Hi! Recently nginx implemented support for ssl_session_ticket_key, which allows setting up key(s) for SSL ticket encryption explicitly. This is useful when multiple nginx servers must share the same set of keys in order for any server to accept tickets issued by any other server.
The key file is an opaque 48 byte long blob. Internally this data is partitioned as follows (ngx_ssl_ticket_session_keys, ngx_event_openssl.c):

  - a key name (16 bytes)
  - encryption key (16 bytes)
  - hmac key (16 bytes)

Without nginx customization OpenSSL partitions the key data another way (ssl3_ctx_ctrl in openssl):

  - a key name (16 bytes)
  - hmac key (16 bytes)
  - encryption key (16 bytes)

This creates a certain compatibility issue. Though I didn't verify it, presumably Apache's mod_ssl isn't going to understand nginx SSL session tickets even though both servers are using OpenSSL.

I think it would be better if nginx didn't invent its own ticket key format but used the format defined by OpenSSL instead.

Best Regards.
_______________________________________________
nginx mailing list
http://mailman.nginx.org/mailman/listinfo/nginx
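Added example, not part of the original post and not nginx or OpenSSL code: a converter between the two 48-byte layouts described in the message, so that one shared key file can be re-ordered for a server expecting the other layout. All function and type names are hypothetical, and the sample key is constructed.

```python
from typing import NamedTuple

KEY_FILE_LEN = 48   # total size of the ticket key blob, per the post
FIELD_LEN = 16      # each of the three fields is 16 bytes


class TicketKey(NamedTuple):
    name: bytes      # key name placed in the ticket so a server can pick the key
    enc_key: bytes   # ticket encryption key
    hmac_key: bytes  # ticket HMAC key


def split_fields(blob: bytes):
    """Cut a 48-byte blob into three 16-byte fields, rejecting other sizes."""
    if len(blob) != KEY_FILE_LEN:
        raise ValueError(f"expected {KEY_FILE_LEN} bytes, got {len(blob)}")
    return tuple(blob[i:i + FIELD_LEN] for i in range(0, KEY_FILE_LEN, FIELD_LEN))


def parse_nginx(blob: bytes) -> TicketKey:
    # nginx layout from the post: name | encryption key | hmac key
    name, enc, mac = split_fields(blob)
    return TicketKey(name, enc, mac)


def parse_openssl(blob: bytes) -> TicketKey:
    # OpenSSL layout from the post: name | hmac key | encryption key
    name, mac, enc = split_fields(blob)
    return TicketKey(name, enc, mac)


def nginx_to_openssl(blob: bytes) -> bytes:
    k = parse_nginx(blob)
    return k.name + k.hmac_key + k.enc_key


def openssl_to_nginx(blob: bytes) -> bytes:
    k = parse_openssl(blob)
    return k.name + k.enc_key + k.hmac_key


if __name__ == "__main__":
    sample = bytes(range(KEY_FILE_LEN))  # constructed blob, not a real key
    converted = nginx_to_openssl(sample)
    # Both servers now derive the same (name, enc_key, hmac_key) triple.
    print(parse_nginx(sample) == parse_openssl(converted))
```

Loading the same unconverted file into both layouts would swap the encryption and HMAC keys, so tickets issued by one side would fail verification on the other.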
