On 30.09.2011 14:33, Paul Querna wrote:
> On Fri, Sep 30, 2011 at 12:38 AM, Rainer Jung <[email protected]> wrote:
>> On 30.09.2011 08:08, Paul Querna wrote:
>>> Hiya,
>> So do we actually need to worry about the keys?
>
> If you don't set anything, OpenSSL randomly generates a key
> per-SSL_CTX. This is useful in a single server environment, as it
> generally "just works", and should be less load than using the normal
> ssl session cache.
>
> The reason you would want to set the keys is so that you can have
> multiple Apache instances terminating SSL. If they all use the same
> certificate and ticket key, then you can essentially share SSL
> Sessions between nodes without using a cache like memcached, by
> relying upon the client to share state with the other SSL terminator.

Ahh, right, I was actually thinking about a non SSL-sticky balanced farm, but didn't know how it would behave and forgot to write about it. Thanks for the info. That would definitely be a nice feature. Would it be safe to use a statically defined key? Only as long as the config file is safe?

Regards,

Rainer
