Hello!

On Sat, Sep 28, 2013 at 10:37:39PM +0400, kyprizel wrote:

> On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora <piotr@cloudflare.com> wrote:
>
> > Hi,
> >
> > > My patch was designed not to use multiple keyfiles and keynames in nginx
> > > config so it's able to rotate keys with simple logic, only updating
> > keyfile.
> >
> > IMHO, that makes the key rollover much harder than it should be, that
> > is: you need to regenerate keyfile with number of older keys + new one
> > vs just add new key (and optionally remove some of the old ones).
> >
> >
> That depends on key distribution scheme - you can distribute only new keys
> and store old keys on nginx server only.
> But with your patch you should also rotate "default" key in nginx config
> and it complicates the logic (in my schema) a bit.
> Anyway - I'm not sure if keyname is meaningful parameter in periodic key
> rotation scheme. For me - it is not.

I agree that logic suggested by Piotr looks a bit too complicated.
On the other hand, the one in your patch doesn't looks easy for
automation as well. I don't think it would be trivial to generate
keys in PEM format (feel free to prove I'm wrong), and rotate them
once they are in a single file.

BTW, just in case somebody haven't seen this before, here is a
link for relevant Apache directive which uses 48-byte binary file:

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessionticketkeyfile

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel