proper setup for forward secrecy
eiji-gravion
nginx-forum at nginx.us
Fri Sep 21 21:22:14 UTC 2012
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Tue, Sep 18, 2012 at 04:34:30AM -0400, eiji-gravion wrote:
>
> > Still curious about this, it would be nice to have a way to rotate
> these
> > keys without having to restart the server.
>
> Looking though OpenSSL code suggests keys are generated on SSL_CTX
> creation (at least as of OpenSSL 1.0.1c, see SSL_CTX_new() in
> ssl/ssl_lib.c), that is, they are rotated by nginx configuration
> reload.
>
> Maxim Dounin
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
Is this all that can be done?
It just seems kind of hackish to need a cronjob set to do a configuration
reload to rotate these keys.
Would it be possible to have some type of configuration option that does
this without a total config reload? Perhaps even a user-defined rotation
time in minutes?
This seems like a pretty important thing to have, most people who are
running DH/ECDHE ciphersuites probably don't even realize that they aren't
really getting forward secrecy...
Thanks
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,229538,230927#msg-230927
More information about the nginx
mailing list