
Update Ngingx 1.23.2 and newer to support ssl_session_tickets #284

Open
gene1wood opened this issue Nov 2, 2022 · 4 comments · Fixed by mozilla/ssl-config-generator#252

Comments

@gene1wood (Collaborator)

Nginx 1.23.2 appears to change how ssl_session_tickets is handled and as a result perhaps we should change to setting them as enabled.

https://nginx.org/en/CHANGES

TLS session tickets encryption keys are now automatically rotated when using shared memory in the "ssl_session_cache" directive.

This was raised in #135

@HLFH

HLFH commented Dec 6, 2022

Thanks! Maybe you can update the title (Ngingx...).
I have switched to nginx-mainline on Arch Linux to get the latest version.
Furthermore, in the http context, I have added:

ssl_session_tickets on;

@khavishbhundoo

khavishbhundoo commented Jan 15, 2023

Hi @gene1wood

When can we expect this config change to be reflected on https://ssl-config.mozilla.org/?

@gene1wood (Collaborator, Author)

@khavishbhundoo We'll need a PR to implement this change, then review and merging.

@janbrasna

@gene1wood I'm happy to propose a PR if there's a consensus on the rules given the baked-in openssl bugfix #134 in mozilla/ssl-config-generator@db419f0 — currently the logic is:

- openssl <1.0.2l: empty (= leave on)
- openssl ≥1.0.2l on nginx ≥1.5.9 (the version that started supporting the directive): ssl_session_tickets off;

We should probably leave the whole range of openssl 0.9.8f–1.0.2l as is, left enabled (= default/empty), to be on the safe side, and only add a new rule for the combination of:

- openssl ≥1.0.2l on nginx ≥1.23.2: either ssl_session_tickets on;

or maybe rather empty again, for a default? (As there are implications of the ssl_session_tickets setting for TLSv1.3 sessions, I'd rather leave that empty than set it to "on"…)

Does it make sense that way?
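The version-gated rule set discussed in this thread, written out as an added JavaScript example. This is not the ssl-config-generator's own code: it models the two existing rules (pre-1.0.2l OpenSSL leaves the directive empty; OpenSSL ≥1.0.2l on nginx ≥1.5.9 emits `ssl_session_tickets off;`) plus the proposed third rule for nginx ≥1.23.2, selectable as either "on" or empty. One caveat taken from the quoted 1.23.2 changelog is added on top: automatic ticket-key rotation only happens when `ssl_session_cache` uses shared memory, so the example keeps tickets off when no shared cache is configured. The `sharedCache`/`newRule` options, the `shared:MozSSL:10m` cache name and the version strings in the usage call are assumptions for illustration.

```javascript
// Added example modelling the ssl_session_tickets rules proposed in this thread.
// Not the ssl-config-generator's code; option names and the cache name are assumptions.

const VERSION_RE = /^(\d+)\.(\d+)\.(\d+)([a-z]*)$/;

// Parse "1.0.2l" or "1.23.2" into [major, minor, patch, letterSuffix].
// OpenSSL 1.x patch releases carry a letter suffix ("" < "a" < "b" < ...), which
// plain numeric comparison would ignore; the suffix is mapped to a base-26 integer.
function parseVersion(v) {
  const m = VERSION_RE.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  let suffix = 0;
  for (const ch of m[4]) suffix = suffix * 26 + (ch.charCodeAt(0) - 96);
  return [Number(m[1]), Number(m[2]), Number(m[3]), suffix];
}

// Compare two version strings: -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const atLeast = (v, min) => cmpVersion(v, min) >= 0;

// Decide what to emit for ssl_session_tickets.
// Returns null when nothing should be emitted (nginx's own default applies).
//   nginx, openssl : version strings
//   sharedCache    : whether ssl_session_cache uses shared memory (assumed option)
//   newRule        : "empty" or "on" for the nginx >= 1.23.2 case (assumed option)
function sessionTicketsDirective({ nginx, openssl, sharedCache = true, newRule = "empty" }) {
  // Directive only exists from nginx 1.5.9 onwards.
  if (!atLeast(nginx, "1.5.9")) return null;
  // Existing rule: OpenSSL < 1.0.2l is left alone (empty = tickets stay on).
  if (!atLeast(openssl, "1.0.2l")) return null;
  // Proposed rule: nginx >= 1.23.2 rotates ticket keys automatically, but per the
  // 1.23.2 changelog only with a shared-memory ssl_session_cache.
  if (atLeast(nginx, "1.23.2") && sharedCache) {
    return newRule === "on" ? "ssl_session_tickets on;" : null;
  }
  // Existing rule: OpenSSL >= 1.0.2l on nginx >= 1.5.9 turns tickets off.
  return "ssl_session_tickets off;";
}

// Render the session-resumption lines of a server {} block.
function renderSessionBlock(opts) {
  const lines = [];
  if (opts.sharedCache !== false) {
    lines.push("ssl_session_cache shared:MozSSL:10m;"); // assumed cache name/size
  }
  const tickets = sessionTicketsDirective(opts);
  if (tickets) lines.push(tickets);
  return lines;
}

// Usage: show the output for a few constructed version combinations.
for (const opts of [
  { nginx: "1.22.1", openssl: "1.1.1t" },
  { nginx: "1.23.2", openssl: "3.0.8" },
  { nginx: "1.23.2", openssl: "3.0.8", newRule: "on" },
  { nginx: "1.23.2", openssl: "3.0.8", sharedCache: false },
  { nginx: "1.18.0", openssl: "1.0.2k" },
]) {
  console.log(JSON.stringify(opts), "=>", renderSessionBlock(opts));
}
```

The `sharedCache` check is the part worth keeping whichever way the consensus goes: leaving the directive empty on nginx ≥1.23.2 is only safe if a shared `ssl_session_cache` is actually present in the same configuration, since that is the condition under which nginx rotates the ticket keys.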

4 participants