SSL: optimized rotation of session ticket keys.

Instead of syncing keys with shared memory on each ticket operation, the code now does this only when the worker is going to change expiration of the current key, or going to switch to a new key: that is, usually at most once per second. To do so without races, the code maintains 3 keys: current, previous, and next. If a worker will switch to the next key earlier, other workers will still be able to decrypt new tickets, since they will be encrypted with the next key.
author: Maxim Dounin <mdounin@mdounin.ru> 2022-10-12 20:14:55 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> 2022-10-12 20:14:55 +0300
commit: 02314f0c3c70bad88ae3554eb66439a261898f24 (patch)
tree: 9a901e57200675ed07b3d6f668cfa6b2fae689a2 /src/event/ngx_event_openssl.h
parent: 1d572e359a210dcb27e5e073c016c1768c435263 (diff)
download: nginx-02314f0c3c70bad88ae3554eb66439a261898f24.tar.gz
nginx-02314f0c3c70bad88ae3554eb66439a261898f24.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 45d8b78a7..88f91382d 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -160,7 +160,7 @@ typedef struct {
     ngx_rbtree_t                session_rbtree;
     ngx_rbtree_node_t           sentinel;
     ngx_queue_t                 expire_queue;
-    ngx_ssl_ticket_key_t        ticket_keys[2];
+    ngx_ssl_ticket_key_t        ticket_keys[3];
     time_t                      fail_time;
 } ngx_ssl_session_cache_t;
author	Maxim Dounin <mdounin@mdounin.ru>	2022-10-12 20:14:55 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	2022-10-12 20:14:55 +0300
commit	02314f0c3c70bad88ae3554eb66439a261898f24 (patch)
tree	9a901e57200675ed07b3d6f668cfa6b2fae689a2 /src/event/ngx_event_openssl.h
parent	1d572e359a210dcb27e5e073c016c1768c435263 (diff)
download	nginx-02314f0c3c70bad88ae3554eb66439a261898f24.tar.gz nginx-02314f0c3c70bad88ae3554eb66439a261898f24.tar.bz2