Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/11/05 16:43:32 UTC

[GitHub] [apisix] Miss-you opened a new issue #2638: request help: disable ssl_session_tickets by default

Miss-you opened a new issue #2638:
URL: https://github.com/apache/apisix/issues/2638


   ### Issue description
   
   In a word, 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
   
   reference:
   ingress-nginx: https://github.com/kubernetes/ingress-nginx/pull/6196
   mozilla: https://github.com/mozilla/server-side-tls/issues/135
   
   ### Environment
   
   * apisix version (cmd: `apisix version`):
   * OS:
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
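
An added example, not part of the original messages or of the APISIX code base: a small audit that reports, for each TLS `server` block in an nginx-style configuration, whether session tickets are in effect. It relies on nginx treating `ssl_session_tickets` as `on` when the directive is absent; the sample configuration and hostnames are constructed, and the parser does not handle quoted strings or `include`.

```python
import re

# Constructed sample config; hostnames are placeholders.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl;
        server_name a.example.test;   # no directive: nginx default "on" applies
    }
    server { listen 443 ssl; server_name b.example.test; ssl_session_tickets off; }
    server { listen 80; server_name plain.example.test; }
}
"""

def parse(text):
    """Parse nginx-style config into nested blocks (no quoted-string support)."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    root = {"args": [], "directives": {}, "children": []}
    stack, stmt = [root], []
    for tok in tokens:
        if tok == ";":
            if stmt:  # record directive name -> list of argument lists
                stack[-1]["directives"].setdefault(stmt[0], []).append(stmt[1:])
            stmt = []
        elif tok == "{":
            block = {"args": stmt, "directives": {}, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            stmt = []
        elif tok == "}":
            stack.pop()
        else:
            stmt.append(tok)
    return root

def audit(text):
    """Map each TLS server_name to True if session tickets are enabled for it."""
    findings = {}
    def walk(block, inherited):
        d = block["directives"]
        # A block's own setting overrides the one inherited from its parent.
        value = d["ssl_session_tickets"][-1][0] if "ssl_session_tickets" in d else inherited
        if block["args"][:1] == ["server"] and any("ssl" in a for a in d.get("listen", [])):
            findings[d.get("server_name", [["<unnamed>"]])[0][0]] = (value == "on")
        for child in block["children"]:
            walk(child, value)
    walk(parse(text), "on")  # nginx enables session tickets unless told otherwise
    return findings
```

Any server name mapped to `True` still issues session tickets and needs an explicit `ssl_session_tickets off;` at the `http` or `server` level.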



[GitHub] [apisix] membphis commented on issue #2638: request help: disable ssl_session_tickets by default

Posted by GitBox <gi...@apache.org>.
membphis commented on issue #2638:
URL: https://github.com/apache/apisix/issues/2638#issuecomment-723159269


   disable ssl_session_tickets by default
   +1 ^_^





[GitHub] [apisix] Miss-you commented on issue #2638: request help: disable ssl_session_tickets by default

Posted by GitBox <gi...@apache.org>.
Miss-you commented on issue #2638:
URL: https://github.com/apache/apisix/issues/2638#issuecomment-722790160


   > > Because proper rotation of session ticket encryption key is not implemented in nginx or Apache.
   > 
   > [mozilla/server-side-tls#135](https://github.com/mozilla/server-side-tls/issues/135)
   > 
   > Looks like it would be better if we implement session ticket rotation? We need a modified version of [lua-ssl-nginx-module](https://github.com/openresty/lua-ssl-nginx-module) to get new ticket from etcd.
   
   Implementing session ticket rotation is a good idea, but not a high priority. I think we should first disable the 'ssl_session_tickets'.
   
   On the other hand, it might be better to use Redis instead of etcd.





[GitHub] [apisix] membphis closed issue #2638: request help: disable ssl_session_tickets by default

Posted by GitBox <gi...@apache.org>.
membphis closed issue #2638:
URL: https://github.com/apache/apisix/issues/2638


   





[GitHub] [apisix] spacewander commented on issue #2638: request help: disable ssl_session_tickets by default

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2638:
URL: https://github.com/apache/apisix/issues/2638#issuecomment-722741995


   > Because proper rotation of session ticket encryption key is not implemented in nginx or Apache.
   
   https://github.com/mozilla/server-side-tls/issues/135
   
   Looks like it would be better if we implement session ticket rotation? We need a modified version of [lua-ssl-nginx-module](https://github.com/openresty/lua-ssl-nginx-module) to get new ticket from etcd.

