Changeset fdd3bf0 in mod_gnutls for doc/mod_gnutls_manual.mdwn


Timestamp:
Sep 30, 2018, 1:36:26 PM (14 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master
Children:
bac1a32
Parents:
bd2b48b
git-author:
Fiona Klute <fiona.klute@…> (09/30/18 13:26:54)
git-committer:
Fiona Klute <fiona.klute@…> (09/30/18 13:36:26)
Message:

Enable session tickets by default if GnuTLS version >= 3.6.4

GnuTLS 3.6.4 introduced automatic master key rotation, and TLS 1.3
takes care of other reasons not to use tickets while requiring them
for session resumption.

File:
1 edited

  • doc/mod_gnutls_manual.mdwn

    rbd2b48b rfdd3bf0  
    139139    GnuTLSSessionTickets [on|off]
    140140
    141 Default: `off`\
    142 Context: server config, virtual host
    143 
    144 To avoid storing data for TLS session resumption the server can
    145 provide clients with tickets, to use on return. Tickets are an
    146 alternative to using a session cache, mostly used for busy servers
    147 with limited storage. For a pool of servers this option is not
    148 recommended since the tickets are bound to the issuing server only.
     141Default: `on` with GnuTLS 3.6.4 and newer, `off` otherwise\
     142Context: server config, virtual host
     143
     144Session tickets allow TLS session resumption without session state
     145stored on the server, using encrypted tickets provided to the clients
     146instead. Tickets are an alternative to using a session cache, and
     147currently the only session resumption mechanism in TLS 1.3. For a pool
     148of servers this option is not recommended since the tickets are bound
     149to the issuing server only.
    149150
    150151If this option is set in the global configuration, virtual hosts
    151152without a `GnuTLSSessionTickets` setting will use the global setting.
    152153
    153 *Warning:* Currently the master key that protects the tickets is
    154 generated only on server start, and there is no mechanism to roll over
    155 the key. If session tickets are enabled it is highly recommened to
    156 restart the server regularly to protect past sessions in case an
    157 attacker gains access to server memory.
     154*Warning:* With GnuTLS version before 3.6.4 the master key that
     155protects the tickets is generated only on server start, and there is
     156no mechanism to roll over the key. If session tickets are enabled it
     157is highly recommended to restart the server regularly to protect past
     158sessions in case an attacker gains access to server memory. GnuTLS
     1593.6.4 introduced an automatic TOTP-based key rollover, so this warning
     160does not apply any more and tickets are enabled by default.
    158161
    159162### GnuTLSClientVerify
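Review bot: The new warning paragraph (lines 154-160 on the right) overstates the effect of the rollover when it says the warning "does not apply any more"; the automatic TOTP-based rollover bounds the exposure window rather than removing it, because the key currently in use still resides in server memory and can decrypt tickets issued during the current rotation period. Suggest wording along the lines of "so with GnuTLS 3.6.4 and newer the exposure is limited to sessions resumed within the current key rotation period, and tickets are enabled by default." Two smaller documentation points in the same hunk: the new "Default" line makes the default depend on the GnuTLS version, and it would help readers to say whether that is the version mod_gnutls was built against or the library loaded at run time; and the retained sentence about server pools still holds with rotation, since each server derives its own keys, so it may be worth stating explicitly that the 3.6.4 rollover does not change the single-server binding of tickets.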