
Nginx has a patch to store them in memcache, for what it's worth. It's far from ideal, but at least it's not persistent storage. The standard is still to point clients to a single termination endpoint, and do active/passive cluster, so that there's no need to share the session tickets.

I still believe that using PFS, even with this limitation, is safer than encrypting pre-master keys with a single private key that almost never rotates and is stored on plenty of servers.



Thank you for the update.

>> I still believe that using PFS, even with this limitation, is safer ...

I definitely agree; the problem is that usually there is more than one web server :-)

>> The standard is still to point clients to a single termination endpoint, and do active/passive cluster, so that there's no need to share the session tickets.

Sorry, I did not understand (esp. the active/passive cluster thing). Could you please maybe add some pointers (blog post, etc.) with more details?


That's a good point about master keys. The state is pretty bad with Apache, for example, and I'm not sure it's much better with nginx, at least by default.

I think that what he means is that you terminate SSL on the load balancers (= single termination endpoint), then have your cluster beneath it (non-SSL/TLS, or a new SSL/TLS connection, thus different tickets).
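As an added illustration of the "single termination endpoint" layout described in this thread (this is example configuration written for this note, not anything posted by the commenters or shipped by any project): an HAProxy front end terminates TLS with ECDHE-only cipher suites for forward secrecy, and the web nodes behind it receive plain HTTP. Because only the load balancer ever issues or decrypts session tickets, there is nothing to share between web servers. The certificate path, the ticket-key file path and the backend addresses are placeholders; the active/passive pair of load balancers is assumed to fail over via a floating IP (keepalived or similar), which is outside this fragment.

```haproxy
global
    # Placeholder: a file holding several 48-byte ticket keys; rotating this file
    # bounds how long a stolen key can decrypt recorded sessions (assumed path).
    # Only the load balancer holds it, so there is no cross-node sharing problem.
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3 no-tlsv10
    # ECDHE-only suites: every session gets its own ephemeral key (PFS).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_in
    # The single TLS termination endpoint. /etc/haproxy/certs/example.pem and
    # /etc/haproxy/ticket.keys are placeholder paths.
    bind *:443 ssl crt /etc/haproxy/certs/example.pem tls-ticket-keys /etc/haproxy/ticket.keys
    http-request set-header X-Forwarded-Proto https
    default_backend web_nodes

backend web_nodes
    # Plain HTTP to the cluster behind the balancer: these nodes never see a
    # session ticket, so nothing has to be replicated between them.
    # 10.0.0.11 / 10.0.0.12 are constructed example addresses.
    balance roundrobin
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

The trade-off the thread is circling is visible in the first section: the ticket key now lives in exactly one place, and how often that file is rotated decides how far back a compromise of it reaches. If the link between balancer and web nodes is untrusted, the backend servers would instead take `ssl verify` options and speak TLS again, which (as the comment above notes) is a separate session with its own tickets.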


a-ha, got it, thanks :)

True, especially if you use HAProxy as the LB.



