# Generate one 48-byte key, wrap it in PEM-style markers, put it first in
# the new file, append the previous keys, then swap the file into place.
$ openssl rand -base64 48 \
    | awk '{print "-----BEGIN SESSION TICKET KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' > ticket.key.new \
    && cat ticket.key >> ticket.key.new \
    && mv ticket.key.new ticket.key

There is no difference b/w binary and PEM form here, but I prefer to see config files in printable characters.

On Mon, Sep 30, 2013 at 6:50 PM, Maxim Dounin <[email protected]> wrote:
> Hello!
>
> On Sat, Sep 28, 2013 at 10:37:39PM +0400, kyprizel wrote:
>
> > On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > > My patch was designed not to use multiple keyfiles and keynames in nginx
> > > > config so it's able to rotate keys with simple logic, only updating
> > > > keyfile.
> > >
> > > IMHO, that makes the key rollover much harder than it should be, that
> > > is: you need to regenerate keyfile with number of older keys + new one
> > > vs just add new key (and optionally remove some of the old ones).
> > >
> >
> > That depends on key distribution scheme - you can distribute only new keys
> > and store old keys on nginx server only.
> > But with your patch you should also rotate "default" key in nginx config
> > and it complicates the logic (in my schema) a bit.
> > Anyway - I'm not sure if keyname is meaningful parameter in periodic key
> > rotation scheme. For me - it is not.
>
> I agree that logic suggested by Piotr looks a bit too complicated.
> On the other hand, the one in your patch doesn't look easy for
> automation as well. I don't think it would be trivial to generate
> keys in PEM format (feel free to prove I'm wrong), and rotate them
> once they are in a single file.
>
> BTW, just in case somebody hasn't seen this before, here is a
> link for relevant Apache directive which uses 48-byte binary file:
>
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessionticketkeyfile
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html
>
> _______________________________________________
> nginx-devel mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
_______________________________________________
nginx-devel mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-devel
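Added example, not code from the thread, from nginx or from the patches it discusses: a Python script that automates the rotation scheme of the shell one-liner above (newest key first in one PEM-style file), bounds how many old keys are kept, writes the file atomically, and parses the file back into raw 48-byte keys, which is all the "binary form" mentioned in the reply is. The file name `ticket.key`, the helper names and the `max_keys` limit are assumptions for the example; the PEM markers and the 48-byte key size are the ones used in the thread.

```python
# Added example (not from the nginx-devel thread): rotate and parse a
# PEM-style session ticket key file, newest key first.
import base64
import os
import re
import tempfile

TICKET_KEY_LEN = 48  # 48 random bytes per key, as in the thread's one-liner
PEM_HEADER = "-----BEGIN SESSION TICKET KEY-----"
PEM_FOOTER = "-----END SESSION TICKET KEY-----"
_BLOCK_RE = re.compile(
    re.escape(PEM_HEADER) + r"\s*([A-Za-z0-9+/=\s]+?)\s*" + re.escape(PEM_FOOTER)
)


def pem_wrap(key):
    """Wrap one raw key in the header/footer pair the shell one-liner emits."""
    if len(key) != TICKET_KEY_LEN:
        raise ValueError("ticket key must be %d bytes, got %d" % (TICKET_KEY_LEN, len(key)))
    return "%s\n%s\n%s\n" % (PEM_HEADER, base64.b64encode(key).decode("ascii"), PEM_FOOTER)


def parse_ticket_keys(text):
    """Return the raw keys in file order (first = newest); reject malformed entries.

    A key of the wrong length is an error rather than silently skipped: a
    truncated key would weaken every ticket encrypted under it."""
    keys = []
    for match in _BLOCK_RE.finditer(text):
        raw = base64.b64decode("".join(match.group(1).split()), validate=True)
        if len(raw) != TICKET_KEY_LEN:
            raise ValueError("malformed ticket key: %d bytes" % len(raw))
        keys.append(raw)
    return keys


def rotate_ticket_keys(path, max_keys=3, rng=os.urandom):
    """Prepend a fresh key, drop keys beyond max_keys, write the file atomically.

    The newest key encrypts new tickets; older keys are kept only so tickets
    issued before the rotation can still be decrypted, so max_keys (an
    assumed parameter) bounds how long an old key stays usable."""
    old_keys = []
    if os.path.exists(path):
        with open(path, "r") as f:
            old_keys = parse_ticket_keys(f.read())
    new_key = rng(TICKET_KEY_LEN)
    keys = ([new_key] + old_keys)[:max_keys]
    # Write to a temp file in the same directory, then rename over the old
    # file, so a reader never sees a partially written key file (the mv in
    # the one-liner does the same job).
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".ticket.key.")
    with os.fdopen(fd, "w") as f:
        f.write("".join(pem_wrap(k) for k in keys))
    os.chmod(tmp, 0o600)  # a ticket key is as sensitive as the server's private key
    os.replace(tmp, path)
    return keys


def newest_key_binary(path):
    """The 48 raw bytes of the newest key, i.e. the single-key binary form."""
    with open(path, "r") as f:
        return parse_ticket_keys(f.read())[0]


if __name__ == "__main__":
    keys = rotate_ticket_keys("ticket.key")  # assumed file name
    print("ticket.key now holds %d key(s)" % len(keys))
```

Running the script once a rotation period (for example from cron, followed by a reload of the server) is the whole automation: no key names appear in the server configuration, and the number of keys retained is fixed by `max_keys` rather than by hand-editing the file.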
