On 24/02/2015 04:57 PM, Nenad Merdanovic wrote:
> Hello Vincent, Lucas
>
> On 2/24/2015 4:56 PM, Lukas Tribus wrote:
>>> It would be nice to add a note that without proper rotation, PFS is
>>> compromised by the use of TLS tickets. People may not understand why
>>> they need to put 3 keys in this file and may never change them.
>>
>> Agreed, we have to clarify that a never-changing tls-tickets-keys
>> file is worse than no file at all.
>>
>
> Done! I'll wait for more comments from the ML before sending the updated patchset.
>
-- Use the stats socket to update the list without a reload.
-- Update the Session state at disconnection log schema to include something useful in case the server receives a ticket which was encrypted with a key that is no longer in the list. Debugging SSL problems is a nightmare by definition, and having a lot of debug information is very much appreciated by sysadmins.
-- Possibly use the peer logic to sync the list to the others; tricky, but it is required when you have several LBs. Alternatively, users can deploy the logic that Twitter has used.

Excellent work guys, thank you.
Pavlos
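The rotation the thread asks users to understand, as an added example that is not part of the thread or of the patchset under review. A ticket key that never changes lets anyone who later obtains it decrypt every recorded session that was resumed with it, which is why a static tls-ticket-keys file is worse than letting the key change on each restart. The script below appends a fresh key, drops the oldest so the file keeps three, swaps the file in atomically, and optionally pushes the new key to a running HAProxy. It assumes the key format HAProxy later documented (one key per line, 48 random bytes base64-encoded), that HAProxy encrypts with the penultimate key and only decrypts with the last one, that the runtime command is "set ssl tls-key", and that the socket path is a placeholder; none of that is stated in the thread.

```shell
#!/bin/sh
# Added example, not code from this thread or from the HAProxy patchset under review:
# rotate an HAProxy tls-ticket-keys file so a static ticket key never undermines PFS.
#
# Assumptions (nothing here is stated in the thread):
#   - one key per line, 48 random bytes base64-encoded (64 characters), the format
#     HAProxy later documented for tls-ticket-keys;
#   - HAProxy encrypts new tickets with the penultimate key and only decrypts with the
#     last one, so a freshly appended key can be pushed to every LB before it is used;
#   - the runtime command is "set ssl tls-key <keyfile> <key>" on the stats socket,
#     and the socket path below is a placeholder.
set -eu

KEY_B64_LEN=64   # base64 length of 48 bytes: 16-byte name + 16-byte AES key + 16-byte HMAC key
KEEP=3           # keys kept in the file: HAProxy wants at least three

# gen_tls_ticket_key: print one fresh base64 ticket key from the system CSPRNG.
gen_tls_ticket_key() {
    openssl rand -base64 48
}

# valid_tls_ticket_key KEY: succeed only if KEY is exactly 64 base64 characters.
valid_tls_ticket_key() {
    key=$1
    [ "${#key}" -eq "$KEY_B64_LEN" ] || return 1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
}

# count_keys FILE: number of keys currently in FILE.
count_keys() {
    wc -l < "$1" | tr -d ' '
}

# rotate_tls_ticket_keys FILE NEWKEY [KEEP]: append NEWKEY, drop the oldest keys so
# that only KEEP remain, and swap the file in atomically so a concurrent reload never
# sees a half-written key list. A key already in the file is refused: reusing one
# would silently stretch its lifetime.
rotate_tls_ticket_keys() {
    file=$1 newkey=$2 keep=${3:-$KEEP}
    valid_tls_ticket_key "$newkey" || { echo "rotate: malformed key" >&2; return 1; }
    if [ -f "$file" ] && grep -qxF -- "$newkey" "$file"; then
        echo "rotate: key already present, refusing to reuse it" >&2
        return 1
    fi
    tmp=$(mktemp "$file.XXXXXX")
    chmod 600 "$tmp"
    { [ -f "$file" ] && cat "$file"; echo "$newkey"; } | tail -n "$keep" > "$tmp"
    mv -f "$tmp" "$file"
}

# push_tls_ticket_key SOCKET FILE NEWKEY: hand the new key to the running HAProxy so
# no reload is needed. Skipped silently when socat or the socket is absent.
push_tls_ticket_key() {
    sock=$1 file=$2 newkey=$3
    command -v socat >/dev/null 2>&1 && [ -S "$sock" ] || return 0
    printf 'set ssl tls-key %s %s\n' "$file" "$newkey" | socat stdio "UNIX-CONNECT:$sock"
}

# Usage: tls-ticket-rotate.sh rotate /etc/haproxy/tls-ticket-keys [/var/run/haproxy.sock]
# Meant to run from cron at the interval after which old tickets should stop working.
if [ "${1:-}" = "rotate" ]; then
    keyfile=$2
    sock=${3:-/var/run/haproxy.sock}   # placeholder path, adjust to your stats socket
    key=$(gen_tls_ticket_key)
    rotate_tls_ticket_keys "$keyfile" "$key"
    push_tls_ticket_key "$sock" "$keyfile" "$key"
fi
```

With several LBs, run the rotation on one node, copy the file to the others and push the same key to each socket before the next rotation, so the key that encrypts on one node can always decrypt on all of them; that is the manual version of the peer-sync Pavlos asks for.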