SSL Session Ticket Expiration

mex
November 18, 2014 07:25AM
In a blog post[1], Tim Taubert of the Firefox/Mozilla team states, when wanting to have PFS:
"The best you can do to provide forward secrecy to visitors is thus again switch off
session ticket support until a proper solution is available."

when using ssl_session_cache / ssl_session_timeout, because:

"Just as Apache, Nginx should provide a configuration directive to allow cache entries to be
purged automatically after a certain time. Any entries not purged properly could simply be read from
memory by an attacker with full access to the server.

You guessed right, the ssl_session_timeout directive again only applies when trying to resume a
session at the beginning of a connection. Stale entries will not be removed automatically after they time out."

What would be a temporary solution for this? A small ssl_session_cache? An nginx reload every 12 hours
to flush the ssl_session_cache?




[1] - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/


cheers,

mex