NGINX SSL Session Ticket Key

ZNV mejedi at gmail.com
Tue Feb 25 16:23:55 UTC 2014


Hi!

Recently nginx implemented support for ssl_session_ticket_key, allowing one
to set up key(s) for SSL ticket encryption explicitly. This is useful when
multiple nginx servers must share the same set of keys in order for any
server to accept tickets issued by any other server.

The key file is an opaque 48 byte long blob. Internally this data is
partitioned as follows (ngx_ssl_ticket_session_keys, ngx_event_openssl.c):

a key name (16 bytes)
encryption key (16 bytes)
hmac key (16 bytes)

Without nginx customization OpenSSL partitions the key data another
way (ssl3_ctx_ctrl in openssl):

a key name (16 bytes)
hmac key (16 bytes)
encryption key (16 bytes)

This creates a certain compatibility issue. Though I didn't verify it,
presumably Apache's mod_ssl isn't going to understand nginx
SSL session tickets even though both servers are using OpenSSL.

I think it would be better if nginx didn't invent its own ticket key
format but instead used the format defined by OpenSSL.

Best Regards.
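As an added illustration of the two layouts described in the post (this is example code written here, not code from the post, from nginx or from OpenSSL), the following script parses a 48-byte ticket key blob under both the nginx partitioning (name | AES key | HMAC key) and the OpenSSL SSL_CTX_set_tlsext_ticket_keys partitioning (name | HMAC key | AES key), converts a key file from one layout to the other, and shows what a server using the other layout would actually read: the two 16-byte keys swapped, so the cross-server ticket fails to validate. The sample key bytes are constructed for the demonstration, and the function and file names are this example's own.

```python
"""Convert a 48-byte TLS session ticket key file between the nginx layout
(as described in the post) and the OpenSSL layout.

Added example, not code from nginx or OpenSSL.  Layouts per the post:
  nginx   : name[16] | aes_key[16]  | hmac_key[16]
  OpenSSL : name[16] | hmac_key[16] | aes_key[16]
"""
import os
import sys
from dataclasses import dataclass

KEY_LEN = 48
FIELD = 16


@dataclass(frozen=True)
class TicketKey:
    name: bytes      # key identifier written into every ticket in the clear
    aes_key: bytes   # key used to encrypt the serialized session
    hmac_key: bytes  # key used to authenticate the ticket


def _check(blob: bytes) -> None:
    if len(blob) != KEY_LEN:
        raise ValueError(f"ticket key must be {KEY_LEN} bytes, got {len(blob)}")


def parse_nginx(blob: bytes) -> TicketKey:
    """Interpret blob with the nginx partitioning: name | aes | hmac."""
    _check(blob)
    return TicketKey(blob[0:16], blob[16:32], blob[32:48])


def parse_openssl(blob: bytes) -> TicketKey:
    """Interpret blob with the OpenSSL partitioning: name | hmac | aes."""
    _check(blob)
    return TicketKey(name=blob[0:16], hmac_key=blob[16:32], aes_key=blob[32:48])


def to_nginx(key: TicketKey) -> bytes:
    return key.name + key.aes_key + key.hmac_key


def to_openssl(key: TicketKey) -> bytes:
    return key.name + key.hmac_key + key.aes_key


def openssl_to_nginx(blob: bytes) -> bytes:
    """Rewrite an OpenSSL-layout key file so nginx derives the same keys."""
    return to_nginx(parse_openssl(blob))


def nginx_to_openssl(blob: bytes) -> bytes:
    """Rewrite an nginx-layout key file for a server using the OpenSSL layout."""
    return to_openssl(parse_nginx(blob))


def cross_layout_view(blob: bytes) -> dict:
    """Show the mismatch the post describes: the same bytes read by a server
    using the other layout.  The name agrees (so the peer will try to use the
    key), but AES and HMAC keys are swapped, so the HMAC check fails."""
    as_nginx = parse_nginx(blob)
    as_openssl = parse_openssl(blob)
    return {
        "same_name": as_nginx.name == as_openssl.name,
        "aes_matches": as_nginx.aes_key == as_openssl.aes_key,
        "hmac_matches": as_nginx.hmac_key == as_openssl.hmac_key,
        "keys_swapped": (as_nginx.aes_key == as_openssl.hmac_key
                         and as_nginx.hmac_key == as_openssl.aes_key),
    }


def generate_key() -> TicketKey:
    """Fresh random key; write it out with to_nginx() or to_openssl()."""
    return TicketKey(os.urandom(FIELD), os.urandom(FIELD), os.urandom(FIELD))


# Constructed sample blob (not a real key): byte i has value i, so each
# 16-byte field is recognisable in the output.
SAMPLE = bytes(range(KEY_LEN))


def main(argv: list[str]) -> int:
    # usage: script.py {openssl2nginx|nginx2openssl} IN OUT
    if len(argv) != 4 or argv[1] not in ("openssl2nginx", "nginx2openssl"):
        print(__doc__)
        return 2
    conv = openssl_to_nginx if argv[1] == "openssl2nginx" else nginx_to_openssl
    with open(argv[2], "rb") as f:
        out = conv(f.read())
    with open(argv[3], "wb") as f:
        f.write(out)
    return 0


if __name__ == "__main__":
    print(cross_layout_view(SAMPLE))
    sys.exit(main(sys.argv))
```

Run it on the sample to see that the key name survives a cross-layout read while the AES and HMAC halves are exchanged; that is exactly why a ticket issued by one server is rejected by the other even though both were handed "the same" 48 bytes. For a real deployment the conversion must be applied to every key in the rotation set, not just the current signing key, or older tickets will fail on the converted side.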