Hello! On Tue, Feb 25, 2014 at 08:23:55PM +0400, ZNV wrote:
> Hi!
>
> Recently nginx implemented support for ssl_session_ticket_key allowing
> to set up key(s) for SSL tickets encryption explicitly. This is useful when
> multiple nginx servers must share the same set of keys in order for any
> server to accept tickets issued by any other server.
>
> The key file is an opaque 48 byte long blob. Internally this data is
> partitioned as follows (ngx_ssl_ticket_session_keys, ngx_event_openssl.c):
>
> a key name (16 bytes)
> encryption key (16 bytes)
> hmac key (16 bytes)
>
> Without nginx customization OpenSSL partitions the key data another
> way (ssl3_ctx_ctrl in openssl):
>
> a key name (16 bytes)
> hmac key (16 bytes)
> encryption key (16 bytes)
>
> This creates a certain compatibility issue. Though I didn't verify it,
> presumably Apache's mod_ssl isn't going to understand nginx
> SSL session tickets even though both servers are using OpenSSL.
>
> I think it would be better if nginx didn't invent its own ticket key
> format but use the format defined by OpenSSL instead.

The format is "48 bytes of random data", and I don't think that compatibility with other software is something to be considered here. Ticket keys are to be used between multiple nginx instances, nothing more.

-- 
Maxim Dounin
http://nginx.org/
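The interoperability consequence of the two layouts described in the quoted post, as an added illustration that is not part of this thread or of nginx's or OpenSSL's code: the same 48-byte file yields different HMAC keys under the two partitionings, so a ticket MAC'd by a peer using one layout fails verification on a peer using the other. The MAC algorithm (HMAC-SHA256), the MAC input (key name plus ticket body) and the sample key and ticket are assumptions constructed here for the demonstration.

```python
import hashlib
import hmac
from typing import NamedTuple


class TicketKey(NamedTuple):
    name: bytes      # 16-byte key name, sent in the clear with the ticket
    enc_key: bytes   # 16-byte ticket encryption key
    hmac_key: bytes  # 16-byte ticket MAC key


def parse_nginx_layout(blob: bytes) -> TicketKey:
    """Layout described for nginx in the post: name | encryption key | hmac key."""
    if len(blob) != 48:
        raise ValueError("ticket key file must be exactly 48 bytes")
    return TicketKey(blob[0:16], blob[16:32], blob[32:48])


def parse_openssl_layout(blob: bytes) -> TicketKey:
    """Layout described for OpenSSL (ssl3_ctx_ctrl): name | hmac key | encryption key."""
    if len(blob) != 48:
        raise ValueError("ticket key file must be exactly 48 bytes")
    return TicketKey(blob[0:16], blob[32:48], blob[16:32])


def mac_ticket(key: TicketKey, ticket_body: bytes) -> bytes:
    # Assumed MAC construction: HMAC-SHA256 over key name || ticket body.
    return hmac.new(key.hmac_key, key.name + ticket_body, hashlib.sha256).digest()


def verify_ticket(key: TicketKey, ticket_body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_ticket(key, ticket_body), tag)


def cross_check(blob: bytes, ticket_body: bytes) -> dict:
    """Issue a ticket MAC with the nginx layout, then verify it under both layouts."""
    tag = mac_ticket(parse_nginx_layout(blob), ticket_body)
    return {
        "nginx_peer_accepts": verify_ticket(parse_nginx_layout(blob), ticket_body, tag),
        "openssl_peer_accepts": verify_ticket(parse_openssl_layout(blob), ticket_body, tag),
    }


# Constructed sample data, not real key material.
SAMPLE_KEY = bytes(range(48))
SAMPLE_TICKET = b"constructed-ticket-body"

if __name__ == "__main__":
    print(cross_check(SAMPLE_KEY, SAMPLE_TICKET))
```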
