proper setup for forward secrecy

eiji-gravion nginx-forum at
Fri Sep 21 21:22:14 UTC 2012

Maxim Dounin Wrote:
> Hello!
> On Tue, Sep 18, 2012 at 04:34:30AM -0400, eiji-gravion wrote:
> > Still curious about this, it would be nice to have a way to rotate
> these
> > keys without having to restart the server.
> Looking though OpenSSL code suggests keys are generated on SSL_CTX 
> creation (at least as of OpenSSL 1.0.1c, see SSL_CTX_new() in 
> ssl/ssl_lib.c), that is, they are rotated by nginx configuration 
> reload.
> Maxim Dounin
> _______________________________________________
> nginx mailing list
> nginx at
Is this all that can be done?

It just seems kind of hackish to need a cronjob set to do a configuration
reload to rotate these keys.

Would it be possible to have some type of configuration option that does
this without a total config reload? Perhaps even a user-defined rotation
time in minutes?

This seems like a pretty important thing to have, most people who are
running DH/ECDHE ciphersuites probably don't even realize that they aren't
really getting forward secrecy...


Posted at Nginx Forum:,229538,230927#msg-230927

More information about the nginx mailing list