AW: RE: opinions about Session tickets

Lukas Tribus
March 28, 2017 07:54PM
> Each time i change the key file with a new key, is it necessary to run a
> "systemctl reload nginx" ? or do Something else.

Yes, afaik nginx requires a reload.

Haproxy can replace TLS tickets via admin socket [1] so a reload/restart is
not required, I'm not aware of similar nginx functionalities (but the reload
is less painless in nginx due to the master/worker concept).



> If reload is not necessary, would working with 3 files always called the
> same would be enough if i update the content with the new key ?
> Like move remove file3, cp file2 to file3, cp file1 to file2, generate new
> key in a new file1

No, that reload is necessary. Make sure you follow the advice in the doc
with multiple tickets, or actually, use the following approach:

ssl_session_ticket_key current.key;
ssl_session_ticket_key next.key;
ssl_session_ticket_key previous.key;

and something like this whenever you want to replace the tickets:
mv current.key previous.key
mv next.key current.key
"openssl rand 80 > next.key" (or rsync to/from multiple servers)
/etc/init.d/nginx reload (or whatever the latest

That way, a new key will be distributed first, and only actively used for
encryption on the next reload, so regardless of which server the client hits,
it always has an up-to-date TLS ticket key, allowing decryption.


cheers,
lukas


[1] https://cbonte.github.io/haproxy-dconv/1.7/management.html#9.3-set%20ssl%20tls-key
[2] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
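The three-file rotation Lukas describes above, written out as a shell function; this is an added example, not code from the original post or from nginx. It assumes the key directory path and the NGINX_RELOAD hook (both hypothetical), and it refuses to rotate when next.key is missing or not the 80 bytes nginx expects, so a bad file can never become the active encryption key.

```shell
#!/bin/sh
# Added example: rotate a next/current/previous ssl_session_ticket_key set.
# nginx uses the FIRST ssl_session_ticket_key listed for encrypting new
# tickets and the remaining ones only for decryption, so the config must
# list current.key first, then next.key and previous.key.
set -eu

# Write a fresh 80-byte ticket key (80 bytes selects AES-256 in nginx;
# 48 bytes would select AES-128). Falls back to /dev/urandom if openssl
# is not installed.
gen_ticket_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand 80 > "$1"
    else
        head -c 80 /dev/urandom > "$1"
    fi
    chmod 0600 "$1"
}

# rotate_ticket_keys DIR: previous <- current <- next, then mint a new next.
# Returns 1 (without touching anything) if next.key is absent or malformed.
rotate_ticket_keys() {
    dir="$1"
    [ -f "$dir/next.key" ] || { echo "missing $dir/next.key" >&2; return 1; }
    size=$(wc -c < "$dir/next.key")
    [ "$size" -eq 80 ] || { echo "next.key is $size bytes, expected 80" >&2; return 1; }

    mv "$dir/current.key" "$dir/previous.key"
    mv "$dir/next.key" "$dir/current.key"
    gen_ticket_key "$dir/next.key"
    # In a cluster, copy the new next.key to every server (e.g. rsync) before
    # the next rotation; it is not used for encryption until it becomes
    # current.key, so every node can already decrypt tickets sealed with it.

    # Test the config before reloading; NGINX_RELOAD is a hypothetical hook so
    # the function can be exercised without a running nginx.
    sh -c "${NGINX_RELOAD:-nginx -t -q && nginx -s reload}"
}
```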
