Piotr Sikora Wrote:
-------------------------------------------------------
> > ssl_session_timeout 5m;
>
> Not only doesn't it change anything (5m is the default value), but
> it's way too low a value to be used.
>
> A few examples from the real world:
>
> Google : 28h
> Facebook : 24h
> CloudFlare: 18h
> Twitter : 4h
Wouldn't having a timeout that high lower the effectiveness of forward secrecy? You'd have the potential to be using the same key for up to 28 hours on Google.
I suppose most sites don't even rotate their session tickets that often, so it probably doesn't matter for a lot of people.
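To make the trade-off in this exchange concrete, here is an added nginx example (not from either poster) that keeps a long ssl_session_timeout for the server-side cache while bounding the forward-secrecy exposure of session tickets by rotating the ticket key; the server name, file paths and the 1h timeout are assumed placeholder values.

```nginx
# Added example: server-side session cache versus session tickets.
# ssl_session_timeout bounds both how long a cached session may be
# resumed and how long an issued ticket stays valid.
server {
    listen 443 ssl;
    server_name example.com;                               # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem;      # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;        # placeholder path

    # Server-side cache: the session master secret never leaves the
    # server and is discarded when the entry expires or is evicted, so a
    # longer timeout here does not by itself weaken forward secrecy.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1h;   # assumed value, between the 5m default
                              # and the multi-hour values quoted above

    # Session tickets: one ticket key decrypts every ticket it issued, so
    # the key's lifetime, not ssl_session_timeout, is what bounds forward
    # secrecy for resumed sessions. Either disable tickets entirely ...
    # ssl_session_tickets off;
    # ... or rotate the key: the first file encrypts new tickets, the
    # second still decrypts tickets issued before the last rotation.
    # An external job writes a fresh 80-byte random key, shifts the
    # files and reloads nginx on the chosen rotation interval.
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/tls/ticket.current.key;   # placeholder
    ssl_session_ticket_key /etc/nginx/tls/ticket.previous.key;  # placeholder
}
```

With this layout the session-cache timeout can be raised toward the values quoted above while the window in which a leaked ticket key exposes past resumptions stays no longer than the rotation interval.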