Hello Lukas,
On 2/25/2015 9:09 PM, Lukas Tribus wrote:
> If a site has N haproxy hosts, how should new ticket-keys be
> distributed (and processes reloaded) and avoid the race condition of
> some hosts using the new keys before those keys are on all hosts?
You distribute the new key to all instances for decryption, but use
the penultimate key for encryption instead of the ultimate key:
https://blog.cloudflare.com/tls-session-resumption-full-speed-and-secure/
Currently there is no choice about which key to use, so maybe we should
just default to the penultimate?
Regards,
Nenad
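The scheme Nenad describes (every host accepts the whole key ring for decryption, but issues tickets under the penultimate key rather than the newest one), as an added simulation that is not part of this thread and not HAProxy's own code. It assumes the key-file layout used with OpenSSL's ticket callback (one base64 line per 48-byte key: 16-byte key name, 16-byte cipher key, 16-byte HMAC key) and a ring of the last three keys; the HMAC-based keystream is a stand-in for AES so the example runs with the standard library alone, since key selection, not the cipher, is what the rollout race depends on.

```python
import base64
import hashlib
import hmac
import os

KEY_LEN = 48   # assumed layout: 16-byte key name + 16-byte cipher key + 16-byte HMAC key
RING_SIZE = 3  # assumed: a host keeps the last three keys of its file for decryption


def parse_key_file(text):
    """Parse a key file with one base64-encoded 48-byte key per line (blank lines ignored)."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        raw = base64.b64decode(line, validate=True)
        if len(raw) != KEY_LEN:
            raise ValueError("ticket key must be %d bytes, got %d" % (KEY_LEN, len(raw)))
        keys.append(raw)
    return keys


def _keystream(cipher_key, iv, length):
    """Toy keystream (HMAC-SHA256 in counter mode) standing in for AES; not for production use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(cipher_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class TicketKeyRing:
    """Holds the last RING_SIZE keys of a key file. Every key in the ring is accepted for
    decryption; new tickets are issued under the penultimate key (or the newest, for comparison)."""

    def __init__(self, keys, encrypt_with="penultimate"):
        if not keys:
            raise ValueError("need at least one ticket key")
        self.keys = keys[-RING_SIZE:]
        self.by_name = {k[:16]: k for k in self.keys}
        if encrypt_with == "newest" or len(self.keys) < 2:
            self.encrypt_key = self.keys[-1]
        else:
            self.encrypt_key = self.keys[-2]

    def encrypt(self, session_state):
        name, cipher_key, hmac_key = self.encrypt_key[:16], self.encrypt_key[16:32], self.encrypt_key[32:]
        iv = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(session_state, _keystream(cipher_key, iv, len(session_state))))
        mac = hmac.new(hmac_key, name + iv + ct, hashlib.sha256).digest()
        return name + iv + ct + mac  # key name in the clear lets the receiver pick the right key

    def decrypt(self, ticket):
        """Return the session state, or None when the key name is unknown or the MAC fails
        (a real server then silently falls back to a full handshake)."""
        if len(ticket) < 16 + 16 + 32:
            return None
        name, iv, ct, mac = ticket[:16], ticket[16:32], ticket[32:-32], ticket[-32:]
        key = self.by_name.get(name)
        if key is None:
            return None
        cipher_key, hmac_key = key[16:32], key[32:]
        expected = hmac.new(hmac_key, name + iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        return bytes(a ^ b for a, b in zip(ct, _keystream(cipher_key, iv, len(ct))))


def rollout_resumes_everywhere(n_hosts, n_reloaded, encrypt_with):
    """Simulate a partial rollout: n_reloaded hosts run the new key file (old file plus one
    appended key), the others still run the old file. True only if a ticket issued by any
    host resumes on every other host; the keys and session state are constructed inline."""
    old_file = "\n".join(base64.b64encode(os.urandom(KEY_LEN)).decode() for _ in range(RING_SIZE))
    new_file = old_file + "\n" + base64.b64encode(os.urandom(KEY_LEN)).decode()
    hosts = [TicketKeyRing(parse_key_file(new_file if i < n_reloaded else old_file), encrypt_with)
             for i in range(n_hosts)]
    state = b"constructed session state: master secret, cipher suite, ..."
    for issuer in hosts:
        ticket = issuer.encrypt(state)
        for resumer in hosts:
            if resumer.decrypt(ticket) != state:
                return False
    return True
```

With "newest", a reloaded host issues tickets under the appended key, which the hosts still on the old file cannot decrypt, so resumption fails until the rollout completes; with "penultimate", the issuing key is always one that both the old and the new file contain. The caveat is that this only tolerates one generation of lag: appending a second key before every host has picked up the first reintroduces the race, so rotation has to wait for the previous reload to finish everywhere.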