[PATCH] SSL: added support for TLS Session Tickets (RFC5077).

Piotr Sikora piotr at cloudflare.com
Wed Oct 2 08:47:10 UTC 2013


Hello Maxim,

> As previously noted, the patch description is wrong.  It also
> make sense to add some description of the directive added.

Yeah, will do.

> This makes the directive unavailable without any meaningfull
> diagnostics if nginx was build with old OpenSSL, which isn't very
> user-friendly.

I'll fix that, it makes sense to be a bit more user-friendly :)

> But actually I doubt we at all need an explicit mark for default
> key.  Just using first one for encryption would probably be good
> enough.

I tend to think that being overly explicit isn't always a bad thing.
In this particular case, users would need to know that the first key
on the list is "active/default" while the rest of them is just old
keys, which is an implementation detail and might not be obvious to
everybody.

> I also think it would be better to don't rely on an explicitly
> written name, which will make automatic key rotation a pain - as
> one will have to update both name in a configuration file and a
> file with keys.   E.g. Apache uses a binary file with 48 bytes of
> random data, which is much easier to generate and rotate if
> needed.

The reason why I went with the key name in nginx.conf is because it
allows users to use a naming scheme for the keys (ex. YYYYMMDDHH, if
you rotate keys hourly, etc.) instead of random and meaningless names.

Having said that, I don't mind pushing key name back to the file.

> Not sure if this code should be here.  Other file operations are
> handled in the ngx_event_openssl.c, and doing the same for session
> tickets might be a good idea as well.  Especially if you'll
> consider adding relevant directives to the mail module.

Sure, sounds reasonable.

I'll send updated patch in a few days.

Best regards,
Piotr Sikora



More information about the nginx-devel mailing list