Session Ticket Lifetime

whoami · February 26, 2025, 11:02am

When testing my endpoint with testssl, I receive an overall grade of A+, which is great. However, I also get the following warning regarding the session ticket lifetime:

Session Ticket RFC 5077 hint 604800 seconds but: FS requires session ticket keys to be rotated < daily !

It seems that my session ticket lifetime is set to 7 days (604800 seconds), while forward secrecy (FS) recommends rotating session ticket keys at least once per day.

Is there a configuration setting where I can adjust the session ticket lifetime to 24 hours instead of the default 7 days?

I appreciate any guidance on this!

bluepuma77 · February 26, 2025, 5:47pm

This may not happen if you set TLS 1.3 (doc).

whoami · February 27, 2025, 3:27pm

TLS 1.3 is already functional in my setup. I also tried to set the minVersion to 1.3 but the ticket lifetime remains the same (7 days).

These are my dynamic tls settings:

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
       # Recommended ciphers for TLSv1.2
       - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
       - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
       - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
       # Recommended ciphers for TLSv1.3
       - TLS_CHACHA20_POLY1305_SHA256
       - TLS_AES_128_GCM_SHA256
       - TLS_AES_256_GCM_SHA384

I've also tested with:
openssl s_client -connect mydomain.com:443 -tls1_3

Topic		Replies	Views
SSL session caching Traefik v2 letsencrypt-acme	4	784	June 11, 2023
Traefik 2.4.7. high TLS/SSL duration vs nginx Traefik v2 docker	2	2003	March 20, 2021
How to Manually Rotate TLS Certificates Traefik v2 kubernetes-crd	1	902	April 11, 2023
Seemingly random timeouts for some clients Traefik v3 (latest) docker , letsencrypt-acme	5	156	January 6, 2025
Forward auth session time question Traefik v2 docker , middleware	5	571	May 26, 2023

Session Ticket Lifetime

Related topics