Piotr Sikora Wrote:
-------------------------------------------------------
> > ssl_session_timeout 5m;
>
> Not only doesn't it change anything (5m is the default value), but
> it's way too low a value to be used.
>
> A few examples from the real world:
>
> Google    : 28h
> Facebook  : 24h
> CloudFlare: 18h
> Twitter   : 4h

Wouldn't having a timeout that high lower the effectiveness of forward secrecy? You'd have the potential to be using the same key for up to 28 hours on Google.
I suppose most sites don't even rotate their session tickets that often, so it probably doesn't matter for a lot of people.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,243653,243779#msg-243779
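
The nginx directives behind the two things this message talks about, the session timeout and session ticket key rotation, shown together as an added example that is not part of the original post. The key file paths and the cache size are placeholder values.

```nginx
# Added example, not from the thread. Paths and the 10m cache size are
# placeholders chosen for illustration.
http {
    # Server-side session cache. ssl_session_timeout is the time during
    # which a client may reuse the cached session parameters.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;    # the value quoted in the thread (nginx default)

    # Session tickets. When several keys are listed, only the first one
    # encrypts new tickets; the others are used only to decrypt tickets
    # issued before the last rotation.
    ssl_session_tickets    on;
    ssl_session_ticket_key /etc/nginx/tickets/current.key;
    ssl_session_ticket_key /etc/nginx/tickets/previous.key;

    # Without any ssl_session_ticket_key directive nginx uses a randomly
    # generated key instead of one read from a file.
}
```

Each key file holds 48 or 80 bytes of random data, for example from `openssl rand 80`. Rotating means moving the current key file to the previous slot, writing a fresh current key, and reloading nginx.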
