Conversation

Caddy is the only option handling either of these things properly. It doesn't work for our use cases though. If you have simpler needs then that's a good way to avoid dealing with this kind of nonsense yourself. TLS 1.3 makes the ticket situation better but it's still a problem.
I'm at least happy that the "minimal configuration" of Caddy makes it easy to do tickets properly. I think nginx and others need to change their defaults with an easy flag to revert if needed instead of just being afraid to change any defaults.
Caddy deals with OCSP stapling properly too. I don't think the nginx developers are afraid to change defaults but rather they're satisfied with having a way to do it externally. The nginx core code and particularly TLS also don't really seem to be their priorities right now.
/dev/urandom doesn't wait for the CSPRNG to be properly initialized in early boot. /dev/random was fixed in Linux 5.6 but this code needs to work properly on older kernels. I can't call getrandom(...) from Bash directly. OpenSSL seeds their CSPRNG with it so that works fine.
Most of the stuff we need is already filed as feature requests. It's definitely a lot closer to providing everything we need these days. We'd also need to check out how well it holds up to nginx in terms of resistance to denial of service attacks, which have been a major issue.