Changeset 8d0efdc in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Jun 18, 2020, 4:57:32 PM (9 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
asyncio, master
Children:
9a26df9
Parents:
8f000b7
Message:

Disable session tickets by default

After learning that the GnuTLS key "rotation" scheme never actually
changes the primary key I'm disabling session tickets by default,
because I cannot ensure everyone will reload their servers to replace
the keys. I hope to eventually implement a real key rotation and
enable tickets by default again.

File:
1 edited

  • src/gnutls_hooks.c

    r8f000b7 r8d0efdc  
    659659            sc->enabled = GNUTLS_ENABLED_FALSE;
    660660        if (sc->tickets == GNUTLS_ENABLED_UNSET)
    661         {
    662             /* GnuTLS 3.6.4 introduced automatic master key rotation */
    663             if (gnutls_check_version_numeric(3, 6, 4))
    664                 sc->tickets = GNUTLS_ENABLED_TRUE;
    665             else
    666                 sc->tickets = GNUTLS_ENABLED_FALSE;
    667         }
     661            sc->tickets = GNUTLS_ENABLED_FALSE;
    668662        if (sc->export_certificates_size < 0)
    669663            sc->export_certificates_size = 0;
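
Review bot: The new line 661, `sc->tickets = GNUTLS_ENABLED_FALSE;`, has no comment, whereas the block it replaces documented its rationale ("GnuTLS 3.6.4 introduced automatic master key rotation"). Suggest a short comment at this line saying why the unset case now resolves to disabled (per the commit message, the rotation scheme never changes the primary key and key replacement depends on a server reload), so a later reader does not reintroduce the `gnutls_check_version_numeric(3, 6, 4)` check. Since the changeset lists only src/gnutls_hooks.c as edited, the user-facing documentation for the setting behind `sc->tickets` should be updated as well: servers on GnuTLS 3.6.4 or later that left it unset previously got `GNUTLS_ENABLED_TRUE` and will now stop issuing tickets without any configuration change.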