It's quite annoying that this isn't built into nginx:
github.com/GrapheneOS/ngi
It should rotate the TLS ticket keys like Caddy. It's similar to how you need to handle OCSP with an external script for nginx in order to make it work reliably. It could easily do it internally.
You still need to handle it externally in order to sync them across multiple servers providing the same service. It shouldn't be necessary for the common case.
github.com/tomwassenberg/ is what's needed for implementing OCSP stapling reliably. Could be so much simpler in nginx.
Caddy is the only option handling either of these things properly. It doesn't work for our use cases though. If you have simpler needs then that's a good way to avoid dealing with this kind of nonsense yourself.
TLS 1.3 makes the ticket situation better but it's still a problem.
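For reference, this is what the external ticket-key rotation the thread complains about looks like as a script. It is an added example, not code from the thread or from either linked repository, and it assumes an nginx configuration whose `ssl_session_ticket_key` directives point at `ticket.key` and `ticket.key.prev` in an assumed `/etc/nginx/tls` directory; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: rotate the nginx TLS session ticket keys
# that the tweets say currently have to be handled by an external script.
# nginx reads the files named by ssl_session_ticket_key at (re)load time, uses the
# FIRST one to encrypt new tickets and every listed file to decrypt incoming ones,
# so keeping exactly one previous key lets sessions resumed across a rotation keep
# working while bounding how long any single key stays in use.
#
# Assumed nginx configuration (file paths are assumptions):
#   ssl_session_tickets on;
#   ssl_session_ticket_key /etc/nginx/tls/ticket.key;       # current: encrypts + decrypts
#   ssl_session_ticket_key /etc/nginx/tls/ticket.key.prev;  # previous: decrypts only
set -eu

KEY_BYTES=80   # nginx accepts 48- or 80-byte files; 80 selects AES-256 for tickets
umask 077      # key files must never be readable by other users

# new_key FILE: write KEY_BYTES of CSPRNG output to FILE via a temp name + rename,
# so nginx never reloads a half-written key.
new_key() {
    head -c "$KEY_BYTES" /dev/urandom > "$1.tmp"
    mv -f "$1.tmp" "$1"
}

# rotate_ticket_keys DIR RELOAD_CMD
#   DIR        directory holding ticket.key and ticket.key.prev
#   RELOAD_CMD run after the swap, e.g. "nginx -s reload" ("true" for a dry run)
# On a cluster serving one hostname, copy DIR to every node before reloading,
# otherwise tickets issued by one node will not resume on another.
rotate_ticket_keys() {
    dir=$1
    reload=$2
    if [ -f "$dir/ticket.key" ]; then
        mv -f "$dir/ticket.key" "$dir/ticket.key.prev"   # demote current to previous
    else
        new_key "$dir/ticket.key.prev"   # first run: prev must exist or nginx won't load
    fi
    new_key "$dir/ticket.key"
    sh -c "$reload"
}

# key_size FILE: byte count, for checking a key file before pointing nginx at it
key_size() {
    wc -c < "$1" | tr -d ' '
}
```

Run it from cron or a systemd timer at the interval you want keys to live; a dry run with `rotate_ticket_keys /tmp/keys true` shows the file layout without touching nginx.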
