My thought was to add support for either multiple files or multiple values in the existing `SSLSessionTicketKeyFile`, then add support to decrypt from any of the known keys, and have a setting (or the first loaded key) that would be used to encrypt all new keys. This would allow for rotation in a reasonable manner.
On Fri, Mar 18, 2016 at 6:55 AM, Yann Ylavic <[email protected]> wrote:
> Currently this can be done by using a (shared) SSLSessionTicketKeyFile
> and gracefully restarting httpd instances, but there is room for
> improvements here.
>
> Thoughts?
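The rotation scheme proposed above (one key encrypts every new ticket, any still-loaded key may decrypt, old keys are dropped once their tickets have aged out) as an added, stand-alone example; this is not httpd or mod_ssl code. It assumes a ticket layout of 16-byte key name followed by nonce and AES-128-GCM ciphertext, and uses that AEAD in place of a CBC-plus-HMAC construction; the `KeyRing`, `Seal` and `Open` names are illustrative.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrUnknownKey: the ticket names a key no longer in the ring. A server would
// fall back to a full handshake and issue a fresh ticket under the primary key.
var ErrUnknownKey = errors.New("ticket key name not in ring")

// TicketKey is one session-ticket key. The 16-byte name travels in the clear
// inside the ticket so the server can select the right key. Layout is an
// assumption for this example, not mod_ssl's file format.
type TicketKey struct {
	Name   [16]byte
	AESKey [16]byte
}

// NewRandomKey draws a fresh name and AES-128 key from the OS CSPRNG.
func NewRandomKey() (TicketKey, error) {
	var k TicketKey
	if _, err := io.ReadFull(rand.Reader, k.Name[:]); err != nil {
		return k, err
	}
	_, err := io.ReadFull(rand.Reader, k.AESKey[:])
	return k, err
}

// KeyRing holds every key the server still accepts. keys[0] encrypts all new
// tickets; every key in the ring may decrypt. Rotation is: push a new key to
// the front, then trim the tail once the old tickets are past their lifetime.
type KeyRing struct {
	keys []TicketKey
}

// AddFront makes k the new encryption key; older keys remain for decryption.
func (r *KeyRing) AddFront(k TicketKey) { r.keys = append([]TicketKey{k}, r.keys...) }

// Trim retires the oldest keys so that at most n remain.
func (r *KeyRing) Trim(n int) {
	if n >= 0 && len(r.keys) > n {
		r.keys = r.keys[:n]
	}
}

func (r *KeyRing) Len() int { return len(r.keys) }

// Primary returns the key currently used to encrypt new tickets.
func (r *KeyRing) Primary() (TicketKey, bool) {
	if len(r.keys) == 0 {
		return TicketKey{}, false
	}
	return r.keys[0], true
}

func aeadFor(k TicketKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.AESKey[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts serialized session state under the primary key.
// Ticket layout: name(16) || nonce(12) || AES-GCM(state), with name as AAD
// so a ticket cannot be re-pointed at a different key name.
func (r *KeyRing) Seal(state []byte) ([]byte, error) {
	k, ok := r.Primary()
	if !ok {
		return nil, errors.New("key ring is empty")
	}
	aead, err := aeadFor(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, k.Name[:]...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, state, k.Name[:]), nil
}

// Open selects the key by the name carried in the ticket and decrypts with it.
func (r *KeyRing) Open(ticket []byte) ([]byte, error) {
	if len(ticket) < 16 {
		return nil, errors.New("ticket too short")
	}
	var name [16]byte
	copy(name[:], ticket[:16])
	for _, k := range r.keys {
		if k.Name != name {
			continue
		}
		aead, err := aeadFor(k)
		if err != nil {
			return nil, err
		}
		ns := aead.NonceSize()
		if len(ticket) < 16+ns+aead.Overhead() {
			return nil, errors.New("ticket too short")
		}
		return aead.Open(nil, ticket[16:16+ns], ticket[16+ns:], name[:])
	}
	return nil, ErrUnknownKey
}

func main() {
	ring := &KeyRing{}
	k1, _ := NewRandomKey()
	ring.AddFront(k1)
	old, _ := ring.Seal([]byte("session state issued under k1")) // constructed sample state

	k2, _ := NewRandomKey()
	ring.AddFront(k2) // rotate: k2 now encrypts, k1 still decrypts
	state, err := ring.Open(old)
	fmt.Println(bytes.Equal(state, []byte("session state issued under k1")), err) // true <nil>

	ring.Trim(1) // retire k1: its tickets now force a full handshake
	_, err = ring.Open(old)
	fmt.Println(errors.Is(err, ErrUnknownKey)) // true
}
```

The ring size bounds how long a compromised retired key keeps old tickets decryptable, so `Trim` should be driven by the ticket lifetime rather than by restarts; with the key name as AAD, a ticket under a retired key fails cleanly instead of being tried against the wrong key.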
