DOC: improve description of no-tls-tickets
It was not obvious, that this setting only affects TLS versions <= 1.2 and it we should also mention the security implication of session tickets here. Signed-off-by: Bjoern Jacke <bjacke@samba.org>
This commit is contained in:
Bjrn Jacke
Willy Tarreau
parent
5ab7eb6860
commit
7b5e136458
@ -11677,6 +11677,10 @@ no-tls-tickets
|
||||
extension) and force to use stateful session resumption. Stateless
|
||||
session resumption is more expensive in CPU usage. This option is also
|
||||
available on global statement "ssl-default-bind-options".
|
||||
The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to
|
||||
man-in-the-middle attacks. You should consider to disable them for
|
||||
security reasons. TLS 1.3 implements more secure methods for session
|
||||
resumption.
|
||||
|
||||
no-tlsv10
|
||||
This setting is only available when support for OpenSSL was built in. It
|
||||
@ -12376,6 +12380,10 @@ no-tls-tickets
|
||||
extension) and force to use stateful session resumption. Stateless
|
||||
session resumption is more expensive in CPU usage for servers. This option
|
||||
is also available on global statement "ssl-default-server-options".
|
||||
The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to
|
||||
man-in-the-middle attacks. You should consider to disable them for
|
||||
security reasons. TLS 1.3 implements more secure methods for session
|
||||
resumption.
|
||||
See also "tls-tickets".
|
||||
|
||||
no-tlsv10
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user