NGINX SSL Session Ticket Key
Maxim Dounin
mdounin at mdounin.ru
Tue Feb 25 16:52:00 UTC 2014
Hello!
On Tue, Feb 25, 2014 at 08:23:55PM +0400, ZNV wrote:
> Hi!
>
> Recently nginx implemented support for ssl_session_ticket_key allowing
> one to set up key(s) for SSL ticket encryption explicitly. This is useful when
> multiple nginx servers must share the same set of keys in order for any
> server to accept tickets issued by any other server.
>
> The key file is an opaque 48 byte long blob. Internally this data is
> partitioned as follows (ngx_ssl_ticket_session_keys, ngx_event_openssl.c):
>
> a key name (16 bytes)
> encryption key (16 bytes)
> hmac key (16 bytes)
>
> Without nginx customization OpenSSL partitions the key data another
> way (ssl3_ctx_ctrl in openssl):
>
> a key name (16 bytes)
> hmac key (16 bytes)
> encryption key (16 bytes)
>
> This creates a certain compatibility issue. Though I didn't verify it
> presumably Apache's mod_ssl isn't going to understand nginx
> SSL session tickets even though both servers are using OpenSSL.
>
> I think it would be better if nginx didn't invent its own ticket key
> format but use the format defined by OpenSSL instead.
The format is "48 bytes of random data", and I don't think that
compatibility with other software is something to be considered
here. Ticket keys are to be used between multiple nginx
instances, nothing more.
--
Maxim Dounin
http://nginx.org/
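The two layouts described in the quoted message can be checked directly. The following is an added example, not code from nginx, OpenSSL or either poster: it splits the same 48-byte key file the nginx way (name | AES key | HMAC key) and the OpenSSL way (name | HMAC key | AES key), then computes a ticket MAC with one layout and tries to verify it with the other. The key file contents and the ticket body are constructed sample data, and the MAC construction (HMAC-SHA256 over name plus ticket body) is a deliberate simplification of the real ticket format, which also carries an IV and AES-128-CBC encrypted state; it is enough to show that a ticket MAC'd under one layout is rejected under the other, so a peer using the other layout falls back to a full handshake rather than resuming.

```python
import hashlib
import hmac
from typing import NamedTuple

# nginx rejects any ssl_session_ticket_key file that is not exactly 48 bytes.
KEY_FILE_LEN = 48


class TicketKey(NamedTuple):
    name: bytes      # 16-byte key name, sent in the clear in the ticket
    aes_key: bytes   # 16-byte encryption key
    hmac_key: bytes  # 16-byte MAC key


def _check_len(blob: bytes) -> None:
    if len(blob) != KEY_FILE_LEN:
        raise ValueError(f"ticket key file must be {KEY_FILE_LEN} bytes, got {len(blob)}")


def parse_nginx_layout(blob: bytes) -> TicketKey:
    """Layout used by ngx_event_openssl.c: name | aes key | hmac key."""
    _check_len(blob)
    return TicketKey(name=blob[0:16], aes_key=blob[16:32], hmac_key=blob[32:48])


def parse_openssl_layout(blob: bytes) -> TicketKey:
    """Layout used by SSL_CTX_set_tlsext_ticket_keys: name | hmac key | aes key."""
    _check_len(blob)
    return TicketKey(name=blob[0:16], aes_key=blob[32:48], hmac_key=blob[16:32])


def mac_ticket(key: TicketKey, ticket_body: bytes) -> bytes:
    # Simplified ticket MAC (assumption: HMAC-SHA256 over name + body).
    return hmac.new(key.hmac_key, key.name + ticket_body, hashlib.sha256).digest()


def verify_ticket(key: TicketKey, ticket_body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_ticket(key, ticket_body), tag)


def cross_layout_check(blob: bytes, ticket_body: bytes) -> dict:
    """Issue a ticket under the nginx layout, verify it under both layouts."""
    nginx_key = parse_nginx_layout(blob)
    openssl_key = parse_openssl_layout(blob)
    tag = mac_ticket(nginx_key, ticket_body)
    return {
        # The name field sits at the same offset in both layouts, so a peer
        # would recognise the key name and still fail on the MAC.
        "same_name": nginx_key.name == openssl_key.name,
        "nginx_verifies": verify_ticket(nginx_key, ticket_body, tag),
        "openssl_verifies": verify_ticket(openssl_key, ticket_body, tag),
    }


# Constructed sample key file (a real one should be 48 bytes from a CSPRNG,
# e.g. `openssl rand 48 > ticket.key`) and a constructed ticket body.
SAMPLE_KEY_FILE = bytes(range(KEY_FILE_LEN))
SAMPLE_TICKET_BODY = b"constructed opaque session state"

if __name__ == "__main__":
    print(cross_layout_check(SAMPLE_KEY_FILE, SAMPLE_TICKET_BODY))
```

The dictionary returned for the sample input reports that the key name matches, the nginx-side verification succeeds and the OpenSSL-side verification fails, which is the compatibility gap the thread is about; only nginx instances sharing the same key file (and therefore the same layout) resume each other's sessions.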