Distributed SSL session cache
Maxim Dounin
mdounin at mdounin.ru
Mon Sep 30 14:50:41 UTC 2013
Hello!
On Sat, Sep 28, 2013 at 10:37:39PM +0400, kyprizel wrote:
> On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora <piotr at cloudflare.com> wrote:
>
> > Hi,
> >
> > > My patch was designed not to use multiple keyfiles and keynames in nginx
> > > config so it's able to rotate keys with simple logic, only updating
> > keyfile.
> >
> > IMHO, that makes the key rollover much harder than it should be, that
> > is: you need to regenerate keyfile with number of older keys + new one
> > vs just add new key (and optionally remove some of the old ones).
> >
> >
> That depends on key distribution scheme - you can distribute only new keys
> and store old keys on nginx server only.
> But with your patch you should also rotate "default" key in nginx config
> and it complicates the logic (in my schema) a bit.
> Anyway - I'm not sure if keyname is meaningful parameter in periodic key
> rotation scheme. For me - it is not.
I agree that logic suggested by Piotr looks a bit too complicated.
On the other hand, the one in your patch doesn't looks easy for
automation as well. I don't think it would be trivial to generate
keys in PEM format (feel free to prove I'm wrong), and rotate them
once they are in a single file.
BTW, just in case somebody haven't seen this before, here is a
link for relevant Apache directive which uses 48-byte binary file:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessionticketkeyfile
--
Maxim Dounin
http://nginx.org/en/donation.html
More information about the nginx-devel
mailing list