fix: disable ssl session tickets
fixes #972695

Based on
mozilla/server-side-tls#135 and
https://www.imperialviolet.org/2013/06/27/botchingpfs.html
session tickets are a complicated mechanism that’s easy to get wrong.
Proper use also requires daily reloading of the server.
They are only relevant for TLS1.2.
If anyone needs the performance boost, they can enable it again.
Hendrik Jäger committed Dec 2, 2022
1 parent ea97197 commit bc599f7
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions debian/config-dir/mods-available/ssl.conf
Expand Up @@ -77,3 +77,7 @@ SSLProtocol all -SSLv3
# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
#SSLStrictSNIVHostCheck On

# Warning: Session Tickets require regular reloading of the server!
# Make sure you do this (e.g. via logrotate) before changing this setting!
SSLSessionTickets off
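Review bot: the two comment lines above `SSLSessionTickets off` neither say what the directive controls nor state its default, unlike the `SSLStrictSNIVHostCheck` entry directly above, which carries a description line and a `# Default: Off` line. Follow that layout here: one line saying the directive toggles TLS session tickets, one line with the default, then the warning. The warning also reads ambiguously next to a value of `off`, since "before changing this setting" does not say which direction is the risky one. Wording such as "If you turn this on, make sure the server is reloaded regularly (e.g. via logrotate)" ties the reload requirement to the enabled state. The reason given in the commit message (easy to get wrong, only relevant for TLS 1.2) would be worth a short mention in the comment too, so an admin reading ssl.conf sees why the packaged value is `off` without having to find this commit.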
