Re: Distributed SSL session cache

Maxim Dounin
September 30, 2013 02:02PM
Hello!

On Mon, Sep 30, 2013 at 08:15:34PM +0400, kyprizel wrote:

> $ openssl rand -base64 48 | awk '{print "-----BEGIN SESSION TICKET
> KEY-----"; print; print "-----END SESSION TICKET KEY-----"}' >>
> ticket.key.new && cat ticket.key | awk 'sa==1{n++;sa=1}/-----BEGIN SESSION
> TICKET KEY-----/{sa=1;X=2}{if(n<3*X){print;}}' >> ticket.key.new && mv
> ticket.key.new ticket.key
>
> store not more than X=2 old keys + new one, you can add it to cron file.
>
> I know it's weird to use awk, but I only try to illustrate that it's not a
> big problem to rotate keys with my schema ;)

While it's not a big problem, it's certainly not something
trivial.

> But you can't rotate keys with
> a oneliner if you use "one key per file schema" - there'll be too big a
> probability of mistake during nginx config parsing.

Huh? Even trivial

$ mv key.new key.old && openssl rand 48 > key.new

would be fine as in a worst case a new configuration will just
fail to load. And

$ cp key.new key.old.tmp && mv key.old.tmp key.old \
&& openssl rand 48 > key.new.tmp && mv key.new.tmp key.new

is atomic.

--
Maxim Dounin
http://nginx.org/en/donation.html
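
The one-key-per-file rotation from the reply above, written out as a reusable function. This is an added example, not part of the original post or of nginx itself. The function names `rotate_ticket_keys` and `gen_key`, the directory argument, the temporary file names and the `/dev/urandom` fallback are assumptions; `key.new` and `key.old` follow the post.

```shell
#!/bin/sh
# Added example: rotate TLS session ticket keys, one 48-byte key per file.
# key.new / key.old follow the post; everything else is an assumption.

gen_key() {
    # Prefer openssl as in the post; fall back to the kernel CSPRNG.
    if command -v openssl >/dev/null 2>&1; then
        openssl rand 48
    else
        head -c 48 /dev/urandom
    fi
}

rotate_ticket_keys() {
    dir=$1
    new="$dir/key.new"
    old="$dir/key.old"
    (
        umask 077    # key files are created readable by the owner only
        # Temporary files sit in the same directory as the targets, so each
        # mv is a rename on one filesystem and never exposes a partial file.
        tmp_new="$dir/key.new.tmp.$$"
        tmp_old="$dir/key.old.tmp.$$"
        trap 'rm -f "$tmp_new" "$tmp_old"' EXIT

        # Generate and validate the next key before touching live files;
        # a failure here leaves key.new and key.old exactly as they were.
        gen_key > "$tmp_new" || exit 1
        size=$(wc -c < "$tmp_new")
        [ "$((size))" -eq 48 ] || exit 1

        # Demote the current key so tickets issued under it still decrypt.
        if [ -f "$new" ]; then
            cp "$new" "$tmp_old" || exit 1
            mv "$tmp_old" "$old" || exit 1
        fi
        # Promote the fresh key last.
        mv "$tmp_new" "$new"
    )
}
```

Between the two renames both files hold the same key, so a configuration load at that instant still sees valid 48-byte files. Reloading the server after rotation is left to the caller.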
