nixos/nginx: re-enable ssl_session_tickets

Mozilla's [recommendations][1] no longer include this item. Per [mozilla/server-side-tls#135][2] and [mozilla/ssl-config-generator#252][3], it sounds like versions of nginx prior to 1.23.2 (released 2022-10-19) didn't make it easy to properly rotate the ticket encryption keys, but since that version it's now done automatically. Since nixos-24.05 is already on nginx-1.26.2, it seems safe to remove this option. [1]: https://ssl-config.mozilla.org/#server=nginx&config=intermediate [2]: mozilla/server-side-tls#135 [3]: mozilla/ssl-config-generator#252
NixOS · Oct 20, 2024 · 283ce1d · 283ce1d
1 parent d3c260e
commit 283ce1d
Showing 1 changed file with 0 additions and 2 deletions.
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
@@ -186,8 +186,6 @@ let
 
         ssl_session_timeout 1d;
         ssl_session_cache shared:SSL:10m;
-        # Breaks forward secrecy: https://github.com/mozilla/server-side-tls/issues/135
-        ssl_session_tickets off;
         # We don't enable insecure ciphers by default, so this allows
         # clients to pick the most performant, per https://github.com/mozilla/server-side-tls/issues/260
         ssl_prefer_server_ciphers off;