daemon13 | 12 years ago
>> I still believe that using PFS, even with this limitation, is safer ...
I definitely agree, the problem is that usually there is more than 1 web server :-)
>> The standard is still to point clients to a single termination endpoint, and do active/passive cluster, so that there's no need to share the session tickets.
Sorry, I did not understand (esp. the active/passive cluster thing) - could you please maybe add some pointers (blog post, etc.) with more details?
zobzu | 12 years ago
I think that what he means is that you terminate SSL on the load balancers (= single termination endpoint), then have your cluster beneath it (non-SSL/TLS, or new SSL/TLS connection, thus different tickets).
daemon13 | 12 years ago
True, esp. if you use HAProxy as LB.