Ok, I don't insist - I just need the functionality. What should I do to get my patch accepted? :)
1. Store key as bin
2. Separate files

On Mon, Sep 30, 2013 at 10:00 PM, Maxim Dounin <[email protected]> wrote:

> Hello!
>
> On Mon, Sep 30, 2013 at 08:15:34PM +0400, kyprizel wrote:
>
> > $ openssl rand -base64 48 | awk '{print "-----BEGIN SESSION TICKET KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' >> ticket.key.new && cat ticket.key | awk 'sa==1{n++;sa=1}/-----BEGIN SESSION TICKET KEY-----/{sa=1;X=2}{if(n<3*X){print;}}' >> ticket.key.new && mv ticket.key.new ticket.key
> >
> > store not more than X=2 old keys + new one, you can add it to cron file.
> >
> > I know it's weird to use awk, but I only try to illustrate that it's not a
> > big problem to rotate keys with my schema ;)
>
> While it's not a big problem, it's certainly not something
> trivial.
>
> > But you can't rotate keys with
> > oneliner if you use "one key per file schema" - there'll be too big
> > probability of mistake during nginx config parsing.
>
> Huh? Even trivial
>
> $ mv key.new key.old && openssl rand 48 > key.new
>
> would be fine as in a worst case a new configuration will just
> fail to load. And
>
> $ cp key.new key.old.tmp && mv key.old.tmp key.old \
>   && openssl rand 48 > key.new.tmp && mv key.new.tmp key.new
>
> is atomic.
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html
>
> _______________________________________________
> nginx-devel mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
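
Added example (not part of the original message and not nginx code): the one-key-per-file rotation from the quoted reply, written as a shell function and extended to check that the new key is exactly 48 bytes before any live file is replaced. The directory argument, the function names and the /dev/urandom fallback are assumptions of this example; key.new and key.old are the file names used in the thread.

```shell
#!/bin/sh
# Added example: rotate TLS session ticket keys, one 48-byte key per file.
# key.new / key.old follow the thread; everything else is hypothetical.

# Emit 48 random bytes on stdout.
gen_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand 48
    else
        head -c 48 /dev/urandom   # assumed fallback when openssl is absent
    fi
}

# rotate_ticket_keys DIR
# Afterwards DIR/key.old holds the previous key.new (if there was one)
# and DIR/key.new holds a fresh key. Each live file is replaced with a
# rename inside DIR, so a reader never sees a partial key.
# The body runs in a subshell so umask, cd and trap stay local.
rotate_ticket_keys() (
    dir=$1
    umask 077                     # key files readable by owner only
    cd "$dir" || exit 1
    trap 'rm -f key.old.tmp key.new.tmp' EXIT

    # Build the candidate first; stop before touching live files if
    # the random source returned anything other than 48 bytes.
    gen_key > key.new.tmp || exit 1
    [ "$(( $(wc -c < key.new.tmp) ))" -eq 48 ] || exit 1

    # Keep the current key as key.old so it stays available after
    # the switch, as in the two-file scheme from the thread.
    if [ -f key.new ]; then
        cp key.new key.old.tmp || exit 1
        mv key.old.tmp key.old || exit 1
    fi
    mv key.new.tmp key.new
)
```

The function only rewrites the key files; the server configuration still has to be reloaded afterwards for the new key to take effect.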
