httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: TLS session ticket key (shared) renewal
Date Tue, 22 Mar 2016 22:32:10 GMT
On Tue, Mar 22, 2016 at 4:18 PM, Paul Querna <paul@querna.org> wrote:
> My thought was to add support for either multiple files, or multiple values
> in the existing `SSLSessionTicketKeyFile`.  Then add support to decrypt from
> any of the known keys, and have a setting (or the first loaded key) be
> used to encrypt all new keys.  This would allow for rotation in a reasonable
> manner.

That's indeed a great improvement on what we have now, and actually
looks like you first introduced it in r1200040 :)
Why was it not kept that way?

We'll still need a (graceful) restart to renew the keys, though.

Also, it seems there is interest in sharing the keys across different
instances/machines, is a file (unless on something like an NFS mount)
an option here?
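The multi-key scheme Paul sketches above (decrypt with any known key, encrypt with the first), as an added example that is not part of this thread or of mod_ssl: a Go key ring where keys[0] seals every new ticket, each ticket carries its key's name in clear, and Open tries only the key the ticket names. The 16-byte key name width matches the key_name field OpenSSL's ticket callback exposes; AES-GCM, the function names and the secrets are my assumptions (OpenSSL's own ticket format uses AES-CBC plus an HMAC).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Hypothetical key ring for the scheme sketched above (not mod_ssl's code):
// keys[0] encrypts every new ticket, any key still in the ring may decrypt.
const nameLen, nonceLen = 16, 12 // OpenSSL's key_name width; standard GCM nonce

// TicketKey pairs an AES secret with the name sent in clear inside each ticket.
type TicketKey struct {
	Name   [nameLen]byte
	Secret []byte // 16, 24 or 32 bytes
}

func (k TicketKey) aead() cipher.AEAD {
	block, err := aes.NewCipher(k.Secret)
	if err != nil {
		panic("ticket key secret is a config error, not a per-ticket one: " + err.Error())
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// Seal returns name || nonce || ciphertext+tag under keys[0]; the name is bound as AAD.
func Seal(keys []TicketKey, state []byte) ([]byte, error) {
	if len(keys) == 0 {
		return nil, errors.New("no ticket key loaded")
	}
	k, nonce := keys[0], make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead().Seal(append(k.Name[:], nonce...), nonce, state, k.Name[:]), nil
}

// Open tries only the key the ticket names; an unknown name means a full handshake.
func Open(keys []TicketKey, ticket []byte) ([]byte, error) {
	const hdr = nameLen + nonceLen
	for _, k := range keys {
		if len(ticket) >= hdr && string(ticket[:nameLen]) == string(k.Name[:]) {
			return k.aead().Open(nil, ticket[nameLen:hdr], ticket[hdr:], k.Name[:])
		}
	}
	return nil, errors.New("unknown ticket key, full handshake required")
}
```

Rotation is then just prepending a fresh key and dropping the oldest; tickets issued under a dropped key fail to open and the client falls back to a full handshake, which is exactly the forward-secrecy bound the rotation period sets.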
