Peertube: Had to remove ssl_session_tickets off from nginx configuration

Created on 29 Mar 2018  路  3Comments  路  Source: Chocobozzz/PeerTube
  • PeerTube version or URL:
    1.0.0b3
  • Browser name/version:
    Chromium and Firefox 60

  • NodeJS version:
    8.3

  • What is the expected behaviour?
    The page should load

  • What do you see instead?
    ERR_SSL_PROTOCOL_ERROR

Removing ssl_session_tickets off from the nginx config fixed the issue. Perhaps remove it from the template?

picture NoraCodes

Most helpful comment

Mozilla/IETF suggest disabling session-tickets because the key to sign them is only changed when the webserver is restarted. That could lead to no perfect forward secrecy and you do not want that.

ssl_session_tokens off breaks if it鈥檚 not set the same for all ssl-enabled server{} blocks. So if you have 2 server configurations and and you have ssl_server_tokens on in one (which is the default so it counts even if you omit it) and set to off in another, it will break the one where it鈥檚 set to off in certain browsers (namely Chrome, Firefox, curl but not IE). The easiest way to resolve this, unless you have multiple http{} blocks, is to just set it off in the http{} block.

source: https://community.letsencrypt.org/t/errors-from-browsers-with-ssl-session-tickets-off-nginx/18124

I hope it solves your issue :worried:

picture rigelk on 29 Mar 2018
👍4 😄1

All 3 comments

Mozilla/IETF suggest disabling session-tickets because the key to sign them is only changed when the webserver is restarted. That could lead to no perfect forward secrecy and you do not want that.

ssl_session_tokens off breaks if it鈥檚 not set the same for all ssl-enabled server{} blocks. So if you have 2 server configurations and and you have ssl_server_tokens on in one (which is the default so it counts even if you omit it) and set to off in another, it will break the one where it鈥檚 set to off in certain browsers (namely Chrome, Firefox, curl but not IE). The easiest way to resolve this, unless you have multiple http{} blocks, is to just set it off in the http{} block.

source: https://community.letsencrypt.org/t/errors-from-browsers-with-ssl-session-tickets-off-nginx/18124

I hope it solves your issue :worried:

rigelk picture rigelk on 29 Mar 2018
👍4 😄1

It does, thank you! Would you accept a PR adding this to the documentation?

NoraCodes picture NoraCodes on 29 Mar 2018
👍1

@LeoTindall sure! Although I suggest documenting it in the source code, along the line at fault. This avoids bloating our production guide (which is already quite messy tbh).

rigelk picture rigelk on 29 Mar 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

JohnXLivingston picture JohnXLivingston  路  3Comments
tcitworld picture tcitworld  路  3Comments
sschueller picture sschueller  路  3Comments
kabo picture kabo  路  3Comments
zilti picture zilti  路  3Comments