Distributed SSL session cache

kyprizel kyprizel at gmail.com
Tue Oct 1 13:37:34 UTC 2013


Ok, I don't insist - I just need the functionality. What should I do to get
my patch accepted? :)

1. Store key as bin
2. Separate files

On Mon, Sep 30, 2013 at 10:00 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Mon, Sep 30, 2013 at 08:15:34PM +0400, kyprizel wrote:
>
> > $ openssl rand -base64 48 | awk '{print "-----BEGIN SESSION TICKET KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' >> ticket.key.new && cat ticket.key | awk 'sa==1{n++;sa=1}/-----BEGIN SESSION TICKET KEY-----/{sa=1;X=2}{if(n<3*X){print;}}' >> ticket.key.new && mv ticket.key.new ticket.key
> >
> > store not more than X=2 old keys + new one, you can add it to cron file.
> >
> > I know it's weird to use awk, but I only try to illustrate that it's not a
> > big problem to rotate keys with my schema ;)
>
> While it's not a big problem, it's certainly not something
> trivial.
>
> > But you can't rotate keys with
> > oneliner if you use "one key per file schema" - there'll be too big
> > probability of mistake during nginx config parsing.
>
> Huh?  Even trivial
>
> $ mv key.new key.old && openssl rand 48 > key.new
>
> would be fine as in a worst case a new configuration will just
> fail to load.  And
>
> $ cp key.new key.old.tmp && mv key.old.tmp key.old \
>     && openssl rand 48 > key.new.tmp && mv key.new.tmp key.new
>
> is atomic.
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
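As an added example that is not part of this thread (it is neither kyprizel's patch nor Maxim Dounin's one-liners), the script below implements the "one key per file" rotation using the rename-based approach from the quoted message, extended to keep N previous keys. The file names key.new and key.old.N, the KEEP count and the helper names gen_key, rotate_keys and key_size are assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical rotation script for a one-key-per-file ticket key schema.
# Layout (assumed): DIR/key.new is the current key, DIR/key.old.1 .. DIR/key.old.KEEP
# are previous keys, newest first. Every write goes to a temporary file that is then
# renamed into place, so a reader never sees a half-written or missing key file.

KEYLEN=48  # an nginx ticket key file is exactly 48 bytes (16 name + 16 AES + 16 HMAC)

# key_size FILE: print the size of FILE in bytes (used to validate a key file).
key_size() {
  wc -c < "$1" | tr -d ' '
}

# gen_key FILE: write KEYLEN random bytes to FILE via temp file + rename.
# Uses "openssl rand" as in the thread, falling back to /dev/urandom.
gen_key() {
  tmp="$1.tmp"
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -out "$tmp" "$KEYLEN"
  else
    head -c "$KEYLEN" /dev/urandom > "$tmp"
  fi
  chmod 600 "$tmp"
  mv "$tmp" "$1"
}

# rotate_keys DIR KEEP: shift key.old.1..KEEP one slot down (the oldest is
# overwritten and thus dropped), copy key.new into key.old.1, then generate a
# fresh key.new. Mirrors the "cp ... && mv ... && openssl rand ... && mv" form
# so that key.new and every key.old.N exist and are complete at all times.
rotate_keys() {
  dir="$1"
  keep="$2"
  i="$keep"
  while [ "$i" -gt 1 ]; do
    prev=$((i - 1))
    if [ -f "$dir/key.old.$prev" ]; then
      mv "$dir/key.old.$prev" "$dir/key.old.$i"
    fi
    i="$prev"
  done
  if [ -f "$dir/key.new" ]; then
    cp "$dir/key.new" "$dir/key.old.1.tmp"
    mv "$dir/key.old.1.tmp" "$dir/key.old.1"
  fi
  gen_key "$dir/key.new"
  # sanity check: refuse to leave a malformed current key behind
  if [ "$(key_size "$dir/key.new")" -ne "$KEYLEN" ]; then
    echo "rotate_keys: generated key has wrong size" >&2
    return 1
  fi
}

# Usage (e.g. from cron):  rotate_keys /etc/nginx/tickets 2
```

Run it as `rotate_keys /path/to/keys 2` from cron and reload nginx afterwards; with nginx's ssl_session_ticket_key directive listing key.new first and the key.old.N files after it, the first file encrypts new tickets and the others only decrypt tickets issued before the rotation.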