-
-
Notifications
You must be signed in to change notification settings - Fork 14.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/nginx: re-enable ssl_session_tickets #350018
base: master
Are you sure you want to change the base?
Conversation
I’m a little nervous about the compromise to forward secrecy posed by session tickets, but if we’re tracking Mozilla’s recommendations here then it makes sense to match the update. I think we should not enable HSTS out of the box since it is the kind of policy decision that is hard to revert and can cause painful availability issues. An option for it might be nice though. |
Equally happy to update the comment to say that we're not following Mozilla's recommendations, I don't have a horse in that race :)
Cool. I'll probably make a separate PR adding the option. (edit: #350302) |
283ce1d
to
db13dd0
Compare
@emilazy do you want to choose something to happen here? |
Feel free to feed any concerns back to us @mozilla/ssl-config-generator via issues or discussions — chances are if it's not good enough for you, it probably won't be for others, too;)
Their changelog makes it sound it's safe now, but from the mailinglist changeset it looked more like just a better GC at first glance — but I will look more deeply into what's the actual change: it's the OCT '22 commits here: https://github.com/nginx/nginx/commits/release-1.23.2/ if you want to inspect yourselves if that's reasonably safe for PFS.
It's been around for years, but for these exact concerns downstream the HSTS is only behind a preference to help emit the correct headers and time spans, but also make it easy to consume configs without these. |
3ba53d8
to
a2c9554
Compare
Mozilla's [recommendations][1] no longer include this item. Per [mozilla/server-side-tls#135][2] and [mozilla/ssl-config-generator#252][3], it sounds like versions of nginx prior to 1.23.2 (released 2022-10-19) didn't make it easy to properly rotate the ticket encryption keys, but since that version it's now done automatically. Since nixos-24.05 is already on nginx-1.26.2, it seems safe to remove this option. [1]: https://ssl-config.mozilla.org/#server=nginx&config=intermediate [2]: mozilla/server-side-tls#135 [3]: mozilla/ssl-config-generator#252
a2c9554
to
68b9313
Compare
Mozilla's recommendations no longer include this item. Per mozilla/server-side-tls#135 and
mozilla/ssl-config-generator#252, it sounds like versions of nginx prior to 1.23.2 (released 2022-10-19) didn't make it easy to properly rotate the ticket encryption keys, but since that version it's now done automatically. Since nixos-24.05 is already on nginx-1.26.2, it seems safe to remove this option.
I came across this while looking to see what was included in
recommendedTlsSettings
and noticing that it had fallen out of sync with its own source. I don't personally feel strongly thatssl_session_tickets
is important to set one way or the other, this just seems like housekeeping to me. I believe it has performance implications (reducing the amount of memory nginx needs?) but the docs are not very helpful.One other notable difference between the Mozilla settings and ours is Mozilla enables HSTS. I don't know if this is not included because it's new or if it's omitted intentionally, but I decided not to include it here because it seems like it could be a more significant / impactful / client-facing change. Let me know if we want it and I might do a followup PR, perhaps adding it as an option.
Things done
nixos-24.05
and then built that, but I imagine that's sufficient?nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
(because it's the default on Linux and I haven't overridden it)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)Add a 👍 reaction to pull requests you find important.