Session Ticket Rotation

Richard Fussenegger, BSc richard at
Fri Oct 10 21:09:05 UTC 2014

Hello and many thanks for your reply.

On 10/10/2014 10:57 PM, Yichun Zhang (agentzh) wrote:
> Hello!
> Fortunately this does not have to be in the nginx core :)
I came to the conclusion that this shouldn't even be in nginx core. 
OpenSSL should be updated. Of course a few nginx changes would come with 
that (exposing some configuration settings). There's more that's 
problematic with session tickets in OpenSSL: only AES128-CBC-SHA256 
while ignoring chosen cipher. Let's hope that some OpenSSL / C crack 
will update that at some point in the future. Luckily we now have a few 
forks and ReSSL might be just the project that brings us a real 
interface to work against.

> We're using the ngx_lua module [1] to periodically update the session
> ticket keys from external shared data services (like memcached).
> To be more specific, we're using ngx_lua's init_worker_by_lua [2] to
> create a re-occurring timer (via [3]) and fetch a new
> ticket key from external data sources via the nonblocking
> lua-resty-memcached library [4] and add that into the existing queue
> used by OpenSSL via LuaJIT FFI [5].
> Also, we use the lua_shared_dict [6] to reduce traffic to the external
> data source online.
> No patches are needed for the nginx core :)
> In this "add-on" implementation, the ticket keys are also shared
> across all our machines.
> Best regards,
> -agentzh
> [1]
> [2]
> [3]
> [4]
> [5]
> [6]
I'm currently working on a solution that only relies on a POSIX 
compatible shell interpreter without any additions to nginx. The only 
requirement is version 1.5.7 (which you have as well).

It's work in progress right now and will only be Debian / Ubuntu 
compatible when it's finished. I'll also integrate syncing in clusters 
and compatibility with other operating systems if I find the time.

@anyone If you have the time to review my work and approach, please do 
so. I'd love feedback!

Regards, Richard

PS: You should open source your solution. :)
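As an added illustration of the shell-only approach discussed above (not Richard's script and not from this thread), the following POSIX sh fragment rotates the key files behind nginx's ssl_session_ticket_key directive (available since 1.5.7): the first listed file encrypts new tickets, the second only decrypts tickets issued under the previous key. The directory, file names and the two-key policy are my assumptions.

```shell
#!/bin/sh
# Added example: rotate nginx TLS session ticket keys without touching nginx.
# Assumed nginx configuration (paths are this example's own choice):
#   ssl_session_ticket_key /etc/nginx/ticket-keys/current.key;
#   ssl_session_ticket_key /etc/nginx/ticket-keys/previous.key;
# nginx encrypts new tickets with the first key and only decrypts with the rest,
# so promoting current -> previous keeps existing sessions resumable for one period.

KEY_DIR="${KEY_DIR:-/etc/nginx/ticket-keys}"   # overridable for testing
KEY_BYTES=48                                    # nginx 1.5.7 expects exactly 48 bytes
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"     # makes nginx re-read the key files

# Return 0 if $1 exists and is exactly KEY_BYTES long (nginx rejects other sizes).
key_ok() {
    [ -f "$1" ] && [ "$(wc -c < "$1" | tr -d ' ')" -eq "$KEY_BYTES" ]
}

# Write KEY_BYTES random bytes to $1 atomically, owner-readable only.
gen_key() {
    tmp="$1.tmp.$$"
    ( umask 077 && dd if=/dev/urandom of="$tmp" bs="$KEY_BYTES" count=1 2>/dev/null ) \
        || return 1
    key_ok "$tmp" || { rm -f "$tmp"; return 1; }   # guard against a short read
    mv -f "$tmp" "$1"
}

# Promote current -> previous, mint a fresh current key, then reload nginx.
rotate_keys() {
    mkdir -p "$KEY_DIR" && chmod 700 "$KEY_DIR" || return 1
    if key_ok "$KEY_DIR/current.key"; then
        mv -f "$KEY_DIR/current.key" "$KEY_DIR/previous.key" || return 1
    else
        gen_key "$KEY_DIR/previous.key" || return 1    # first run: no key to demote
    fi
    gen_key "$KEY_DIR/current.key" || return 1
    $RELOAD_CMD
}

# Run from cron (e.g. hourly) as: ./rotate-ticket-keys.sh rotate
case "${1:-}" in
    rotate) rotate_keys ;;
esac
```

Old tickets stay decryptable only while their key is still listed, so the rotation interval bounds how long a stolen key file can unlock past sessions.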