On Wednesday, 21 August 2013, 12:37:53, Dr Stephen Henson wrote:
> > It would be desirable (perhaps) if we could rotate keys faster
> > than once  the server lifetime, but this is shared state across
> > the server so that is definitely non-trivial.
> >
> > 
> 
> Yes you'd need a shared cache if the key couldn't be found locally
> and renew it periodically. A bit like how OCSP stapling works IIRC.

From the httpd code it is not obvious to me, so I ask: Is the current
behavior to only generate the ticket key at server startup or is it
regenerated at every graceful restart? If the former, would
changing the behavior to the latter make sense? That would give a key 
lifetime of 1 day for all setups that do logrotate with a graceful 
restart.
