Distributed SSL session cache
Maxim Dounin
mdounin at mdounin.ru
Mon Sep 30 15:31:36 UTC 2013
Hello!
On Mon, Sep 30, 2013 at 07:14:59PM +0400, kyprizel wrote:
> $ openssl rand -base64 48 |
>     awk '{print "-----BEGIN SESSION TICKET KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' >> ticket.key.new &&
>     cat ticket.key >> ticket.key.new &&
>     mv ticket.key.new ticket.key
>
> There is no difference b/w binary and PEM form here, but I prefer to see
> config files in printable characters.
I would prefer printable configs as well. But I don't really
think that adding PEM header/footer with awk counts as a trivial
way to do things. It's not something an ordinary admin can do
with at least 50% chance of getting a correct result for the first
time.
And, BTW, your key rotation lacks removing of an old key, which
makes it unusable. Correct implementation will require keeping
each key in its own file - which essentially makes "single file
per key" approach more natural.
--
Maxim Dounin
http://nginx.org/en/donation.html
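
The one-file-per-key rotation argued for in the reply above, as an added example that is not part of the original message and not nginx's own code. The file names `current.key` and `previous.key`, the directory in the usage comment and the `/dev/urandom` fallback are assumptions; the 48-byte key size comes from the quoted command.

```shell
#!/bin/sh
# Added example: rotate TLS session ticket keys, one key per file.
# Assumed layout (hypothetical names):
#   $dir/current.key   encrypts new tickets
#   $dir/previous.key  only decrypts tickets issued before the last rotation
# Usage (hypothetical path): rotate_ticket_keys /etc/nginx/ticket-keys

# Write 48 random bytes (raw, not base64) to the file named in $1.
gen_ticket_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand 48 > "$1"
    else
        head -c 48 /dev/urandom > "$1"   # assumption: fallback when openssl is absent
    fi
}

# The body runs in a subshell so the umask change and "exit" stay local.
rotate_ticket_keys() (
    dir=$1
    umask 077                            # key files must not be group/world readable
    new="$dir/.new.$$"
    prev="$dir/.prev.$$"

    gen_ticket_key "$new" || { rm -f "$new"; exit 1; }
    # Refuse to install a truncated key.
    [ "$(wc -c < "$new")" -eq 48 ] || { rm -f "$new"; exit 1; }

    # Demote the current key. Overwriting previous.key is the step that
    # removes the old key, so at most two keys ever exist on disk.
    if [ -f "$dir/current.key" ]; then
        cp "$dir/current.key" "$prev" && mv -f "$prev" "$dir/previous.key" ||
            { rm -f "$new" "$prev"; exit 1; }
    fi

    # Rename is atomic, so current.key always holds a complete key.
    mv -f "$new" "$dir/current.key"
)
```

The server has to be configured to encrypt with `current.key` and accept `previous.key` for decryption only, and to re-read both files after each rotation.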