RE: opinions about Session tickets

2016-04-12 Thread Arnaud Van der Vorst
Good morning,

@Andreas
Thank you for sharing these documents.
I had already read the one from Tim Taubert and had the same concern about
using TLS/SSL Tickets.
Is it a good thing or not?

-----Original Message-----
From: nginx [mailto:nginx-boun...@nginx.org] On Behalf Of A. Schulze
Sent: Monday, 11 April 2016 17:17
To: nginx@nginx.org
Subject: opinions about Session tickets


Maxim Dounin:

> In nginx 1.5.9 the "ssl_session_tickets" directive was added, which 
> makes it possible to disable session tickets when needed.

I found these two opinions. They suggest disabling session tickets.

  - https://www.farsightsecurity.com/Blog/20151202-thall-hardening-dh-and-ecc/
  - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/

What do others think about that?
Andreas


___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
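
An added example (not part of the thread and not nginx project code): a small Python check that reads nginx configuration text and reports, for each server block, the effective values of the session resumption directives discussed in this thread, including values inherited from the http level. Values for absent directives are nginx's documented defaults; the sample configuration and host names are constructed, and the parser is a simplification that ignores quoted strings and include files.

```python
import re

# nginx's defaults when a directive is absent from the configuration.
DEFAULTS = {"ssl_session_tickets": "on", "ssl_session_cache": "none",
            "ssl_session_timeout": "5m"}
TRACKED = set(DEFAULTS) | {"server_name"}

# Constructed sample configuration (host names are placeholders).
SAMPLE = """
http {
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    server {
        server_name a.example;  # tickets not mentioned: default applies
    }
    server {
        server_name b.example;
        ssl_session_tickets off;
    }
}
"""

def tokenize(conf):
    """Strip comments, then split into words and the tokens { } ;"""
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))

def audit(conf):
    """Return one dict per server block with its effective settings."""
    stack = [("main", dict(DEFAULTS))]  # (block name, settings in scope)
    results, words = [], []
    for tok in tokenize(conf):
        if tok == "{":      # open a block: child inherits parent's settings
            stack.append((words[0] if words else "", dict(stack[-1][1])))
            words = []
        elif tok == "}":    # close a block: record it if it was a server
            name, settings = stack.pop()
            if name == "server":
                results.append(settings)
            words = []
        elif tok == ";":    # end of directive: store it if we track it
            if words and words[0] in TRACKED:
                stack[-1][1][words[0]] = " ".join(words[1:])
            words = []
        else:
            words.append(tok)
    return results

def tickets_enabled(conf):
    """Names of server blocks where session tickets are still enabled."""
    return [s.get("server_name", "?") for s in audit(conf)
            if s["ssl_session_tickets"] != "off"]
```

Running `tickets_enabled` over the output of `nginx -T` lists the server blocks that still issue session tickets.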



RE: TLS/SSL Cache Automatic Purge

2016-04-12 Thread Arnaud Van der Vorst
Hi,

 

@B.R.

Not really…

The only information for ssl_session_timout is “Specifies a time during which a 
client may reuse the session parameters stored in a cache.” It does not say 
anything about purging the TLS/SSL Cache which is my concern here.

I have read that invalidating a TLS/SSL Session and purging the TLS/SSL Cache 
are two separate things.

 

Arnaud

 

From: nginx [mailto:nginx-boun...@nginx.org] On Behalf Of B.R.
Sent: Monday, 11 April 2016 22:15
To: nginx ML 
Subject: Re: TLS/SSL Cache Automatic Purge

 

Hello,

@Maxim

Just to be perfectly clear: does that mean that session tickets are supported 
for any version of nginx (including   
have all your answers.


---
B. R.

 

On Mon, Apr 11, 2016 at 3:31 PM, Maxim Dounin wrote:

Hello!

On Mon, Apr 11, 2016 at 01:23:02PM +0200, B.R. wrote:

[...]

> On a side-note, by default nginx does not store session parameters as it
> prefers tickets, supported since v1.5.9, over sessions ID.

Session tickets are supported as long as the OpenSSL version used supports
them, that is, with OpenSSL 0.9.8f or later.

In nginx 1.5.9 the "ssl_session_tickets" directive was added,
which makes it possible to disable session tickets when needed.

--
Maxim Dounin
http://nginx.org/



TLS/SSL Cache Automatic Purge

2016-04-11 Thread Arnaud Van der Vorst
Hi,

 

My name is Arnaud and I am new to the list.

 

I would like to know if NGINX is using any automatic purge mechanism for its
TLS/SSL Cache configured using the following directives:

ssl_session_timeout 10m;

ssl_session_cache shared:SSL:10m;

 

I understand that a daily purge of TLS/SSL Cache is highly recommended to
avoid breaking Perfect Forward Secrecy of the TLS Protocol.

If it does NOT use automatic purge, how can I purge the Shared cache used by
NGINX then?

Are there any command line tools for that purpose?

 

Thank you very much in advance for your answer and have a nice day!

 

Kind regards,

 

Arnaud
