> On Aug 5, 2015, at 10:16 AM, James Peach <jpe...@apache.org> wrote:
> 
> 
>> On Aug 5, 2015, at 8:22 AM, Susan Hinrichs 
>> <shinr...@network-geographics.com> wrote:
>> 
>> I would argue that the specification of the session ticket key in the 
>> ssl_multicert.config file is inappropriate at least as the primary 
>> mechanism.  It seems that for the common case, you don't need to use 
>> different session keys for different domains.  You could specify one key 
>> file set in records.config.
> 
> Yes, I think this is a promising approach.


I like that too. I don’t know how easily this can be done as an overridable 
configuration, without introducing a lot of additional complexity (remember, 
the HttpSM needs to generally be available for you to use overridable configs).

If it can’t be overridable, would it make sense to have an API as well for 
this? Such that a plugin can set the session keys, which would then let you 
manage the rotation in any way that you see fit.

— leif
