fussenegger.info> wrote:
> Note that a solution for session ticket key rotation is actually trivial:

Definitely agreed that a ticket-based solution is much better.  The
problem is that we still face a significant volume of real-world
browser clients that fail to implement tickets (all MSIE before 11.x
(and even 11.x on Win7), as well as all Apple Safari versions to
date).  We could implement tickets with a healthy rotation scheme like
you've outlined to support the better browsers, but we'd still want a
sessionid cache as well to support the rest, at which point we're back
to the same question again.

-- Brandon



More information about the nginx-devel mailing list