Session Ticket Rotation
mdounin at mdounin.ru
Thu Oct 9 11:53:58 UTC 2014
On Thu, Oct 09, 2014 at 10:36:10AM +0200, Richard Fussenegger, BSc wrote:
> Hello Maxim!
> On 9/22/2014 2:38 PM, Maxim Dounin wrote:
> >On Mon, Sep 22, 2014 at 01:39:43PM +0200, Richard Fussenegger, BSc wrote:
> >The main problem here is how to share keys between worker
> >processes, to ensure different workers will be able to decrypt
> >tickets. So automatic rotation of ticket keys will likely require
> >shared SSL session cache to be configured as well, and using an SSL
> >session cache to store ticket keys.
> Does this mean that a ticket key isn't shared among workers if one is using
> a single nginx instance with e.g. four workers? Or is the sharing of that
> ticket key handled by a single SSL_CTX in OpenSSL?
As of now, ticket keys are created (or read from files specified) during
configuration parsing, when SSL_CTX is created. All workers
inherit the same configuration from master during fork(), and
hence will have identical ticket keys.
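Since the keys are read when the master parses its configuration and are then inherited by every worker, rotating them today means rotating the key files and reloading nginx. The script below is an added illustration of that, not code from this thread or from the nginx project. It assumes an nginx configuration listing two key files (the paths are hypothetical):

    ssl_session_ticket_key /etc/nginx/tickets/current.key;
    ssl_session_ticket_key /etc/nginx/tickets/previous.key;

nginx encrypts new tickets with the first key listed and accepts tickets encrypted under any listed key, so keeping the previous key in place lets sessions issued before the rotation still resume. A key file holds 48 bytes of random data (80 bytes on builds that use AES-256 tickets); the size below is a variable for that reason.

```shell
#!/bin/sh
# Added example: file-based rotation of nginx session ticket keys.
# The directory layout and paths are assumptions for this illustration.
set -eu

KEY_BYTES=80   # 80 bytes selects AES-256 tickets on recent nginx; older builds expect 48

# gen_ticket_key FILE: write KEY_BYTES of random data to FILE, created
# with mode 0600 and renamed into place so a reload never sees a partial key.
gen_ticket_key() {
    tmp="$1.tmp.$$"
    ( umask 077; head -c "$KEY_BYTES" /dev/urandom > "$tmp" )
    mv "$tmp" "$1"
}

# rotate_ticket_keys DIR: current.key becomes previous.key, a fresh key
# becomes current.key. Only the file system is touched here; the master
# re-reads the files when its configuration is parsed, so the workers
# pick the new keys up only after a reload (they inherit them on fork()).
rotate_ticket_keys() {
    dir="$1"
    mkdir -p "$dir"
    gen_ticket_key "$dir/new.key"
    if [ -f "$dir/current.key" ]; then
        mv "$dir/current.key" "$dir/previous.key"
    fi
    mv "$dir/new.key" "$dir/current.key"
}

# key_ok FILE: FILE exists and is exactly KEY_BYTES long.
key_ok() {
    [ -f "$1" ] && [ "$(wc -c < "$1" | tr -d ' ')" -eq "$KEY_BYTES" ]
}

# ticket_key_directives DIR: the two directives that match this layout;
# the first listed key encrypts, every listed key decrypts.
ticket_key_directives() {
    printf 'ssl_session_ticket_key %s/current.key;\n' "$1"
    printf 'ssl_session_ticket_key %s/previous.key;\n' "$1"
}

# Usage: rotate_keys.sh /etc/nginx/tickets && nginx -t && nginx -s reload
if [ -n "${1:-}" ]; then
    rotate_ticket_keys "$1"
    key_ok "$1/current.key"
    ticket_key_directives "$1"
fi
```

Run the rotation on every server that shares the same certificate before reloading them, otherwise a ticket issued by one machine cannot be decrypted by another. The reload is deliberately left out of the function so the file step can be tested and reviewed on its own.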