Changeset fdd3bf0 in mod_gnutls for doc/mod_gnutls_manual.mdwn
- Timestamp:
- Sep 30, 2018, 1:36:26 PM (2 years ago)
- Branches:
- asyncio, debian/master, master, proxy-ticket
- Children:
- bac1a32
- Parents:
- bd2b48b
- git-author:
- Fiona Klute <fiona.klute@…> (09/30/18 13:26:54)
- git-committer:
- Fiona Klute <fiona.klute@…> (09/30/18 13:36:26)
- File:
-
- 1 edited
doc/mod_gnutls_manual.mdwn
rbd2b48b rfdd3bf0 139 139 GnuTLSSessionTickets [on|off] 140 140 141 Default: `off`\ 142 Context: server config, virtual host 143 144 To avoid storing data for TLS session resumption the server can 145 provide clients with tickets, to use on return. Tickets are an 146 alternative to using a session cache, mostly used for busy servers 147 with limited storage. For a pool of servers this option is not 148 recommended since the tickets are bound to the issuing server only. 141 Default: `on` with GnuTLS 3.6.4 and newer, `off` otherwise\ 142 Context: server config, virtual host 143 144 Session tickets allow TLS session resumption without session state 145 stored on the server, using encrypted tickets provided to the clients 146 instead. Tickets are an alternative to using a session cache, and 147 currently the only session resumption mechanism in TLS 1.3. For a pool 148 of servers this option is not recommended since the tickets are bound 149 to the issuing server only. 149 150 150 151 If this option is set in the global configuration, virtual hosts 151 152 without a `GnuTLSSessionTickets` setting will use the global setting. 152 153 153 *Warning:* Currently the master key that protects the tickets is 154 generated only on server start, and there is no mechanism to roll over 155 the key. If session tickets are enabled it is highly recommened to 156 restart the server regularly to protect past sessions in case an 157 attacker gains access to server memory. 154 *Warning:* With GnuTLS version before 3.6.4 the master key that 155 protects the tickets is generated only on server start, and there is 156 no mechanism to roll over the key. If session tickets are enabled it 157 is highly recommended to restart the server regularly to protect past 158 sessions in case an attacker gains access to server memory. GnuTLS 159 3.6.4 introduced an automatic TOTP-based key rollover, so this warning 160 does not apply any more and tickets are enabled by default. 
158 161 159 162 ### GnuTLSClientVerify
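Review bot: the new warning paragraph has a grammar slip in "With GnuTLS version before 3.6.4 the master key"; it should read "With GnuTLS versions before 3.6.4 the master key". On the substance, the paragraph says GnuTLS 3.6.4's automatic TOTP-based key rollover makes the warning not apply any more, but it does not tell the administrator how often the key rotates, so a reader cannot judge how long a key recovered from server memory remains useful; adding the rotation interval (or a pointer to the GnuTLS documentation for it) next to "automatic TOTP-based key rollover" would make the "does not apply any more" claim checkable. It would also help to keep the warning's scope explicit for readers on the new default: with 3.6.4 and newer tickets are on by default, while the pool-of-servers caveat in the first paragraph ("the tickets are bound to the issuing server only") still holds regardless of version, so a sentence noting that the rollover change does not address that limitation would avoid readers concluding the whole warning is obsolete.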