Distributed SSL session cache

kyprizel kyprizel at gmail.com
Sat Sep 28 18:37:39 UTC 2013


On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora <piotr at cloudflare.com> wrote:

> Hi,
>
> > My patch was designed not to use multiple keyfiles and keynames in the nginx
> > config, so it's able to rotate keys with simple logic, only updating the
> > keyfile.
>
> IMHO, that makes the key rollover much harder than it should be, that
> is: you need to regenerate the keyfile with a number of older keys + the new one
> vs. just adding a new key (and optionally removing some of the old ones).
>
>
That depends on the key distribution scheme: you can distribute only new keys
and store old keys on the nginx server only.
But with your patch you should also rotate the "default" key in the nginx config,
and it complicates the logic (in my schema) a bit.
Anyway, I'm not sure if keyname is a meaningful parameter in a periodic key
rotation scheme. For me, it is not.



> Best regards,
> Piotr Sikora
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
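The thread argues about two ways of rolling session ticket keys: one keyfile that is regenerated to hold the newest key plus a few older ones, versus adding keys (each with its own name) to the nginx config. The mechanism both schemes rely on is the same: a ticket carries the name of the key that protected it, the server keeps a short ring of recent keys, encrypts new tickets with the newest, still decrypts tickets issued under older keys, and rejects tickets whose key has been rotated out (forcing a full handshake). The Python below is an added example written for this page, not code from the thread or from nginx; the 80-byte keyfile record layout (name | enc_key | mac_key, oldest first) is an assumption, and the HMAC-SHA256 counter keystream is a toy stand-in for the block cipher an RFC 5077 ticket would use, kept only so the rotation logic runs with the standard library.

```python
import hashlib
import hmac
import os
import secrets
from collections import OrderedDict

# Assumed keyfile layout (constructed for this example, not nginx's format):
# consecutive 80-byte records name(16) | enc_key(32) | mac_key(32), oldest
# first, newest last.  The newest key issues tickets; every key in the file
# can still decrypt tickets issued under it.
NAME_LEN, ENC_LEN, MAC_LEN = 16, 32, 32
RECORD_LEN = NAME_LEN + ENC_LEN + MAC_LEN
IV_LEN, TAG_LEN = 16, 32


def generate_key():
    """Return a fresh (name, enc_key, mac_key) triple for the ring."""
    return (secrets.token_bytes(NAME_LEN),
            secrets.token_bytes(ENC_LEN),
            secrets.token_bytes(MAC_LEN))


def _keystream_xor(enc_key, iv, data):
    """Toy stand-in for the ticket block cipher: XOR with an HMAC-SHA256
    counter-mode keystream.  Self-inverse, so it serves both directions."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(enc_key, iv + (off // 32).to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class TicketKeyRing:
    """Keeps the last `max_keys` ticket keys, newest last."""

    def __init__(self, max_keys=3):
        self.max_keys = max_keys
        self._keys = OrderedDict()  # name -> (enc_key, mac_key)

    def add_key(self, name, enc_key, mac_key):
        self._keys.pop(name, None)           # re-adding makes a key the newest
        self._keys[name] = (enc_key, mac_key)
        while len(self._keys) > self.max_keys:
            self._keys.popitem(last=False)   # evict the oldest key

    @classmethod
    def from_keyfile(cls, data, max_keys=3):
        """Rebuild the ring from the assumed keyfile layout (old keys + new one)."""
        if not data or len(data) % RECORD_LEN:
            raise ValueError("keyfile is empty or not a multiple of the record size")
        ring = cls(max_keys)
        for off in range(0, len(data), RECORD_LEN):
            rec = data[off:off + RECORD_LEN]
            ring.add_key(rec[:NAME_LEN],
                         rec[NAME_LEN:NAME_LEN + ENC_LEN],
                         rec[NAME_LEN + ENC_LEN:])
        return ring

    def to_keyfile(self):
        return b"".join(n + e + m for n, (e, m) in self._keys.items())

    @property
    def current_name(self):
        if not self._keys:
            raise ValueError("ring holds no keys")
        return next(reversed(self._keys))

    def encrypt(self, state):
        """Issue a ticket under the newest key: name | iv | ciphertext | tag."""
        name = self.current_name
        enc_key, mac_key = self._keys[name]
        iv = os.urandom(IV_LEN)
        ct = _keystream_xor(enc_key, iv, state)
        tag = hmac.new(mac_key, name + iv + ct, hashlib.sha256).digest()
        return name + iv + ct + tag

    def decrypt(self, ticket):
        """Return (state, needs_renewal), or None when the ticket is rejected.
        needs_renewal is True when an older (still accepted) key issued it,
        so the server should hand out a fresh ticket under the newest key."""
        if len(ticket) < NAME_LEN + IV_LEN + TAG_LEN:
            return None
        name = ticket[:NAME_LEN]
        keys = self._keys.get(name)
        if keys is None:
            return None  # key rotated out or unknown: fall back to a full handshake
        enc_key, mac_key = keys
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        expected = hmac.new(mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # corrupted or forged ticket
        iv, ct = body[NAME_LEN:NAME_LEN + IV_LEN], body[NAME_LEN + IV_LEN:]
        return _keystream_xor(enc_key, iv, ct), name != self.current_name
```

With `max_keys=2`, a ticket survives exactly one rotation (decrypts with `needs_renewal=True`) and is rejected after the second, which is the behaviour a distribution scheme that ships only the new key relies on: the server's own ring, rebuilt from the keyfile, is what keeps the older keys alive.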

