BBlack has submitted this change and it was merged.

Change subject: tlsproxy: drop ssl_session_timeout to 4h
......................................................................


tlsproxy: drop ssl_session_timeout to 4h

This acts as a limiting factor on SWEET32 birthday attacks, so
long as we continue to support 3DES.  Our current rather-high 25h
value was based on experiments in higher session resumption, and I
don't think we're going to lose much net resumption dropping it
back down to 4h at this point (which in any case is only a minor
overall performance factor).  Could revisit later when/if we
completely drop 3DES.

Change-Id: I02fe67e47031ea32723817b60f3f444974b62a47
---
M modules/tlsproxy/templates/nginx.conf.erb
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  BBlack: Verified; Looks good to me, approved



diff --git a/modules/tlsproxy/templates/nginx.conf.erb 
b/modules/tlsproxy/templates/nginx.conf.erb
index 7f5fd6d..fa7c0a1 100644
--- a/modules/tlsproxy/templates/nginx.conf.erb
+++ b/modules/tlsproxy/templates/nginx.conf.erb
@@ -77,7 +77,7 @@
 <% else -%>
     ssl_session_cache shared:SSL:1024m;
 <% end -%>
-    ssl_session_timeout 25h;
+    ssl_session_timeout 4h;
 
     # Disable RFC5077 tickets (may revisit later when client support is better)
     ssl_session_tickets off;
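Review bot: The reason for the 4h value (bounding the resumption window as a SWEET32 limiting factor while 3DES remains supported) exists only in the commit message; add a short inline comment above `ssl_session_timeout 4h;` in the same style as the existing `# Disable RFC5077 tickets (may revisit later ...)` line, so that a later tuning pass toward higher resumption does not silently raise it again. Note also that with `ssl_session_tickets off;` in the trailing context, this timeout governs only the server-side `shared:SSL:1024m` cache, which is the intended scope.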

-- 
To view, visit https://gerrit.wikimedia.org/r/306669
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I02fe67e47031ea32723817b60f3f444974b62a47
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
