proper setup for forward secrecy

eiji-gravion nginx-forum at nginx.us
Thu Aug 9 18:37:36 UTC 2012


Hello,

I was reading an article written by Adam Langley and he says:

"You also need to be aware of Session Tickets in order to implement
forward secrecy correctly. There are two ways to resume a TLS
connection: either the server chooses a random number and both sides
store the session information, of the server can encrypt the session
information with a secret, local key and send that to the client. The
former is called Session IDs and the latter is called Session Tickets.

But Session Tickets are transmitted over the wire and so the server's
Session Ticket encryption key is capable of decrypting past connections.
Most servers will generate a random Session Ticket key at startup unless
otherwise configured, but you should check."

So my question is, how does nginx handle this?

Thanks

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,229538,229538#msg-229538



More information about the nginx mailing list