ssl_session_ticket_key

Syntax:	`ssl_session_ticket_key file;`
Default:	—
Context:	`mail`, `server`

This directive appeared in version 1.5.7.

Sets a file with the secret key used to encrypt and decrypt TLS session tickets. The directive is necessary if the same key has to be shared between multiple servers. By default, a randomly generated key is used.

If several keys are specified, only the first key is used to encrypt TLS session tickets. This allows configuring key rotation, for example:

ssl_session_ticket_key current.key;
ssl_session_ticket_key previous.key;

The file must contain 80 or 48 bytes of random data and can be created using the following command:

openssl rand 80 > ticket.key

Depending on the file size either AES256 (for 80-byte keys, 1.11.8) or AES128 (for 48-byte keys) is used for encryption.

Links:

https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_session_ticket_key

doc_nginx

2017-02-09 07:09:32

Comments