Distributed SSL session cache

Maxim Dounin mdounin at mdounin.ru
Mon Sep 30 15:31:36 UTC 2013


Hello!

On Mon, Sep 30, 2013 at 07:14:59PM +0400, kyprizel wrote:

> $ openssl rand -base64 48 | awk '{print "-----BEGIN SESSION TICKET
> KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' >>
> ticket.key.new && cat ticket.key >> ticket.key.new && mv ticket.key.new
> ticket.key
> 
> There is no difference b/w binary and PEM form here, but I prefer to see
> config files in printable characters.

I would prefer printable configs as well.  But I don't really 
think that adding PEM header/footer with awk counts as a trivial 
way to do things.  It's not something an ordinary admin can do 
with at least 50% chance of getting a correct result for the first 
time.

And, BTW, your key rotation lacks removing of an old key, which 
makes it unusable.  Correct implementation will require keeping 
each key in its own file - which essentially makes "single file 
per key" approach more natural.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
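
The rotation discussed above with one key per file, as an added example that is not part of the original message and not nginx code. The file names `ticket.key.0` (newest) through `ticket.key.N`, the `keep` parameter and the base64 single-line file format are assumptions; how the server loads the files is not covered.

```shell
#!/bin/sh
# Added example: rotate session ticket keys kept one per file.
# Hypothetical layout: $dir/ticket.key.0 is the newest key,
# ticket.key.1 .. ticket.key.(keep-1) are older keys still accepted.

gen_ticket_key() {
    # 48 random bytes, base64-encoded, as in the quoted command;
    # falls back to /dev/urandom if openssl is not installed.
    openssl rand -base64 48 2>/dev/null || head -c 48 /dev/urandom | base64
}

rotate_ticket_keys() {
    dir=$1
    keep=${2:-2}            # total number of keys to keep, at least 1
    [ -d "$dir" ] && [ "$keep" -ge 1 ] || return 1

    # Write the new key to a temp file in the same directory so the
    # final mv is a rename; mktemp creates it with mode 0600.
    tmp=$(mktemp "$dir/ticket.key.new.XXXXXX") || return 1
    if ! gen_ticket_key > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi

    # Remove the oldest key: the step the append-to-one-file version lacks.
    i=$((keep - 1))
    rm -f "$dir/ticket.key.$i"

    # Shift the remaining keys up by one index, oldest first.
    while [ "$i" -gt 0 ]; do
        prev=$((i - 1))
        [ -f "$dir/ticket.key.$prev" ] && mv "$dir/ticket.key.$prev" "$dir/ticket.key.$i"
        i=$prev
    done

    # Install the new key as the newest one.
    mv "$tmp" "$dir/ticket.key.0"
}
```

Each call leaves at most `keep` files in the directory, so a key stops being accepted after `keep` rotations.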


