Changeset e9ef72c in mod_gnutls for doc


Timestamp:
Jun 20, 2016, 2:51:01 PM (18 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
743e31f
Parents:
5a5032f
git-author:
Thomas Klute <thomas2.klute@…> (06/20/16 13:29:13)
git-committer:
Thomas Klute <thomas2.klute@…> (06/20/16 14:51:01)
Message:

Disable GnuTLSSessionTickets by default as described in handbook

The handbook clearly states that the default value for
GnuTLSSessionTickets is "off", but the actual setting in post config
was the opposite (which matched mod_ssl behavior). The code has been
changed to match documentation.

Additionally the handbook has been expanded regarding session ticket
use and security. The comment about the cache timeout being used for
session ticket expiration has been removed for being plainly wrong.

File:
1 edited

  • doc/mod_gnutls_manual.mdwn

    r5a5032f re9ef72c  
    133133
    134134To avoid storing data for TLS session resumption it is allowed to
    135 provide client with a ticket, to use on return.  Use for servers with
    136 limited storage, and don't combine with GnuTLSCache. For a pool of
    137 servers this option is not recommended since the tickets are unique
    138 for the issuing server only.
    139 
     135provide client with a ticket, to use on return. Tickets are an
     136alternative to using a session cache, mostly used for busy servers
     137with limited storage. For a pool of servers this option is not
     138recommended since the tickets are bound to the issuing server only.
     139
     140If this option is set in the global configuration, virtual hosts
     141without a `GnuTLSSessionTickets` setting will use the global setting.
     142
     143*Warning:* Currently the master key that protects the tickets is
     144generated only on server start, and there is no mechanism to roll over
     145the key. If session tickets are enabled it is highly recommened to
     146restart the server regularly to protect past sessions in case an
     147attacker gains access to server memory.
    140148
    141149`GnuTLSCertificateFile`
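Review bot: the added warning at new line 145 contains a typo, "recommened" should be "recommended". More substantively, the rewrite drops the old text's explicit advice "don't combine with GnuTLSCache" (old line 136) while the new wording only calls tickets "an alternative to using a session cache"; if the two mechanisms should still not be combined, say so explicitly, e.g. "Do not enable tickets together with `GnuTLSCache`". The warning itself is the right call given the commit's finding that the ticket master key is generated once at start and never rolled over: a reader should understand that a restart protects only sessions established before the restart, so phrasing it as "sessions older than the last restart" would make the scope of the mitigation clearer.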
     
    685693     # This could also be 'Listen *:443',
    686694     # just like '*:80' is common for non-https
    687      # No caching. Enable session tickets. Timeout is still used for
    688      # ticket expiration.
    689      GnuTLSCacheTimeout 600
    690695     # This tells apache, that for this IP/Port combination, we want to use
    691696     # Name Based Virtual Hosting. In the case of Server Name Indication,