Distributed SSL session cache

kyprizel kyprizel at gmail.com
Mon Sep 30 15:14:59 UTC 2013


$ openssl rand -base64 48 \
    | awk '{print "-----BEGIN SESSION TICKET KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' \
    >> ticket.key.new && cat ticket.key >> ticket.key.new && mv ticket.key.new ticket.key

There is no difference between binary and PEM form here, but I prefer to see
config files in printable characters.


On Mon, Sep 30, 2013 at 6:50 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Sat, Sep 28, 2013 at 10:37:39PM +0400, kyprizel wrote:
>
> > On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora <piotr at cloudflare.com>
> wrote:
> >
> > > Hi,
> > >
> > > > My patch was designed not to use multiple keyfiles and keynames in
> > > > the nginx config so it's able to rotate keys with simple logic, only
> > > > updating the keyfile.
> > >
> > > IMHO, that makes the key rollover much harder than it should be, that
> > > is: you need to regenerate the keyfile with a number of older keys + the
> > > new one vs. just adding a new key (and optionally removing some of the
> > > old ones).
> > >
> > >
> > That depends on the key distribution scheme - you can distribute only new
> > keys and store old keys on the nginx server only.
> > But with your patch you should also rotate the "default" key in the nginx
> > config and it complicates the logic (in my schema) a bit.
> > Anyway - I'm not sure if keyname is a meaningful parameter in a periodic
> > key rotation scheme. For me - it is not.
>
> I agree that the logic suggested by Piotr looks a bit too complicated.
> On the other hand, the one in your patch doesn't look easy for
> automation either.  I don't think it would be trivial to generate
> keys in PEM format (feel free to prove I'm wrong), and rotate them
> once they are in a single file.
>
> BTW, just in case somebody hasn't seen this before, here is a
> link for the relevant Apache directive which uses a 48-byte binary file:
>
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessionticketkeyfile
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html
>
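As an added example, not code from the thread or from either patch, here is a small POSIX sh rotation script for a keyfile in the PEM-wrapped format used in the command above: a stack of three-line "SESSION TICKET KEY" blocks, newest first (the command above prepends the new key the same way), with the oldest key aged out once a configurable number of keys is reached. The write goes through a temporary file and a rename so a server re-reading the file never sees a half-written keyfile, and a check function verifies that every block decodes to exactly 48 bytes (the key-name plus AES and HMAC material Apache's mod_ssl documents for its binary file). Function names, the 48-byte check and the default of three retained keys are this example's own assumptions.

```shell
#!/bin/sh
# Added example: rotate a PEM-wrapped TLS session ticket keyfile.
# Assumed layout: 3-line blocks, newest key first; the server encrypts new
# tickets with the first key and still accepts tickets made with older ones.

# One fresh 48-byte key, base64-encoded as a single 64-character line
# (48 bytes assumed here: 16-byte key name + 32 bytes of AES/HMAC material).
new_ticket_key() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Wrap a base64 key line in the PEM-style markers used by the keyfile.
pem_wrap() {
    printf '%s\n%s\n%s\n' \
        "-----BEGIN SESSION TICKET KEY-----" "$1" "-----END SESSION TICKET KEY-----"
}

# Number of key blocks in a keyfile (0 if the file does not exist yet).
count_ticket_keys() {
    if [ -f "$1" ]; then
        grep -c '^-----BEGIN SESSION TICKET KEY-----$' "$1" || true
    else
        echo 0
    fi
}

# Prepend a freshly generated key and keep at most MAX_KEYS blocks (default 3),
# so the oldest key ages out. Written to a temp file and renamed into place so
# a reader never observes a partially written keyfile.
rotate_ticket_key() {
    keyfile=$1
    max_keys=${2:-3}
    tmp="$keyfile.new.$$"
    pem_wrap "$(new_ticket_key)" > "$tmp"
    if [ -f "$keyfile" ]; then
        # keep the newest (max_keys - 1) old blocks, 3 lines each
        head -n $(( (max_keys - 1) * 3 )) "$keyfile" >> "$tmp"
    fi
    chmod 600 "$tmp"
    mv "$tmp" "$keyfile"
}

# Sanity check a keyfile: the file is a whole number of 3-line blocks, every
# block has BEGIN and END markers in the right place, and each key line
# decodes to exactly 48 bytes. Returns non-zero on the first malformed block.
check_ticket_keyfile() {
    keyfile=$1
    nkeys=$(count_ticket_keys "$keyfile")
    [ "$nkeys" -gt 0 ] || return 1
    awk 'NR%3==1 && $0!="-----BEGIN SESSION TICKET KEY-----" {exit 1}
         NR%3==0 && $0!="-----END SESSION TICKET KEY-----"   {exit 1}
         END { if (NR%3!=0) exit 1 }' "$keyfile" || return 1
    nok=0
    for b64 in $(awk 'prev=="-----BEGIN SESSION TICKET KEY-----"{print} {prev=$0}' "$keyfile"); do
        len=$(printf '%s' "$b64" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
        [ "$len" -eq 48 ] || return 1
        nok=$((nok + 1))
    done
    [ "$nok" -eq "$nkeys" ]
}

# Usage: rotate_ticket_key /etc/nginx/ticket.key 3 && check_ticket_keyfile /etc/nginx/ticket.key
```

Run from cron at the rotation interval, followed by a reload of the server; the retained older keys let tickets issued before the rotation stay valid until they age out of the file, while a bad write is caught by the check before it reaches the server.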