AW: RE: opinions about Session tickets

Lukas Tribus luky-37 at
Tue Mar 28 23:53:35 UTC 2017

> Each time i change the key file with a new key, is it necessary to run a
> "systemctl reload nginx" ? or do Something else.

Yes, afaik nginx requires a reload.

Haproxy can replace TLS tickets via admin socket [1] so a reload/restart is
not required, I'm not aware of similar nginx functionalities (but the reload
is less painless in nginx due to the master/worker concept).

> If reload is not necessary, would working with 3 files always called the
> same would be enough if i update the content with the new key ?
> Like move remove file3, cp file2 to file3, cp file1 to file2, generate new
> key in a new file1

No, that reload is necessary. Make sure you follow the advice in the doc
with multiple tickets, or actually, use the following approach:

ssl_session_ticket_key current.key;
ssl_session_ticket_key next.key;
ssl_session_ticket_key previous.key;

and something like this whenever you want to replace the tickets:
mv current.key previous.key
mv next.key current.key
"openssl rand 80 > next.key" (or rsyn to/from multiple servers)
/etc/init.d/nginx reload (or whatever the latest 

That way, a new key will be distributed first, and only actively used for
encryption on the next reload, so regardless which server the client hits,
it always has an uptodate TLS ticket key, allowing decryption.



More information about the nginx mailing list