Session Ticket Rotation

Maxim Dounin mdounin at
Thu Oct 9 11:53:58 UTC 2014


On Thu, Oct 09, 2014 at 10:36:10AM +0200, Richard Fussenegger, BSc wrote:

> Hello Maxim!
> On 9/22/2014 2:38 PM, Maxim Dounin wrote:
> >Hello!
> >
> >On Mon, Sep 22, 2014 at 01:39:43PM +0200, Richard Fussenegger, BSc wrote:
> >
> >The main problem here is how to share keys between worker
> >processes, to ensure different workers will be able to decrypt
> >tickets.  So automatic rotation of ticket keys will likely require
> >shared SSL session cache to be configured as well, and using a SSL
> >session cache to store ticket keys.
> Does this mean that a ticket key isn't shared among workers if one is using
> a single nginx instance with e.g. four workers? Or is the sharing of that
> ticket key handled by a single SSL_CTX in OpenSSL?

As of now, ticket keys are created (or read from files specified) during 
configuration parsing, when SSL_CTX is created.  All workers 
inherit the same configuration from master during fork(), and 
hence will have identical ticket keys.

Maxim Dounin
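
Added example, not part of the original message and not nginx code: a small C program showing the behaviour described in the reply above. A key created before fork() is identical in every worker, while a key created in each worker after fork() differs. The names `make_key` and `workers_share_key`, the 48-byte key size and the worker count are assumptions made for the demo.

```c
/* Added illustration, not nginx source; all names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define KEY_LEN 48  /* demo key size (assumption) */
#define WORKERS 4
static unsigned char ticket_key[KEY_LEN];

/* Fill ticket_key from the OS random source; 0 on success. */
static int make_key(void) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(ticket_key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

/* Fork WORKERS children; each sends the key it holds back over a pipe.
 * key_before_fork=1: key made once in the master, inherited via fork().
 * key_before_fork=0: each worker makes its own key after fork().
 * Returns 1 if every worker holds the same key, 0 if not, -1 on error. */
int workers_share_key(int key_before_fork) {
    unsigned char seen[WORKERS][KEY_LEN];
    int fds[WORKERS][2], same = 1;
    if (key_before_fork && make_key() != 0) return -1;
    for (int i = 0; i < WORKERS; i++) {
        if (pipe(fds[i]) != 0) return -1;
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {  /* worker process */
            if (!key_before_fork && make_key() != 0) _exit(1);
            _exit(write(fds[i][1], ticket_key, KEY_LEN) == KEY_LEN ? 0 : 1);
        }
        close(fds[i][1]);
    }
    for (int i = 0; i < WORKERS; i++) {
        if (read(fds[i][0], seen[i], KEY_LEN) != KEY_LEN) same = -1;
        close(fds[i][0]);
        wait(NULL);
        if (same == 1 && memcmp(seen[0], seen[i], KEY_LEN) != 0) same = 0;
    }
    return same;
}

int main(void) {
    printf("key made before fork(): shared=%d\n", workers_share_key(1));
    printf("key made after fork():  shared=%d\n", workers_share_key(0));
    return 0;
}
```

The second case is why rotating keys at runtime, after the workers already exist, needs some shared storage: a key generated inside one worker is not visible to the others.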

More information about the nginx-devel mailing list