Opened 12 years ago
Last modified 10 years ago
#339 new enhancement
Share SSL session cache between servers?
Reported by: | andersk | Owned by: |
---|---|---|---
Priority: | minor | Milestone: |
Component: | web | Keywords: |
Cc: | | |
Description
davidben points out that our servers can’t share SSL session caches with each other. Apparently you can do this with SSLSessionTicketKeyFile in 2.4, or perhaps using distcache in 2.2?
We have SSLSessionTicketKeyFile now, but it's important that we don't botch PFS by storing it on disk or by never changing that key. Twitter has a good overview of their solution that we can copy features from.
One problem with syncing keys is that distributed systems suck and changing keys for every server at once isn't feasible. The other problem is that we don't want to invalidate client sessions every time we roll the ticket key. So we need to keep at least a few ticket keys around.
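As an added illustration of the "keep a few ticket keys around" idea (not code from this ticket or from Apache): a ticket-key ring that issues tickets under the newest key, still accepts tickets sealed under the previous `keep` keys, and drops older ones, so rolling a key does not invalidate recent client sessions. It mirrors the 48-byte layout of Apache's SSLSessionTicketKeyFile (16-byte key name, 16-byte encryption key, 16-byte HMAC key) and keeps keys only in memory; since the Python standard library has no AES, the encryption step uses HMAC-SHA256 in counter mode as a stand-in for the AES-CBC of RFC 5077.

```python
import hmac
import hashlib
import os
from collections import OrderedDict

def new_ticket_key():
    """Fresh (name, enc_key, mac_key), same layout as the 48-byte key file."""
    raw = os.urandom(48)
    return raw[:16], raw[16:32], raw[32:48]

def _keystream(enc_key, nonce, length):
    # Stand-in for AES: HMAC-SHA256 in counter mode over a per-ticket nonce.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

class TicketKeyRing:
    """Current ticket key plus `keep` previous ones, held in memory only."""
    def __init__(self, keep=2):
        self.keep = keep
        self.keys = OrderedDict()  # key name -> (enc_key, mac_key), oldest first
        self.rotate()

    def rotate(self, key=None):
        # `key` lets every server install the same centrally generated triple.
        name, enc, mac = key if key is not None else new_ticket_key()
        self.keys[name] = (enc, mac)
        while len(self.keys) > self.keep + 1:
            self.keys.popitem(last=False)  # retire the oldest key
        return name

    def seal(self, state):
        name, (enc, mac) = list(self.keys.items())[-1]  # newest key issues tickets
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(state, _keystream(enc, nonce, len(state))))
        tag = hmac.new(mac, name + nonce + ct, hashlib.sha256).digest()
        return name + nonce + ct + tag  # key_name | nonce | ciphertext | mac

    def open(self, ticket):
        if len(ticket) < 64:
            return None
        name, nonce, ct, tag = ticket[:16], ticket[16:32], ticket[32:-32], ticket[-32:]
        if name not in self.keys:
            return None  # unknown or retired key: client falls back to a full handshake
        enc, mac = self.keys[name]
        expected = hmac.new(mac, name + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # tampered ticket
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))
```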
Summarizing some zephyr discussion, here's a possible route: