in a blogpost[1] from tim taubert of firefox/mozilla - team he states,
when
wanting to have PFS:
“The best you can do to provide forward secrecy to visitors is thus
again
switch off
session ticket support until a proper solution is available.”
when using ssl_session_cache / ssl_session_timeout, because:
"Just as Apache, Nginx should provide a configuration directive to allow
cache entries to be
purged automatically after a certain time. Any entries not purged
properly
could simply be read from
memory by an attacker with full access to the server.
You guessed right, the ssl_session_timeout directive again only applies
when
trying to resume a
session at the beginning of a connection. Stale entries will not be
removed
automatically after they time out."
What would be a temporary solution for this? a small ssl_session_cache?
nginx reload every 12 hours
to flush the ssl_session_cache?
[1] -
cheers,
mex
Posted at Nginx Forum: