Distributed SSL session cache

Maxim Dounin mdounin at mdounin.ru
Mon Sep 30 14:50:41 UTC 2013


Hello!

On Sat, Sep 28, 2013 at 10:37:39PM +0400, kyprizel wrote:

> On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora <piotr at cloudflare.com> wrote:
> 
> > Hi,
> >
> > > My patch was designed not to use multiple keyfiles and keynames in nginx
> > > config so it's able to rotate keys with simple logic, only updating
> > keyfile.
> >
> > IMHO, that makes the key rollover much harder than it should be, that
> > is: you need to regenerate keyfile with number of older keys + new one
> > vs just add new key (and optionally remove some of the old ones).
> >
> >
> That depends on key distribution scheme - you can distribute only new keys
> and store old keys on nginx server only.
> But with your patch you should also rotate "default" key in nginx config
> and it complicates the logic (in my schema) a bit.
> Anyway - I'm not sure if keyname is meaningful parameter in periodic key
> rotation scheme. For me - it is not.

I agree that logic suggested by Piotr looks a bit too complicated.  
On the other hand, the one in your patch doesn't looks easy for 
automation as well.  I don't think it would be trivial to generate 
keys in PEM format (feel free to prove I'm wrong), and rotate them 
once they are in a single file.

BTW, just in case somebody haven't seen this before, here is a 
link for relevant Apache directive which uses 48-byte binary file:

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessionticketkeyfile

-- 
Maxim Dounin
http://nginx.org/en/donation.html



More information about the nginx-devel mailing list