| field | value | date |
|---|---|---|
| author | Matthew Holt <mholt@users.noreply.github.com> | 2019-10-09 19:38:26 -0600 |
| committer | Matthew Holt <mholt@users.noreply.github.com> | 2019-10-09 19:38:26 -0600 |
| commit | dedcfd4e3da1297cda2d09776e7c8135e0d960ce | |
| tree | 96cc725c5c8ac246ba8df91e38b49e1bcfac8378 /cmd | |
| parent | 20fe9cf024898c73725eab0d4306dfd3b6ccd6d8 | |
tls: Add distributed_stek module
This migrates a feature that was previously reserved for enterprise
users, according to https://github.com/caddyserver/caddy/issues/2786.
TLS session ticket keys are sensitive, so they should be rotated on a
regular basis. Only Caddy does this by default. However, a cluster of
servers that rotate keys without synchronization will lose the benefits
of having sessions in the first place if the client is routed to a
different backend. This module coordinates STEK rotation in a fleet so
the same keys are used, and rotated, across the whole cluster. No other
server does this, but Twitter wrote about how they hacked together a
solution a few years ago:
https://blog.twitter.com/engineering/en_us/a/2013/forward-secrecy-at-twitter.html
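As an added example, not Caddy's distributed_stek implementation (whose code this page does not show) and not the Twitter scheme linked above, the following Go program shows one way to coordinate STEK rotation across a fleet: every node computes the same rotation epoch from its own clock, publishes a random key for that epoch into shared storage with an atomic create-if-absent so that the first node wins the race and the others adopt its key, and then loads the current key plus a short window of past keys in the order crypto/tls expects from SetSessionTicketKeys (encrypting key first, decrypt-only keys after). The KeyStore interface, the in-process MemStore, the 12-hour period and the two-epoch overlap are all assumptions made for illustration; a real deployment would back KeyStore with the cluster's shared storage.

```go
package main

import (
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"sync"
	"time"
)

// TicketKeyBytes is the key size crypto/tls expects from SetSessionTicketKeys.
const TicketKeyBytes = 32

// Illustrative values, not Caddy's: how often the fleet moves to a fresh key, and
// how many past epochs' keys stay accepted so tickets issued before a rotation still resume.
const (
	RotationPeriod = 12 * time.Hour
	KeyOverlap     = 2
)

// ErrNotFound is returned by KeyStore.Load when no key was published for that name.
var ErrNotFound = errors.New("stek: key not found")

// KeyStore is the storage every node can reach. Its one hard requirement is that
// CreateIfAbsent is atomic across nodes, so concurrent rotations settle on one key per epoch.
type KeyStore interface {
	CreateIfAbsent(name string, val []byte) (created bool, err error)
	Load(name string) ([]byte, error)
	Delete(name string) error
}

// MemStore is a constructed in-process stand-in for a real shared store.
type MemStore struct{ m sync.Map }

func (s *MemStore) CreateIfAbsent(name string, val []byte) (bool, error) {
	_, loaded := s.m.LoadOrStore(name, append([]byte(nil), val...))
	return !loaded, nil
}

func (s *MemStore) Load(name string) ([]byte, error) {
	v, ok := s.m.Load(name)
	if !ok {
		return nil, ErrNotFound
	}
	return append([]byte(nil), v.([]byte)...), nil
}

func (s *MemStore) Delete(name string) error { s.m.Delete(name); return nil }

// Epoch numbers the rotation interval containing t. Every node derives it from its
// own clock, so the fleet agrees on when to rotate without exchanging messages.
func Epoch(t time.Time) int64 { return t.Unix() / int64(RotationPeriod/time.Second) }

// KeyName is the store entry holding the key for one epoch.
func KeyName(ep int64) string { return fmt.Sprintf("stek/%d", ep) }

// Rotate ensures the current epoch has a key (publishing a fresh random one only if no
// peer already did), loads the overlap window, and prunes the epoch that just left it.
// Keys come back in the order tls.Config.SetSessionTicketKeys expects: encrypting key first.
func Rotate(store KeyStore, now time.Time) ([][TicketKeyBytes]byte, error) {
	ep := Epoch(now)
	var fresh [TicketKeyBytes]byte
	if _, err := rand.Read(fresh[:]); err != nil {
		return nil, err
	}
	// If a peer won the race, fresh is simply discarded: the store is the authority.
	if _, err := store.CreateIfAbsent(KeyName(ep), fresh[:]); err != nil {
		return nil, err
	}
	keys := make([][TicketKeyBytes]byte, 0, KeyOverlap+1)
	for i := int64(0); i <= KeyOverlap; i++ {
		raw, err := store.Load(KeyName(ep - i))
		if errors.Is(err, ErrNotFound) {
			continue // nobody was up during that epoch, so no tickets use it
		}
		if err != nil || len(raw) != TicketKeyBytes {
			return nil, fmt.Errorf("stek: loading %s: %v (%d bytes)", KeyName(ep-i), err, len(raw))
		}
		var k [TicketKeyBytes]byte
		copy(k[:], raw)
		keys = append(keys, k)
	}
	// Deleting the key that just aged out is what bounds what a later compromise can decrypt.
	if err := store.Delete(KeyName(ep - KeyOverlap - 1)); err != nil {
		return nil, err
	}
	return keys, nil
}

func main() {
	cfg, store := &tls.Config{}, &MemStore{}
	keys, err := Rotate(store, time.Now())
	if err != nil {
		panic(err)
	}
	cfg.SetSessionTicketKeys(keys) // repeat whenever Epoch(time.Now()) changes
	fmt.Println("installed", len(keys), "session ticket key(s)")
}
```

Two design points worth noting. Keys are random and stored, rather than derived from a long-lived fleet secret, because deleting an aged-out key then actually destroys it; with derivation, whoever later obtains the master secret can recompute every past key, which defeats the forward-secrecy reason for rotating in the first place. That also means the shared store holds live ticket keys and needs the same access control and encryption at rest as the certificate private keys. Finally, clock skew between nodes larger than the overlap window would split the fleet into groups that cannot resume each other's sessions, so the period and the window should be chosen together.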
Diffstat (limited to 'cmd')
0 files changed, 0 insertions, 0 deletions