❦ 24 February 2015 15:17 +0100, Nenad Merdanovic <nmer...@anine.io> :

> +tls-ticket-keys <keyfile>
> +  Sets the TLS ticket keys file to load the keys from. The keys need to be 48
> +  bytes long, encoded with base64 (ex. openssl rand -base64 48). Number of 
> keys
> +  is specified by the TLS_TICKETS_NO build option (default 3) and at least as
> +  many keys need to be present in the file. Last TLS_TICKETS_NO keys will be
> +  used for decryption and only the last one for encryption. This enables easy
> +  key rotation by just appending new key to the file and reloading the 
> process.
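Review bot: the size wording in the first sentence is ambiguous: "The keys need to be 48 bytes long, encoded with base64" can be read as 48 base64 characters, whereas `openssl rand -base64 48` prints 64 characters that decode to 48 bytes. Say that each key is 48 random bytes written as one base64 line, and state the file layout ("one key per line") explicitly, so the "appending new key to the file" rotation step and the "Last TLS_TICKETS_NO keys" ordering are unambiguous.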

It would be nice to add a note that without proper rotation, PFS is
compromised by the use of TLS tickets. People may not understand why
they need to put 3 keys in this file and may never change them.

Great feature!
-- 
Don't over-comment.
            - The Elements of Programming Style (Kernighan & Plauger)
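The rotation the patch describes (append a key, only the last TLS_TICKETS_NO are kept, the last one encrypts) can be scripted; the following is an added example, not code from the patch or from haproxy, and it assumes the file holds one base64-encoded 48-byte key per line with the default of 3 keys:

```python
"""Validate and rotate a TLS ticket key file of the format quoted above.

Added example, not haproxy's own code.  Assumed layout: one base64 line per
key, each decoding to 48 bytes; TLS_TICKETS_NO (default 3) keys are kept.
"""
import base64
import binascii
import os

KEY_LEN = 48          # decoded key length required by the documentation
TLS_TICKETS_NO = 3    # default number of keys loaded (build option)


def format_keys(keys):
    """Serialise raw keys as one base64 line each, oldest first."""
    return "".join(base64.b64encode(k).decode() + "\n" for k in keys)


def parse_keys(text):
    """Return the decoded keys; raise ValueError on a malformed file."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            raw = base64.b64decode(line, validate=True)
        except binascii.Error as exc:
            raise ValueError("line %d: not base64 (%s)" % (lineno, exc))
        if len(raw) != KEY_LEN:
            raise ValueError("line %d: key is %d bytes, expected %d"
                             % (lineno, len(raw), KEY_LEN))
        keys.append(raw)
    if len(keys) < TLS_TICKETS_NO:
        raise ValueError("need at least %d keys, found %d"
                         % (TLS_TICKETS_NO, len(keys)))
    return keys


def rotate(text, new_key=None):
    """Append a fresh key and keep only the last TLS_TICKETS_NO keys.

    The appended key becomes the encryption key; the older kept keys still
    decrypt tickets issued before the rotation, so existing sessions keep
    resuming while the oldest key drops out of use.  A reload is needed
    for the running process to pick up the new file.
    """
    keys = parse_keys(text)
    keys.append(new_key if new_key is not None else os.urandom(KEY_LEN))
    return format_keys(keys[-TLS_TICKETS_NO:])
```

Run from cron at the interval you are willing to leave recorded traffic decryptable, write the output back to the key file and reload haproxy.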
