❦ 24 February 2015 15:17 +0100, Nenad Merdanovic <nmer...@anine.io> :

> +tls-ticket-keys <keyfile>
> + Sets the TLS ticket keys file to load the keys from. The keys need to be 48
> + bytes long, encoded with base64 (ex. openssl rand -base64 48). Number of keys
> + is specified by the TLS_TICKETS_NO build option (default 3) and at least as
> + many keys need to be present in the file. Last TLS_TICKETS_NO keys will be
> + used for decryption and only the last one for encryption. This enables easy
> + key rotation by just appending new key to the file and reloading the process.

It would be nice to add a note that without proper rotation, PFS is
compromised by the use of TLS tickets. People may not understand why they
need to put 3 keys in this file and may never change them.

Great feature!
-- 
Don't over-comment.
            - The Elements of Programming Style (Kernighan & Plauger)
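Review bot: the documentation for tls-ticket-keys describes the file format and the rotation mechanism but not the security consequence of skipping rotation, which is the part an operator most needs: a ticket key that is never replaced protects every session resumed under it, so anyone who later obtains the key file can recover those sessions, and the forward secrecy of the handshake is lost for as long as that key stays in use. Suggest adding, after "reloading the process.", a sentence along the lines of "Keys should be rotated regularly (e.g. on a fixed schedule); keeping the same keys indefinitely defeats the forward secrecy the cipher suites otherwise provide." and a note that the key file should be readable only by the user haproxy runs as, since it is as sensitive as the private key. Two smaller points in the same hunk: the text says "at least as many keys need to be present in the file" but does not say what happens when fewer are present (refuse to start, or warn and continue), and it says "Last TLS_TICKETS_NO keys will be used" without stating that earlier keys in a longer file are ignored; both behaviours should be spelled out so that a truncated or over-long file is not misread. Minor grammar: "appending new key" should read "appending a new key".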
> +tls-ticket-keys <keyfile> > + Sets the TLS ticket keys file to load the keys from. The keys need to be 48 > + bytes long, encoded with base64 (ex. openssl rand -base64 48). Number of > keys > + is specified by the TLS_TICKETS_NO build option (default 3) and at least as > + many keys need to be present in the file. Last TLS_TICKETS_NO keys will be > + used for decryption and only the last one for encryption. This enables easy > + key rotation by just appending new key to the file and reloading the > process. It would be nice to add a note that without proper rotation, PFS is compromised by the use of TLS tickets. People may not understand why they need to put 3 keys in this file and may never change them. Great feature! -- Don't over-comment. - The Elements of Programming Style (Kernighan & Plauger)