nginx 0.3.8 *) Security: nginx now checks URI got from a backend in "X-Accel-Redirect" header line or in SSI file for the "/../" paths and zeroes. *) Change: nginx now does not treat the empty user name in the "Authorization" header line as valid one. *) Feature: the "ssl_session_timeout" directives of the ngx_http_ssl_module and ngx_imap_ssl_module. *) Feature: the "auth_http_header" directive of the ngx_imap_auth_http_module. *) Feature: the "add_header" directive. *) Feature: the ngx_http_realip_module. *) Feature: the new variables to use in the "log_format" directive: $bytes_sent, $apache_bytes_sent, $status, $time_gmt, $uri, $request_time, $request_length, $upstream_status, $upstream_response_time, $gzip_ratio, $uid_got, $uid_set, $connection, $pipe, and $msec. The parameters in the "%name" form will be canceled soon. *) Change: now the false variable values in the "if" directive are the empty string "" and string starting with "0". *) Bugfix: while using proxied or FastCGI-server nginx may leave connections and temporary files with client requests in open state. *) Bugfix: the worker processes did not flush the buffered logs on graceful exit. *) Bugfix: if the request URI was changes by the "rewrite" directive and the request was proxied in location given by regular expression, then the incorrect request was transferred to backend; bug appeared in 0.2.6. *) Bugfix: the "expires" directive did not remove the previous "Expires" header. *) Bugfix: nginx may stop to accept requests if the "rtsig" method and several worker processes were used. *) Bugfix: the "\"" and "\'" escape symbols were incorrectly handled in SSI commands. *) Bugfix: if the response was ended just after the SSI command and gzipping was used, then the response did not transferred complete or did not transferred at all.

--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -8,6 +8,7 @@
 #include <ngx_core.h>
 #include <ngx_http.h>
 
+
 #define NGX_DEFLAUT_CERTIFICATE      "cert.pem"
 #define NGX_DEFLAUT_CERTIFICATE_KEY  "cert.pem"
 #define NGX_DEFLAUT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
@@ -84,6 +85,13 @@ static ngx_command_t  ngx_http_ssl_comma
       ngx_http_ssl_nosupported, 0, 0, ngx_http_ssl_openssl097 },
 #endif
 
+    { ngx_string("ssl_session_timeout"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_sec_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
+      NULL },
+
       ngx_null_command
 };
 
@@ -146,6 +154,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t 
      */
 
     scf->enable = NGX_CONF_UNSET;
+    scf->session_timeout = NGX_CONF_UNSET;
     scf->prefer_server_ciphers = NGX_CONF_UNSET;
 
     return scf;
@@ -166,6 +175,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
         return NGX_CONF_OK;
     }
 
+    ngx_conf_merge_value(conf->session_timeout,
+                         prev->session_timeout, 300);
+
     ngx_conf_merge_value(conf->prefer_server_ciphers,
                          prev->prefer_server_ciphers, 0);
 
@@ -229,6 +241,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
     SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_http_session_id_ctx,
                                    sizeof(ngx_http_session_id_ctx) - 1);
 
+    SSL_CTX_set_timeout(conf->ssl.ctx, conf->session_timeout);
+
     return NGX_CONF_OK;
 }