On Thu, Aug 6, 2015 at 10:08 AM, James Peach <jpe...@apache.org> wrote:

> > On Aug 6, 2015, at 9:56 AM, Leif Hedstrom <zw...@apache.org> wrote:
> >
> >> On Aug 5, 2015, at 10:16 AM, James Peach <jpe...@apache.org> wrote:
> >>
> >>> On Aug 5, 2015, at 8:22 AM, Susan Hinrichs <shinr...@network-geographics.com> wrote:
> >>>
> >>> I would argue that the specification of the session ticket key in the
> >>> ssl_multicert.config file is inappropriate at least as the primary
> >>> mechanism. It seems that for the common case, you don't need to use
> >>> different session keys for different domains. You could specify one key
> >>> file set in records.config.
> >>
> >> Yes, I think this is a promising approach.
> >
> > I like that too. I don't know how easily this can be done as an
> > overridable configuration, without introducing a lot of additional
> > complexity (remember, the HttpSM needs to generally be available for you to
> > use overridable configs).
>
> You can't override this at the HTTP layer since you already had to deal
> with session tickets when you terminated the TLS session.
>
> > If it can't be overridable, would it make sense to have an API as well
> > for this? Such that a plugin can set the session keys, which would then let
> > you manage the rotation in any way that you see fit.
>
> It would be great to have more flexibility in TLS. As I may have implied
> before, I think ssl_multicert.config is stretching the limits of what it
> can reasonably express :)
>

I very much agree with this!

> J
>

--
Bret Palsson | https://cobook.co/bretep