DOC: Be a bit more explicit about allow-0rtt security implications.

Document a bit better that allow-0rtt can trivially be used for replay attacks,
and so should only be used when it's safe to replay a request.

This should probably be backported to 1.8 and 1.9.
Olivier Houchard 2019-01-08 15:35:32 +01:00 committed by Willy Tarreau
parent 51088ce68f
commit 6975296494


@ -10768,7 +10768,10 @@ accept-proxy
allow-0rtt
Allow receiving early data when using TLSv1.3. This is disabled by default,
due to security considerations.
due to security considerations. Because it is vulnerable to replay attacks,
you should only allow if for requests that are safe to replay, ie requests
that are idempotent. You can use the "wait-for-handshake" action for any
request that wouldn't be safe with early data.
alpn <protocols>
This enables the TLS ALPN extension and advertises the specified protocol
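Review bot: the new sentence on the `allow-0rtt` entry has a typo and a conflation worth tightening before backport. "you should only allow if for requests" should read "you should only allow it for requests", and "ie" should be "i.e.". More substantively, "safe to replay, ie requests that are idempotent" equates two different properties: idempotent means repeating the request leaves the same end state, but a replayed request can still have observable effects (a duplicated log entry, a second billing event, a timing or side-channel observation) even when the end state is unchanged, so the documentation should make replay-safety the criterion and idempotency at most a rough heuristic, e.g. "you should only allow it for requests whose replay has no harmful effect; a request being idempotent is not by itself sufficient". Suggest also stating that "wait-for-handshake" is an HTTP request action so that readers know where to place it in the configuration.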