mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 06:11:32 +02:00
Code Issues Projects Releases Wiki Activity

DOC: ssl: clarify security implications of TLS tickets

Browse Source 
Clarifies security implications of TLS ticket usage when not
rotating TLS ticket keys, after commit 7b5e136458 ("DOC:
improve description of no-tls-tickets").
This commit is contained in:
Lukas Tribus 2020-03-10 00:56:09 +01:00 committed by Willy Tarreau
parent 6763016866
commit bdb386d3d9
1 changed files with 9 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
doc/configuration.txt
View File

@ -11677,10 +11677,9 @@ no-tls-tickets
extension) and force to use stateful session resumption. Stateless extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage. This option is also session resumption is more expensive in CPU usage. This option is also
available on global statement "ssl-default-bind-options". available on global statement "ssl-default-bind-options".
The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to The TLS ticket mechanism is only used up to TLS 1.2.
man-in-the-middle attacks. You should consider to disable them for Forward Secrecy is compromised with TLS tickets, unless ticket keys
security reasons. TLS 1.3 implements more secure methods for session are periodically rotated (via reload or by using "tls-ticket-keys").
resumption.
no-tlsv10 no-tlsv10
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
@ -12380,10 +12379,9 @@ no-tls-tickets
extension) and force to use stateful session resumption. Stateless extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage for servers. This option session resumption is more expensive in CPU usage for servers. This option
is also available on global statement "ssl-default-server-options". is also available on global statement "ssl-default-server-options".
The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to The TLS ticket mechanism is only used up to TLS 1.2.
man-in-the-middle attacks. You should consider to disable them for Forward Secrecy is compromised with TLS tickets, unless ticket keys
security reasons. TLS 1.3 implements more secure methods for session are periodically rotated (via reload or by using "tls-ticket-keys").
resumption.
See also "tls-tickets". See also "tls-tickets".
no-tlsv10 no-tlsv10
@ -12813,6 +12811,9 @@ tls-tickets
This option may be used as "server" setting to reset any "no-tls-tickets" This option may be used as "server" setting to reset any "no-tls-tickets"
setting which would have been inherited from "default-server" directive as setting which would have been inherited from "default-server" directive as
default value. default value.
The TLS ticket mechanism is only used up to TLS 1.2.
Forward Secrecy is compromised with TLS tickets, unless ticket keys
are periodically rotated (via reload or by using "tls-ticket-keys").
It may also be used as "default-server" setting to reset any previous It may also be used as "default-server" setting to reset any previous
"default-server" "no-tls-tickets" setting. "default-server" "no-tls-tickets" setting.