> On Aug 6, 2015, at 9:56 AM, Leif Hedstrom <zw...@apache.org> wrote:
>
>> On Aug 5, 2015, at 10:16 AM, James Peach <jpe...@apache.org> wrote:
>>
>>> On Aug 5, 2015, at 8:22 AM, Susan Hinrichs <shinr...@network-geographics.com> wrote:
>>>
>>> I would argue that the specification of the session ticket key in the ssl_multicert.config file is inappropriate at least as the primary mechanism. It seems that for the common case, you don't need to use different session keys for different domains. You could specify one key file set in records.config.
>>
>> Yes, I think this is a promising approach.
>
> I like that too. I don’t know how easily this can be done as an overridable configuration, without introducing a lot of additional complexity (remember, the HttpSM needs to generally be available for you to use overridable configs).

You can't override this at the HTTP layer since you already had to deal with session tickets when you terminated the TLS session.

> If it can’t be overridable, would it make sense to have an API as well for this? Such that a plugin can set the session keys, which would then let you manage the rotation in any way that you see fit.

It would be great to have more flexibility in TLS. As I may have implied before, I think ssl_multicert.config is stretching the limits of what it can reasonably express :)

J