4.1.12 Ensure session resumption is disabled to enable perfect forward security

Information

Session resumption for HTTPS sessions should be disabled so perfect forward secrecy can be achieved.

Rationale:

Perfect forward secrecy is an encryption mechanism that enables past session keys to not be compromised even if the server's private key is compromised. If an attacker recorded all traffic to a server and stored it and then obtained the private key without perfect forward secrecy, all communications would be compromised. With perfect forward secrecy, session keys are generated using Diffie-Hellman for every session a user initiates, which isolates session compromise to only that communication session. Allowing session resumption breaks perfect forward secrecy; this expands the surface area for an attacker to compromise past sessions and communications with a server if they are able to compromise the session.

Solution

Turn off the ssl_session_tickets directive as part of any server block in your nginx configuration:

ssl_session_tickets off;

Default Value:

Perfect forward security is not enabled by default.

See Also

https://workbench.cisecurity.org/files/4212