[PATCH] SSL: added support for TLS Session Tickets (RFC5077).

kyprizel kyprizel at gmail.com
Wed Oct 2 15:19:21 UTC 2013


If we have multiple keyfiles - I like the idea of marking some key as
default.


On Wed, Oct 2, 2013 at 12:47 PM, Piotr Sikora <piotr at cloudflare.com> wrote:

> Hello Maxim,
>
> > As previously noted, the patch description is wrong.  It also
> > make sense to add some description of the directive added.
>
> Yeah, will do.
>
> > This makes the directive unavailable without any meaningfull
> > diagnostics if nginx was build with old OpenSSL, which isn't very
> > user-friendly.
>
> I'll fix that, it makes sense to be a bit more user-friendly :)
>
> > But actually I doubt we at all need an explicit mark for default
> > key.  Just using first one for encryption would probably be good
> > enough.
>
> I tend to think that being overly explicit isn't always a bad thing.
> In this particular case, users would need to know that the first key
> on the list is "active/default" while the rest of them is just old
> keys, which is an implementation detail and might not be obvious to
> everybody.
>
> > I also think it would be better to don't rely on an explicitly
> > written name, which will make automatic key rotation a pain - as
> > one will have to update both name in a configuration file and a
> > file with keys.   E.g. Apache uses a binary file with 48 bytes of
> > random data, which is much easier to generate and rotate if
> > needed.
>
> The reason why I went with the key name in nginx.conf is because it
> allows users to use a naming scheme for the keys (ex. YYYYMMDDHH, if
> you rotate keys hourly, etc.) instead of random and meaningless names.
>
> Having said that, I don't mind pushing key name back to the file.
>
> > Not sure if this code should be here.  Other file operations are
> > handled in the ngx_event_openssl.c, and doing the same for session
> > tickets might be a good idea as well.  Especially if you'll
> > consider adding relevant directives to the mail module.
>
> Sure, sounds reasonable.
>
> I'll send updated patch in a few days.
>
> Best regards,
> Piotr Sikora
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20131002/532c7395/attachment.html>


More information about the nginx-devel mailing list