From 68b9313460ce5ec45a36a39e340664964536694c Mon Sep 17 00:00:00 2001
From: Ben Millwood
Date: Sun, 20 Oct 2024 13:20:00 +0100
Subject: [PATCH] nixos/nginx: re-enable ssl_session_tickets

Mozilla's [recommendations][1] no longer include this item. Per [mozilla/server-side-tls#135][2] and [mozilla/ssl-config-generator#252][3], it sounds like versions of nginx prior to 1.23.2 (released 2022-10-19) didn't make it easy to properly rotate the ticket encryption keys, but since that version it's now done automatically. Since nixos-24.05 is already on nginx-1.26.2, it seems safe to remove this option.

[1]: https://ssl-config.mozilla.org/#server=nginx&config=intermediate
[2]: https://github.com/mozilla/server-side-tls/issues/135
[3]: https://github.com/mozilla/ssl-config-generator/pull/252
---
 nixos/modules/services/web-servers/nginx/default.nix | 2 --
 1 file changed, 2 deletions(-)

diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 922df1ea03abf..113630f4941d8 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -188,8 +188,6 @@ let
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:10m;
 
- # Breaks forward secrecy: https://github.com/mozilla/server-side-tls/issues/135
- ssl_session_tickets off;
 # We don't enable insecure ciphers by default, so this allows
 # clients to pick the most performant, per https://github.com/mozilla/server-side-tls/issues/260
 ssl_prefer_server_ciphers off;
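Review bot: Dropping `ssl_session_tickets off;` re-enables tickets with no comment recording what the automatic key rotation the commit relies on actually depends on: nginx's rotation (1.23.2+) is tied to the shared session cache, i.e. the `ssl_session_cache shared:SSL:10m;` line kept just above, and is replaced by a static key if anyone sets `ssl_session_ticket_key`; the rotation period also follows `ssl_session_timeout`, so with the `1d` value here a resumed session's forward secrecy is bounded by roughly that window rather than per-handshake. A short comment in place of the removed one would keep the next editor from breaking this silently, e.g. `# Session tickets are on by default: nginx >= 1.23.2 rotates the ticket keys automatically as long as ssl_session_cache stays a shared zone (above); setting ssl_session_ticket_key would disable that rotation, and the key lifetime follows ssl_session_timeout.` If the module lets users substitute a different nginx package (I cannot see that option from this hunk), a build older than 1.23.2 would get tickets without rotation, which may be worth an assertion or a mention in the option docs. The enclosing `let` binding that holds this config string starts and ends outside the hunk.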