On 01/09/2013 12:36, Stefan Fritsch wrote:
> On Wednesday, 21 August 2013, 12:37:53, Dr Stephen Henson wrote:
>>> It would be desirable (perhaps) if we could rotate keys faster
>>> than once per server lifetime, but this is shared state across
>>> the server so that is definitely non-trivial.
>>
>> Yes you'd need a shared cache if the key couldn't be found locally
>> and renew it periodically. A bit like how OCSP stapling works IIRC.
>
> From the httpd code it is not obvious to me, so I ask: Is the current
> behavior to only generate the ticket key at server startup or is it
> regenerated at every graceful restart? If the former, would
> changing the behavior to the latter make sense? That would give a key
> lifetime of 1 day for all setups that do logrotate with a graceful
> restart.
By default OpenSSL will create one set of ticket keys per SSL_CTX, though
they can be set or read by API calls. So if a graceful restart frees up and
reallocates the SSL_CTX structure then you'll get new keys. I'm not sure it
does. If SSLSessionTicketKeyFile is set then that is used instead though.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775
[email protected]
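The "rotate the key on logrotate plus graceful restart" scheme Stefan describes can be driven by a small script around SSLSessionTicketKeyFile. The following is an added example, not code from the thread or from the httpd or OpenSSL projects: it writes a fresh key file atomically with owner-only permissions and then issues a graceful restart so httpd re-reads it. It assumes a Unix host with /dev/urandom (or an `openssl` binary), that httpd expects a 48-byte key file as its documentation states, and that the key path and the `apachectl` location are placeholders to be adjusted locally.

```shell
#!/bin/sh
# Added example (not from the thread): rotate the key file behind httpd's
# SSLSessionTicketKeyFile, then trigger a graceful restart. Assumes a
# Unix host with /dev/urandom or an openssl binary; the key file path and
# APACHECTL location are placeholders.

# httpd's SSLSessionTicketKeyFile expects exactly 48 bytes of random data
# (16-byte key name, 16-byte AES key, 16-byte HMAC key).
TICKET_KEY_BYTES=48

# Write a fresh key to $1 atomically with mode 0600, so httpd never reads a
# partial file and the key is never world-readable, not even briefly.
rotate_ticket_key() {
    keyfile=$1
    tmp="$keyfile.tmp.$$"
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand "$TICKET_KEY_BYTES" > "$tmp"
        else
            head -c "$TICKET_KEY_BYTES" /dev/urandom > "$tmp"
        fi
    ) || { rm -f "$tmp"; return 1; }
    # Refuse to install a short key (e.g. a failed read from the entropy source).
    if [ "$(wc -c < "$tmp" | tr -d ' ')" -ne "$TICKET_KEY_BYTES" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$keyfile"
}

# Return 0 if $1 looks like a usable ticket key file: 48 bytes, owner-only
# permissions. Useful as a pre-flight check before restarting httpd.
check_ticket_key() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$TICKET_KEY_BYTES" ] || return 1
    case "$(ls -l "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point for a cron or logrotate hook, e.g.
#   ./rotate-ticket-key.sh --rotate /etc/httpd/ssl/ticket.key
# (placeholder path). Runs only when invoked with --rotate, so sourcing the
# file just defines the functions.
if [ "${1:-}" = "--rotate" ]; then
    rotate_ticket_key "${2:?keyfile path required}" || exit 1
    check_ticket_key "$2" || exit 1
    # A graceful restart re-reads SSLSessionTicketKeyFile without dropping
    # in-flight connections. APACHECTL is a placeholder for the local binary.
    "${APACHECTL:-apachectl}" -k graceful
fi
```

Two caveats follow from the thread itself. With a single key file, each rotation invalidates every ticket issued under the previous key, so clients fall back to a full handshake once per rotation; that is the price of a one-day key lifetime. And because the key is shared state across the server, a multi-node deployment has to distribute the same file to every node before the graceful restart, which is the shared-cache problem Steve points at.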
