Hello and many thanks for your reply. On 10/10/2014 10:57 PM, Yichun Zhang (agentzh) wrote:
>> I came to the conclusion that this shouldn't even be in nginx core. OpenSSL should be updated. Of course a few nginx changes would come with that (exposing some configuration settings). There's more that's problematic with session tickets in OpenSSL: only AES128-CBC-SHA256 while ignoring the chosen cipher. Let's hope that some OpenSSL / C crack will update that at some point in the future. Luckily we have now a few forks and ReSSL might be just the project that brings us a real interface to work against.
>
> Hello!
>
> Fortunately this does not have to be in the nginx core :)

I'm currently working on a solution that only relies on a POSIX compatible shell interpreter without any additions to nginx. The only requirement is version 1.5.7 (which you have as well).

> We're using the ngx_lua module [1] to periodically update the session ticket keys from external shared data services (like memcached). To be more specific, we're using ngx_lua's init_worker_by_lua [2] to create a re-occurring timer (via ngx.timer.at [3]) and fetch a new ticket key from external data sources via the nonblocking lua-resty-memcached library [4] and add that into the existing queue used by OpenSSL via LuaJIT FFI [5]. Also, we use the lua_shared_dict [6] to reduce traffic to the external data source online. No patches are needed for the nginx core :) In this "add-on" implementation, the ticket keys are also shared across all our machines.
>
> Best regards,
> -agentzh
>
> [1] https://github.com/openresty/lua-nginx-module
> [2] https://github.com/openresty/lua-nginx-module#init_worker_by_lua
> [3] https://github.com/openresty/lua-nginx-module#ngxtimerat
> [4] https://github.com/openresty/lua-resty-memcached
> [5] http://luajit.org/ext_ffi.html
> [6] https://github.com/openresty/lua-nginx-module#lua_shared_dict

https://github.com/Fleshgrinder/nginx-session-ticket-key-rotation

It's work in progress right now and will only be Debian / Ubuntu compatible when it's finished. I'll also integrate syncing in clusters and compatibility with other operating systems if I find the time.

@anyone If you have the time to review my work and approach, please do so. I'd love feedback!

Regards
Richard

PS: You should open source your solution. :)
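The two approaches in this thread differ in where the rotation happens: agentzh's runs inside nginx via ngx_lua and FFI, while the shell-only approach relies on the ssl_session_ticket_key directive that nginx 1.5.7 introduced, which reads a key file at (re)load time, uses the first listed key for encrypting new tickets and every listed key for decrypting presented ones. The script below is an added example of that file-based scheme and is not code from the thread or from the Fleshgrinder repository. It assumes 48-byte key files (what nginx 1.5.7 expects), three generations named current.key, previous.key and oldest.key, and a key directory such as /etc/nginx/ticket-keys; those names, the directory and the hourly cron schedule mentioned in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: rotate the key files behind nginx's ssl_session_ticket_key.
# nginx encrypts new tickets with the first listed key and decrypts with all
# listed keys, so keeping three generations lets a client resume with a
# ticket issued up to two rotations ago, while anything older is rejected
# and falls back to a full handshake.
# Assumptions: 48-byte keys (nginx 1.5.7 format), file names below, cron use.

KEY_LEN=48

# Size of a file in bytes (wc pads with spaces on some systems).
key_size() {
    wc -c < "$1" | tr -d ' '
}

# Write KEY_LEN random bytes to $1: mode 0600 via umask, written to a temp
# file first and renamed so nginx never sees a partially written key.
generate_ticket_key() {
    dest="$1"
    tmp="$dest.tmp.$$"
    ( umask 077 && dd if=/dev/urandom of="$tmp" bs="$KEY_LEN" count=1 2>/dev/null ) || return 1
    # A short read from /dev/urandom would yield a key nginx refuses to load.
    if [ "$(key_size "$tmp")" -ne "$KEY_LEN" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}

# Shift current -> previous -> oldest, mint a new current key, and make sure
# all three files exist so the nginx config referencing them passes nginx -t
# even on the very first run.
rotate_ticket_keys() {
    dir="$1"
    [ -d "$dir" ] || return 1
    if [ -f "$dir/previous.key" ]; then
        mv "$dir/previous.key" "$dir/oldest.key"
    fi
    if [ -f "$dir/current.key" ]; then
        mv "$dir/current.key" "$dir/previous.key"
    fi
    generate_ticket_key "$dir/current.key" || return 1
    for name in previous oldest; do
        if [ ! -f "$dir/$name.key" ]; then
            generate_ticket_key "$dir/$name.key" || return 1
        fi
    done
}

# Reload only after the config check passes: nginx keeps the old keys in
# memory until a successful reload, so a failed reload would silently keep
# issuing tickets under the key that was just rotated out on disk.
reload_nginx() {
    nginx -t && nginx -s reload
}

# Typical use from a cron job (assumed hourly):
#   rotate_ticket_keys /etc/nginx/ticket-keys && reload_nginx
```

In nginx.conf the three files are listed as three ssl_session_ticket_key directives with current.key first, since only the first key encrypts. The product of the rotation interval and the number of generations caps how long a ticket stays resumable, so it should be chosen together with ssl_session_timeout; rotating faster than that timeout just turns resumptions into full handshakes. The reload step is what actually discards the old encryption key from memory, which is the forward-secrecy point of rotating at all.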
_______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel