SSL doesn't protect against this timing attack. The vulnerability allows an attacker to generate a malicious cookie that the rack server believes is authentic. The attacker sends repeated http/https requests to your server with the malicious cookie and calculated variations in the cookie's authentication code, using slight differences in the server's response time to determine how much of the auth code is correct. It's possible to measure these timing variations, especially if an attacker rents a box in the same data center [1].
The relevant commit [2] and an explanations of equivalent vulnerabilities [3][4]