Nginx ssl_session_tickets with modern on v5

[bungle]

As modern is now only TLSv1.3 perhaps it doesn't make a sense for that to even specify:

ssl_session_tickets off;

As that is not used with TLSv1.3.

Yes, I know it is part of generic section, so please close if not considered with any importance.

[tomato42]

is pure-psk session resumption disabled? I think clients still can use it, it just defaults to dhe_psk resumption, doesn't it?

[april]

If we could get an nginx developer to chime in, that would be great. I'm a little worried about making the change without truly understanding what knobs that turns.

[makhomed]

If we could get an nginx developer to chime in, that would be great. I'm a little worried about making the change without truly understanding what knobs that turns.

@april, you can ask nginx developers about this and any other questions in the [email protected] mail list.

More details about this English mail list: http://nginx.org/en/support.html

nginx developers are Maxim Dounin, and any other people, why wrote from email something(at)nginx.com

[HLFH]

There are some changes with ssl_session_tickets since nginx 1.23.2: https://nginx.org/en/CHANGES

[LeviPesin]

Isn't this a duplicate of mozilla/server-side-tls#282?

[janbrasna]

So this basically resolved itself for nginx ≥1.23.2 via #252 — but truth is, we kinda left out tweaking that beyond that, so if you use older nginx than that and chose modern (or any other config and end up negotiating TLS1.3) you'd still force the stateful resumption. I honestly didn't feel like adding that complexity for unmaintained 2yo+ (and 1yo+ EOL) versions — but if that doesn't sound sufficient, feel free to chime in.