Update Ngingx 1.23.2 and newer to support ssl_session_tickets

[gene1wood]

Nginx 1.23.2 appears to change how ssl_session_tickets is handled and as a result perhaps we should change to setting them as enabled.

https://nginx.org/en/CHANGES

TLS session tickets encryption keys are now automatically rotated when using shared memory in the "ssl_session_cache" directive.

This was raised in #135

[HLFH]

Thanks! Maybe you can update the title (Ngingx...).
I have switched to nginx-mainline on Arch Linux to get the latest version.
Furthermore, in the http context, I have added:

ssl_session_tickets on;

[khavishbhundoo]

Hi @gene1wood

When can we expect this config change reflected on https://ssl-config.mozilla.org/

[gene1wood]

@khavishbhundoo We'll need a PR to implement this change, then review and merging.

[janbrasna]

@gene1wood I'm happy to propose a PR if there's a consensus on the rules given the baked-in openssl bugfix #134 in mozilla/ssl-config-generator@db419f0 — currently the logic is:

openssl <1.0.2l (empty = leave on)
openssl ≥1.0.2l on nginx ≥1.5.9 (that started supporting the directive) ssl_session_tickets off;

We should probably leave the whole range of openssl 0.9.8f–1.0.2l as-is left enabled (=default/empty) to be on the safe side, and only add a new rule for the combination of:

openssl ≥1.0.2l on nginx ≥1.23.2 as either ssl_session_tickets on;

or maybe rather empty again, for a default? (As there are implications of ssl_session_tickets settings to TLSv1.3 sessions, I'd rather leave that empty, than set is to "on"…)

Does it make sense that way?