Re: [PATCH] Add ssl_session_ticket option to enable / disable session tickets

Maxim Dounin
January 09, 2014 11:48AM
Hello!

On Sat, Jan 04, 2014 at 11:30:53AM +0000, Dirkjan Bussink wrote:

> # HG changeset patch
> # User Dirkjan Bussink <d.bussink@gmail.com>
> # Date 1388832057 0
> # Node ID b236387415f02c6b5874aca5aadd216028edbe00
> # Parent 4aa64f6950313311e0d322a2af1788edeb7f036c
> Add ssl_session_ticket option to enable / disable session tickets

I tend to think "ssl_session_tickets" (note trailing "s") would be
a better name for the directive (and various names in the code
should be changed accordingly).

Additionally, something like "SSL: ssl_session_tickets directive."
should be a better summary line.

> This adds support so it's possible to explicitly disable SSL Session
> Tickets. In order to have good Forward Secrecy support either session
> tickets have to be reloaded by restarting nginx regularly, or by
> disabling session tickets.
>
> If session tickets are enabled and the process lives for a long time,
> an attacker can grab the session ticket from the process and use that to
> decrypt any traffic that occurred during the entire lifetime of the
> process.

This description probably could be improved a bit, at least from
a terminology point of view. Session tickets are not something to
be reloaded, it's session ticket keys which should be replaced
regularly for better forward secrecy. And there are at least two
ways to do so without restarting nginx - via binary upgrade
procedure, or by providing a ticket key file and doing a
configuration reload.

Otherwise looks good.

[...]

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
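
The reply above mentions replacing session ticket keys by providing a ticket key file and doing a configuration reload. The sketch below is an added example of that rotation, not code from the patch, the message or nginx itself. The directory, the file names `current.key` and `previous.key`, and the function name are assumptions; `ssl_session_ticket_key` and `nginx -s reload` are existing nginx features that the thread does not name.

```shell
#!/bin/sh
# Added example: rotate nginx TLS session ticket key files.
# Assumed nginx configuration (paths and file names are hypothetical):
#   ssl_session_ticket_key /etc/nginx/tickets/current.key;   # first key: encrypts new tickets
#   ssl_session_ticket_key /etc/nginx/tickets/previous.key;  # later keys: decrypt only
# Run from cron, then reload so workers pick up the new files:
#   rotate_ticket_keys /etc/nginx/tickets && nginx -s reload

# rotate_ticket_keys DIR
# Demotes current.key to previous.key and writes a fresh 48-byte current.key.
# Tickets issued under the old key stay resumable for one more rotation
# period; after that the old key is overwritten and no longer on disk.
# The body is a subshell so umask and exit do not leak into the caller.
rotate_ticket_keys() (
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; exit 1; }
    umask 077                      # key material must not be group/world readable

    # new_key PATH: write 48 random bytes to a temp file in DIR, then rename
    # it into place so a reload never sees a partially written key.
    new_key() {
        tmp=$(mktemp "$dir/.ticket.XXXXXX") || return 1
        # wc output is left unquoted on purpose: some systems pad it with spaces
        head -c 48 /dev/urandom > "$tmp" && [ $(wc -c < "$tmp") -eq 48 ] \
            || { rm -f "$tmp"; return 1; }
        mv -f "$tmp" "$1"
    }

    if [ -f "$dir/current.key" ]; then
        mv -f "$dir/current.key" "$dir/previous.key" || exit 1
    else
        # First run: both files named in the configuration must exist.
        new_key "$dir/previous.key" || exit 1
    fi
    new_key "$dir/current.key"
)
```

The rotation interval bounds how long a stolen key can decrypt recorded traffic: with two files, a key remains usable for at most two rotation periods.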