On Thu, Sep 16, 2021 at 08:11:44AM +0530, Jaya Muthiah wrote:

> I am trying to get the remaining lifetime of the ticket so that server can
> decide to renew ticket or not

In Postfix, I rotate ticket keys every hour, and sessions are valid for two hours. For the first hour when they were issued by the current ticket the ticket is accepted without forcing a new ticket to be generated. During the second hour when accepting tickets signed by the previous key, a fresh ticket is generated.

I don't rely on OpenSSL to tell me the ticket age, it is implied by the key id. Since ticket keys should be rotated anyway, something like that might also work for you.

What I haven't yet built is a mechanism to rotate keys consistently across multiple machines in a load-balancer pool. That would be generally useful.

--
Viktor.
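
The rotation scheme described in the message above, as an added sketch that is not Postfix's code and not part of the original post: a two-slot key ring where the key that matches a ticket decides whether to accept, accept and renew, or fall back to a full handshake. The struct and function names are hypothetical; the 0/1/2 results follow the decrypt-side return values of OpenSSL's `SSL_CTX_set_tlsext_ticket_key_cb` callback, and the key names are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define ROTATE_SECS 3600 /* rotation interval from the message: one hour */
#define NAME_LEN 16      /* length of the key name carried in a ticket */

/* Same meaning as the decrypt-side return values of OpenSSL's ticket key callback. */
enum { TKT_REJECT = 0, TKT_ACCEPT = 1, TKT_ACCEPT_RENEW = 2 };

struct tkey { unsigned char name[NAME_LEN]; time_t born; int valid; };
struct keyring { struct tkey cur, prev; }; /* must start zeroed */

/* Install fresh_name as the current key once the old one has served a full
 * interval; the old key is kept for decryption only. */
void ring_rotate(struct keyring *r, time_t now, const unsigned char *fresh_name)
{
    if (r->cur.valid && now - r->cur.born < ROTATE_SECS)
        return;
    r->prev = r->cur;
    memcpy(r->cur.name, fresh_name, NAME_LEN);
    r->cur.born = now;
    r->cur.valid = 1;
}

/* Ticket age is never read from the ticket: it is implied by which key matched. */
int ticket_decide(const struct keyring *r, const unsigned char *name, time_t now)
{
    if (r->cur.valid && memcmp(name, r->cur.name, NAME_LEN) == 0)
        return TKT_ACCEPT;            /* issued within the last hour */
    if (r->prev.valid && memcmp(name, r->prev.name, NAME_LEN) == 0 &&
        now - r->prev.born < 2 * ROTATE_SECS)
        return TKT_ACCEPT_RENEW;      /* second hour: resume, hand out a fresh ticket */
    return TKT_REJECT;                /* unknown or expired key: full handshake */
}

int main(void)
{
    /* Constructed key names; a real server would use random ones. */
    unsigned char a[NAME_LEN], b[NAME_LEN];
    struct keyring r;
    memset(&r, 0, sizeof r); memset(a, 'A', NAME_LEN); memset(b, 'B', NAME_LEN);
    ring_rotate(&r, 0, a);
    ring_rotate(&r, ROTATE_SECS, b);
    printf("ticket under old key at t=5000s: %d\n", ticket_decide(&r, a, 5000));
    return 0;
}
```

The age check on the previous key covers a late rotation: if the server skipped an interval, a ticket under the old key is rejected instead of being resumed past the two-hour session lifetime.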