Set ssl_session_tickets off

See mozilla/server-side-tls#135 > proper rotation of session ticket encryption key is not > implemented in nignx or Apache. Thus it is easier to recommend against > its use that suggest use of 3rd party software to fix it. > The problem is not that they are insecure, or that they can't be made > secure. The problem is that the way they are commonly implemented means > that you don't provide forward secrecy if you use them - all encryption > keys are ultimately encrypted with just one encryption key - the session > ticket key. > > see here for more in-depth explanation: > https://www.imperialviolet.org/2013/06/27/botchingpfs.ht
whatwg · Sep 5, 2017 · a9cad0a · a9cad0a
1 parent 9b60019
commit a9cad0a
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/debian/marquee/nginx/conf/whatwg.conf b/debian/marquee/nginx/conf/whatwg.conf
@@ -3,6 +3,7 @@ listen [::]:443 ssl http2;
 
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
+ssl_session_tickets off; # https://github.com/mozilla/server-side-tls/issues/135
 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;