Distributed SSL session cache

Maxim Dounin mdounin at mdounin.ru
Mon Sep 30 18:00:14 UTC 2013


Hello!

On Mon, Sep 30, 2013 at 08:15:34PM +0400, kyprizel wrote:

> $ openssl rand -base64 48 | awk '{print "-----BEGIN SESSION TICKET
> KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' >>
> ticket.key.new && cat ticket.key | awk 'sa==1{n++;sa=1}/-----BEGIN SESSION
> TICKET KEY-----/{sa=1;X=2}{if(n<3*X){print;}}' >> ticket.key.new && mv
> ticket.key.new ticket.key
> 
> store not more than X=2 old keys + new one, you can add it to cron file.
> 
> I know it's weird to use awk, but I only try to illustrate that it's not a
> big problem to rotate keys with my schema ;)

While it's not a big problem, it's certainly not something 
trivial.

> But you can' rotate keys with
> oneliner if you use "one key per file schema" - there'll be too big
> probability of mistake during nginx config parsing.

Huh?  Even trivial

$ mv key.new key.old && openssl rand 48 > key.new

would be fine as in a worst case a new configuration will just 
fail to load.  And

$ cp key.new key.old.tmp && mv key.old.tmp key.old \
    && openssl rand 48 > key.new.tmp && mv key.new.tmp key.new

is atomic.

-- 
Maxim Dounin
http://nginx.org/en/donation.html



More information about the nginx-devel mailing list