
Should we give SSL sessions in Nginx a 1 day timeout? #6903

Closed
bmw opened this issue Apr 2, 2019 · 1 comment

Comments

@bmw
Member

bmw commented Apr 2, 2019

Inspired by https://jhalderm.com/pub/papers/forward-secrecy-imc16.pdf, we might want to look into changing our nginx plugin's behavior around TLS sessions. The Mozilla site where we get our TLS config from sets the TLS session timeout to 1 day, which is much longer than nginx's default of 5 minutes.

This behavior is not necessarily wrong, but it's making a tradeoff for performance over security and more in the favor of performance than is recommended in the paper linked above.

The purpose of this issue is to track looking into this. Why does Mozilla have this recommendation? Do we agree? If so, we can close this issue, but if not, we should update our configuration file at https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf.

@sydneyli
Contributor

It was recommended to improve performance afaict. There still seems to be some disagreement about it as per mozilla/server-side-tls#198.

For this and other reasons outlined in the paper you linked and others I don't feel comfortable following this particular guideline. I'll also comment upstream!
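A small audit script for the setting under discussion, added here as an example (not Certbot's or Mozilla's code): it parses `ssl_session_timeout` values in nginx time syntax, falls back to nginx's 5-minute default when the directive is absent, and flags anything above a caller-chosen bound. The 300-second bound and the two config fragments are constructed for illustration.

```python
import re

# nginx time suffixes, in seconds (nginx also accepts a bare number as seconds)
_UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600,
          "d": 86400, "w": 604800, "M": 2592000, "y": 31536000}
# Matches an active (uncommented) ssl_session_timeout directive and captures its value
_DIRECTIVE = re.compile(r"^\s*ssl_session_timeout\s+([^;#]+);", re.MULTILINE)

NGINX_DEFAULT_TIMEOUT = "5m"   # nginx's built-in default when the directive is absent


def parse_nginx_time(value: str) -> float:
    """Convert an nginx time value ('1d', '5m', '1h 30m', '300') to seconds."""
    compact = value.strip().replace(" ", "")
    parts = re.findall(r"(\d+)(ms|[smhdwMy]?)", compact)
    # Reject input that is not entirely made of number+unit tokens
    if not parts or "".join(n + u for n, u in parts) != compact:
        raise ValueError(f"not an nginx time value: {value!r}")
    return sum(int(n) * _UNITS[u or "s"] for n, u in parts)


def session_timeouts(conf_text: str) -> list[float]:
    """Every ssl_session_timeout in the config, in seconds; the nginx default if unset."""
    found = [parse_nginx_time(v) for v in _DIRECTIVE.findall(conf_text)]
    return found or [parse_nginx_time(NGINX_DEFAULT_TIMEOUT)]


def audit_session_timeout(conf_text: str, max_seconds: float = 300) -> list[str]:
    """Return one finding per ssl_session_timeout longer than max_seconds.

    The bound is the caller's policy; 300 s (nginx's own default) is an assumed value."""
    return [f"ssl_session_timeout is {int(secs)}s, above the {int(max_seconds)}s bound"
            for secs in session_timeouts(conf_text) if secs > max_seconds]


# Constructed fragments (not the real options-ssl-nginx.conf): the 1-day value the
# issue questions, and one that leaves nginx's default in place.
LONG_LIVED_CONF = """
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
"""
SHORT_LIVED_CONF = """
# ssl_session_timeout 1d;   commented out, so the 5m default applies
ssl_session_cache shared:SSL:10m;
"""

if __name__ == "__main__":
    for name, conf in (("long", LONG_LIVED_CONF), ("short", SHORT_LIVED_CONF)):
        print(name, audit_session_timeout(conf) or ["ok"])
```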
