Hello!

On Sat, Sep 28, 2013 at 10:37:39PM +0400, kyprizel wrote:

> On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora <[email protected]> wrote:
>
> > Hi,
> >
> > > My patch was designed not to use multiple keyfiles and keynames in nginx
> > > config so it's able to rotate keys with simple logic, only updating
> > > keyfile.
> >
> > IMHO, that makes the key rollover much harder than it should be, that
> > is: you need to regenerate keyfile with number of older keys + new one
> > vs just add new key (and optionally remove some of the old ones).
>
> That depends on key distribution scheme - you can distribute only new keys
> and store old keys on nginx server only.
> But with your patch you should also rotate "default" key in nginx config
> and it complicates the logic (in my schema) a bit.
> Anyway - I'm not sure if keyname is meaningful parameter in periodic key
> rotation scheme. For me - it is not.

I agree that logic suggested by Piotr looks a bit too complicated. On the
other hand, the one in your patch doesn't look easy for automation as
well.

I don't think it would be trivial to generate keys in PEM format (feel
free to prove I'm wrong), and rotate them once they are in a single
file.

BTW, just in case somebody hasn't seen this before, here is a link for
relevant Apache directive which uses 48-byte binary file:

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessionticketkeyfile

-- 
Maxim Dounin
http://nginx.org/en/donation.html
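The "just add a new key and drop the oldest" rollover that Piotr describes, applied to a file of concatenated 48-byte binary keys in the format the linked Apache directive uses, as an added example that is not code from either patch or from nginx. It assumes the common convention that the first key in the file encrypts new tickets and the remaining keys only decrypt tickets issued earlier; the function names are illustrative.

```python
import os

# One ticket key is 48 bytes: the Apache docs describe it as a 16-byte key name,
# a 16-byte AES key and a 16-byte HMAC key (that split is assumed here, not parsed).
KEY_LEN = 48


def new_ticket_key() -> bytes:
    """Generate one random 48-byte ticket key (os.urandom is CSPRNG-backed)."""
    return os.urandom(KEY_LEN)


def split_keys(blob: bytes) -> list:
    """Split a key file into individual keys, newest (encrypting) key first."""
    if len(blob) % KEY_LEN != 0:
        # A truncated or hand-edited file is a configuration error, not something to guess at.
        raise ValueError("key file length %d is not a multiple of %d" % (len(blob), KEY_LEN))
    return [blob[i:i + KEY_LEN] for i in range(0, len(blob), KEY_LEN)]


def rotate_keys(blob: bytes, new_key: bytes, keep: int = 3) -> bytes:
    """Return a new key file: new_key becomes the encrypting key, the previous
    keys stay for decryption, and anything older than `keep` keys is dropped."""
    if len(new_key) != KEY_LEN:
        raise ValueError("new key must be exactly %d bytes" % KEY_LEN)
    if keep < 1:
        raise ValueError("must keep at least the encrypting key")
    # Re-adding a key that is already present moves it to the front instead of duplicating it.
    old_keys = [k for k in split_keys(blob) if k != new_key]
    return b"".join(([new_key] + old_keys)[:keep])


def rotate_key_file(path: str, keep: int = 3) -> int:
    """Rotate the key file on disk in place; returns the number of keys it now holds.
    Writing to a temp file and renaming keeps a reader from seeing a partial file."""
    try:
        with open(path, "rb") as f:
            blob = f.read()
    except FileNotFoundError:
        blob = b""
    rotated = rotate_keys(blob, new_ticket_key(), keep)
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(rotated)
    os.chmod(tmp, 0o600)  # ticket keys are as sensitive as the private key
    os.replace(tmp, path)
    return len(split_keys(rotated))
```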
