If we have multiple keyfiles - I like the idea of marking some key as default.
On Wed, Oct 2, 2013 at 12:47 PM, Piotr Sikora <pi...@cloudflare.com> wrote: > Hello Maxim, > > > As previously noted, the patch description is wrong. It also > > make sense to add some description of the directive added. > > Yeah, will do. > > > This makes the directive unavailable without any meaningfull > > diagnostics if nginx was build with old OpenSSL, which isn't very > > user-friendly. > > I'll fix that, it makes sense to be a bit more user-friendly :) > > > But actually I doubt we at all need an explicit mark for default > > key. Just using first one for encryption would probably be good > > enough. > > I tend to think that being overly explicit isn't always a bad thing. > In this particular case, users would need to know that the first key > on the list is "active/default" while the rest of them is just old > keys, which is an implementation detail and might not be obvious to > everybody. > > > I also think it would be better to don't rely on an explicitly > > written name, which will make automatic key rotation a pain - as > > one will have to update both name in a configuration file and a > > file with keys. E.g. Apache uses a binary file with 48 bytes of > > random data, which is much easier to generate and rotate if > > needed. > > The reason why I went with the key name in nginx.conf is because it > allows users to use a naming scheme for the keys (ex. YYYYMMDDHH, if > you rotate keys hourly, etc.) instead of random and meaningless names. > > Having said that, I don't mind pushing key name back to the file. > > > Not sure if this code should be here. Other file operations are > > handled in the ngx_event_openssl.c, and doing the same for session > > tickets might be a good idea as well. Especially if you'll > > consider adding relevant directives to the mail module. > > Sure, sounds reasonable. > > I'll send updated patch in a few days. > > Best regards, > Piotr Sikora > > _______________________________________________ > nginx-devel mailing list > nginx-devel@nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel >
_______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel