Turn ssl_session_tickets off. #8

Closed

@sander1 (Contributor) commented Feb 22, 2017

Even though session tickets can have performance benefits, they also introduce a security risk: https://wiki.mozilla.org/Security/Server_Side_TLS#TLS_tickets_.28RFC_5077.29

By default it's turned off in the Mozilla SSL Configuration Generator.
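
As an added example, not code from this PR or from the repository it targets: a small Python audit that parses an nginx configuration, resolves the effective `ssl_session_tickets` value for every TLS `server` block (the directive may be set at `http` or `server` level and nginx defaults it to `on`), and reports which blocks still issue tickets. With tickets on and no `ssl_session_ticket_key`, nginx uses a random key generated at startup and does not rotate it on its own, which is the forward-secrecy concern behind the Mozilla guidance. The sample configuration, the host names and the key-file path are constructed for the example.

```python
"""Audit an nginx configuration for TLS session-ticket settings (added example)."""
import re

# Constructed sample config for this example; hosts and paths are hypothetical.
SAMPLE_CONFIG = """
http {
    ssl_protocols TLSv1.2;
    server {
        listen 443 ssl;
        server_name a.example;     # no directive: inherits the nginx default (on)
    }
    server {
        listen 443 ssl;
        server_name b.example;
        ssl_session_tickets off;   # what this PR proposes
    }
    server {
        listen 443 ssl;
        server_name c.example;
        ssl_session_tickets on;
        ssl_session_ticket_key /etc/nginx/ticket.key;  # hypothetical key file
    }
    server {
        listen 80;
        server_name d.example;     # plain HTTP: nothing to audit
    }
}
"""


def tokenize(text):
    """Strip '#' comments and split the config into words, '{', '}' and ';'."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse(tokens):
    """Build a block tree: name, args, directives (name -> list of arg lists), children."""
    root = {"name": "", "args": [], "directives": {}, "children": []}
    stack, buf = [root], []
    for tok in tokens:
        if tok == ";":
            if buf:
                stack[-1]["directives"].setdefault(buf[0], []).append(buf[1:])
            buf = []
        elif tok == "{":
            block = {"name": buf[0], "args": buf[1:], "directives": {}, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            buf = []
        elif tok == "}":
            stack.pop()
        else:
            buf.append(tok)
    return root


def effective(name, default, *scopes):
    """Innermost scope that sets `name` wins (pass server before http), else default."""
    for scope in scopes:
        if name in scope["directives"]:
            args = scope["directives"][name][0]
            return args[0] if args else default
    return default


def is_tls_server(server):
    """A server block terminates TLS if any of its listen directives carries 'ssl'."""
    return any("ssl" in args for args in server["directives"].get("listen", []))


def audit(config_text):
    """Return one finding per TLS server block with its effective ticket settings."""
    findings = []
    tree = parse(tokenize(config_text))
    for http in (b for b in tree["children"] if b["name"] == "http"):
        for server in (b for b in http["children"] if b["name"] == "server"):
            if not is_tls_server(server):
                continue
            tickets = effective("ssl_session_tickets", "on", server, http)
            key_file = effective("ssl_session_ticket_key", None, server, http)
            if tickets == "off":
                verdict = "ok: session tickets disabled"
            elif key_file is None:
                verdict = "weak: tickets on with nginx's startup-generated key, never rotated"
            else:
                verdict = "review: tickets on; rotate %s on a short schedule" % key_file
            findings.append({
                "server": effective("server_name", "(unnamed)", server),
                "tickets": tickets,
                "ticket_key": key_file,
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("%-12s tickets=%-3s key=%-24s %s"
              % (f["server"], f["tickets"], f["ticket_key"], f["verdict"]))
```

Run it against `nginx -T` output to cover included files; the parser is deliberately minimal (no quoted-string handling), so treat it as a triage tool rather than a full nginx grammar.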

@toomuchio (Owner) commented Feb 22, 2017

I was well aware of that when I added it. This configuration isn't aimed to be the most secure or to follow the best practices for security; a ton have been broken already.
If we followed the best practices with a CSP and much stricter rules, we'd break support for half of the players. Most certainly /web would cease to function with a best-practice CSP.

Even now, due to the http>https redirect, PS3/PS4/Xbox 360 support is broken. If I can confirm that's the issue when I get my hands on a PS4, I'll probably have to switch that off by default as well and leave a note about it. I suppose that's not a huge problem, since Strict-Transport-Security should force it back on for any supported browsers, but still. Not best practices, obviously.

I'll add a note about this one since it's one of the more commonly known issues, and perhaps disable it by default.

Here's a better explanation of it; SSL Labs doesn't even complain about it currently: mozilla/server-side-tls#135

@toomuchio toomuchio closed this Feb 22, 2017