On Mon, Aug 11, 2014 at 6:00 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> No, generally you re-use previously generated keys, otherwise you
> lose much of the advantage of "stateless resumption". However,
> along with each keyset you associate some suitable TTL, and you
> stop signing new sessions with a keyset that is expiring, while
> keeping it in memory long enough to decrypt any previously signed
> sessions.
>
> So each keyset lives in memory for 2 * encryption-TTL, where the
> encryption-TTL is also the maximum session lifetime, but is only
> used to encrypt new sessions for 1 * encryption-TTL. This means
> you only have 2 keysets in memory, the current and previous.
>

I see, thanks.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
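
The two-keyset rotation described in the quoted message, as an added sketch in C that is not part of the original thread and is not OpenSSL code. All names (`struct keyset`, `ticket_encrypt_key`, `ticket_decrypt_key`), the one-hour `ENC_TTL` and the key sizes are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Hypothetical names throughout; none of this is OpenSSL API. */
#define ENC_TTL 3600            /* encryption-TTL = max session lifetime, in seconds (assumed) */

struct keyset {
    unsigned char name[16];     /* key name carried in the clear inside each ticket */
    unsigned char secret[48];   /* cipher and MAC key material (assumed size) */
    time_t created;             /* 0 means the slot is empty */
};
static struct keyset cur, prev; /* only two keysets are ever held */

/* Fill a fresh keyset from the OS random source; returns 0 on success. */
static int keyset_new(struct keyset *k, time_t now) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(k->name, 1, sizeof k->name, f);
    n += fread(k->secret, 1, sizeof k->secret, f);
    fclose(f);
    if (n != sizeof k->name + sizeof k->secret) return -1;
    k->created = now;
    return 0;
}

/* Keyset for a NEW ticket: rotate once cur has encrypted for 1 * ENC_TTL. */
const struct keyset *ticket_encrypt_key(time_t now) {
    if (cur.created == 0 || now - cur.created >= ENC_TTL) {
        struct keyset fresh;
        if (keyset_new(&fresh, now) != 0) return NULL;
        prev = cur;             /* old keyset is kept for decryption only */
        cur = fresh;
    }
    return &cur;
}

/* Keyset for a presented ticket, or NULL (caller falls back to a full handshake). */
const struct keyset *ticket_decrypt_key(const unsigned char name[16], time_t now) {
    struct keyset *slots[2] = { &cur, &prev };
    for (int i = 0; i < 2; i++) {
        struct keyset *k = slots[i];
        if (k->created == 0 || memcmp(k->name, name, 16) != 0) continue;
        if (now - k->created < 2 * ENC_TTL) return k;
        memset(k, 0, sizeof *k);    /* lived 2 * ENC_TTL: wipe it */
        break;
    }
    return NULL;
}
```

In an OpenSSL server these two lookups would be called from the session ticket key callback registered with `SSL_CTX_set_tlsext_ticket_key_cb`, and a multi-process deployment would also need to share the keysets between workers.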