Re: Distributed SSL session cache

kyprizel
September 30, 2013 12:16PM
$ openssl rand -base64 48 \
  | awk '{print "-----BEGIN SESSION TICKET KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' >> ticket.key.new \
  && cat ticket.key \
  | awk 'sa==1{n++;sa=1} /-----BEGIN SESSION TICKET KEY-----/{sa=1;X=2} {if(n<3*X){print;}}' >> ticket.key.new \
  && mv ticket.key.new ticket.key

Stores not more than X=2 old keys plus the new one; you can add it to a cron file.

I know it's weird to use awk, but I only try to illustrate that it's not a
big problem to rotate keys with my schema ;) But you can't rotate keys with a
one-liner if you use the "one key per file" schema - there'll be too big a
probability of a mistake during nginx config parsing.


On Mon, Sep 30, 2013 at 7:31 PM, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Mon, Sep 30, 2013 at 07:14:59PM +0400, kyprizel wrote:
>
> > $ openssl rand -base64 48 \
> >   | awk '{print "-----BEGIN SESSION TICKET KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' >> ticket.key.new \
> >   && cat ticket.key >> ticket.key.new && mv ticket.key.new ticket.key
> >
> > There is no difference b/w binary and PEM form here, but I prefer to see
> > config files in printable characters.
>
> I would prefer printable configs as well. But I don't really
> think that adding PEM header/footer with awk counts as a trivial
> way to do things. It's not something an ordinary admin can do
> with at least a 50% chance of getting a correct result the first
> time.
>
> And, BTW, your key rotation lacks removal of an old key, which
> makes it unusable. A correct implementation will require keeping
> each key in its own file - which essentially makes the "single file
> per key" approach more natural.
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
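The two one-liners above (kyprizel's first version, which only prepends a key, and the second, which also drops keys beyond X=2 by counting lines) can be written as a small script that counts keys by their BEGIN markers instead of by line number and replaces the file atomically. This is an added example, not code from the thread or from nginx; it assumes the PEM-style multi-key file layout kyprizel's one-liner produces (one BEGIN line, one base64 line, one END line per key, newest key first), which is the layout under discussion in this thread and not the raw binary one-key-per-file format stock nginx reads. The file path and the function names `rotate_ticket_keys`, `count_keys` and `first_key` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: rotate session ticket keys kept in one
# PEM-style file of the layout kyprizel's one-liner produces (BEGIN line,
# one base64 line, END line per key). Newest key goes first; at most KEEP
# old keys are retained after it. Paths and function names are hypothetical.
set -eu

TICKET_BEGIN='-----BEGIN SESSION TICKET KEY-----'
TICKET_END='-----END SESSION TICKET KEY-----'

# 48 random bytes as a single base64 line; falls back to /dev/urandom when
# openssl is not installed.
new_key_b64() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 48
    else
        head -c 48 /dev/urandom | base64 | tr -d '\n'
        echo
    fi
}

# rotate_ticket_keys FILE [KEEP]: prepend a fresh key, keep at most KEEP old
# keys after it, and replace FILE with a single mv so a reader never sees a
# half-written file.
rotate_ticket_keys() {
    file=$1
    keep=${2:-2}
    tmp="$file.new"
    (
        umask 077                      # key material is secret: owner-only
        {
            printf '%s\n' "$TICKET_BEGIN"
            new_key_b64
            printf '%s\n' "$TICKET_END"
            if [ -f "$file" ]; then
                # Count keys by their BEGIN marker rather than by line number,
                # so blank lines or comments in the file do not shift the cut.
                awk -v max="$keep" -v begin="$TICKET_BEGIN" '
                    $0 == begin { n++ }
                    n <= max    { print }
                ' "$file"
            fi
        } > "$tmp"
    )
    mv "$tmp" "$file"
}

# count_keys FILE: number of keys currently in FILE.
count_keys() {
    grep -c -F -x -- "$TICKET_BEGIN" "$1" || :
}

# first_key FILE: base64 of the newest key, the first one in the file.
first_key() {
    awk -v begin="$TICKET_BEGIN" '$0 == begin { getline; print; exit }' "$1"
}
```

Run as `rotate_ticket_keys /path/to/ticket.key 2` from cron; the `umask 077` in the subshell keeps the new file owner-readable only, and the final `mv` is the same atomic-replace step both one-liners rely on. Counting BEGIN markers rather than multiplying X by three lines per key is what makes the cut robust to a stray blank line, which is the kind of "config parsing mistake" the thread worries about.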