On Tue, Mar 22, 2016 at 4:18 PM, Paul Querna <p...@querna.org> wrote:
> My thought was to add support for either multiple files, or multiple values
> in the existing `SSLSessionTicketKeyFile`. Then add support to decrypt from
> any of the known keys, and have a setting (or the first loaded key) would be
> used to encrypt all new keys. This would allow for rotation in a reasonable
> manner.
That's indeed a great improvement on what we have now, and actually looks like you first introduced it in r1200040 :) Why was it not kept that way? We'll still need a (graceful) restart to renew the keys, though. Also, it seems there is interest in sharing the keys across different instances/machines; is a file (unless on something like an NFS mount) an option here?
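The rotation scheme from the quoted proposal (every loaded key can decrypt, the first loaded key encrypts all new tickets), written out as an added Go example; this is not code from httpd/mod_ssl, and the key ring, the 16-byte key-name prefix and the AES-GCM ticket layout are assumptions made for illustration:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// TicketKey: 16-byte name sent in the clear (selects the key) + AES-GCM key.
type TicketKey struct {
	Name [16]byte
	AEAD cipher.AEAD
}
// NewTicketKey wraps 16/32 bytes of material (caller-supplied here; mod_ssl would load it from SSLSessionTicketKeyFile).
func NewTicketKey(name [16]byte, material []byte) (TicketKey, error) {
	block, err := aes.NewCipher(material)
	if err != nil {
		return TicketKey{}, err
	}
	aead, err := cipher.NewGCM(block)
	return TicketKey{Name: name, AEAD: aead}, err
}
// KeyRing: keys[0] is the primary that encrypts every new ticket (as proposed in the quoted mail); all keys decrypt.
type KeyRing struct{ keys []TicketKey }
// Rotate installs k as the new primary; older keys stay, for decryption only.
func (r *KeyRing) Rotate(k TicketKey) { r.keys = append([]TicketKey{k}, r.keys...) }
// Encrypt seals session state under the primary key as name || nonce || ct.
func (r *KeyRing) Encrypt(state []byte) ([]byte, error) {
	if len(r.keys) == 0 {
		return nil, errors.New("no ticket keys loaded")
	}
	k := r.keys[0]
	nonce := make([]byte, k.AEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(k.Name[:], nonce...) // cap(k.Name[:]) is 16, so this allocates
	return k.AEAD.Seal(out, nonce, state, k.Name[:]), nil
}
// Decrypt opens a ticket with the known key it names; an unknown name means a retired key, so fall back to a full handshake.
func (r *KeyRing) Decrypt(ticket []byte) ([]byte, error) {
	for _, k := range r.keys {
		ns := k.AEAD.NonceSize()
		if len(ticket) >= 16+ns && string(ticket[:16]) == string(k.Name[:]) {
			return k.AEAD.Open(nil, ticket[16:16+ns], ticket[16+ns:], k.Name[:])
		}
	}
	return nil, errors.New("ticket key not known: retired or never loaded")
}
```

Rotating in a new key keeps tickets issued under the old one resumable until that key is dropped from the ring; a ticket naming a key no longer in the ring is simply refused, which is the behaviour a server wants after retiring a key.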