"A" Grade SSL/TLS with Nginx and StartSSL
eiji-gravion
nginx-forum at nginx.us
Thu Oct 17 02:22:35 UTC 2013
Piotr Sikora Wrote:
-------------------------------------------------------
> > ssl_session_timeout 5m;
>
> Not only doesn't it change anything (5m is the default value), but
> it's way too low a value to be used.
>
> A few examples from the real world:
>
> Google : 28h
> Facebook : 24h
> CloudFlare: 18h
> Twitter : 4h
Wouldn't having a timeout that high lower the effectiveness of forward
secrecy? You'd have the potential to be using the same key for up to 28
hours on Google.
I suppose most sites don't even rotate their session tickets that often, so
it probably doesn't matter for a lot of people.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,243653,243779#msg-243779