In a blog post [1], Tim Taubert of the Firefox/Mozilla team states, when wanting to have PFS:

"The best you can do to provide forward secrecy to visitors is thus again switch off session ticket support until a proper solution is available."

The same goes for ssl_session_cache / ssl_session_timeout, because:

"Just as Apache, Nginx should provide a configuration directive to allow cache entries to be purged automatically after a certain time. Any entries not purged properly could simply be read from memory by an attacker with full access to the server. You guessed right, the ssl_session_timeout directive again only applies when trying to resume a session at the beginning of a connection. Stale entries will not be removed automatically after they time out."

What would be a temporary solution for this? A small ssl_session_cache? An nginx reload every 12 hours to flush the ssl_session_cache?

[1] https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/

cheers,

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254881,254881#msg-254881
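As an added illustration (not part of mex's post or of Tim Taubert's article), here is the interim nginx setting the question points toward: session tickets switched off and a small, short-lived shared cache, shown next to the settings that keep session secrets around longest. Directive names are real nginx directives; the host name, paths and sizes are placeholders.

```nginx
# --- Weak: tickets on, large and long-lived cache ---------------------
# (shown commented out for comparison)
#
# ssl_session_tickets  on;              # default; ticket keys stay in the
#                                       # worker for its lifetime unless rotated
# ssl_session_cache    shared:SSL:50m;  # room for many stale master secrets
# ssl_session_timeout  24h;             # only checked when a client resumes,
#                                       # so expired entries linger in memory

# --- Interim setting until ticket key rotation is handled properly ----
server {
    listen 443 ssl;
    server_name example.com;            # placeholder host

    ssl_certificate     /etc/nginx/tls/example.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/example.key;

    # No session tickets: removes the long-lived ticket key as a single
    # point that would undo forward secrecy for every past session.
    ssl_session_tickets off;

    # Small shared cache: once it is full, nginx evicts the oldest entries to
    # make room for new sessions, so a master secret is not kept for long.
    ssl_session_cache   shared:SSL:1m;

    # Short lifetime; still only enforced at resumption time, which is why
    # the cache size, not the timeout, bounds how long stale entries survive.
    ssl_session_timeout 10m;
}
```

One caveat on the "reload every 12 hours" idea: a shared cache zone is kept across `nginx -s reload` (the zone is reused when its name and size are unchanged), so only a full restart actually discards its contents.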
