RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-05 03:29:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

DOC: ssl: clarify security implications of TLS tickets

Browse Source 
Clarifies security implications of TLS ticket usage when not
rotating TLS ticket keys, after commit 7b5e136458 ("DOC:
improve description of no-tls-tickets").
This commit is contained in:
Lukas Tribus 2020-03-10 00:56:09 +01:00 committed by Willy Tarreau
parent 6763016866
commit bdb386d3d9
1 changed files with 9 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
doc/configuration.txt
View File

@ -11677,10 +11677,9 @@ no-tls-tickets
extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage. This option is also
available on global statement "ssl-default-bind-options".
The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to
man-in-the-middle attacks. You should consider to disable them for
security reasons. TLS 1.3 implements more secure methods for session
resumption.
The TLS ticket mechanism is only used up to TLS 1.2.
Forward Secrecy is compromised with TLS tickets, unless ticket keys
are periodically rotated (via reload or by using "tls-ticket-keys").
no-tlsv10
This setting is only available when support for OpenSSL was built in. It
@ -12380,10 +12379,9 @@ no-tls-tickets
extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage for servers. This option
is also available on global statement "ssl-default-server-options".
The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to
man-in-the-middle attacks. You should consider to disable them for
security reasons. TLS 1.3 implements more secure methods for session
resumption.
The TLS ticket mechanism is only used up to TLS 1.2.
Forward Secrecy is compromised with TLS tickets, unless ticket keys
are periodically rotated (via reload or by using "tls-ticket-keys").
See also "tls-tickets".
no-tlsv10
@ -12813,6 +12811,9 @@ tls-tickets
This option may be used as "server" setting to reset any "no-tls-tickets"
setting which would have been inherited from "default-server" directive as
default value.
The TLS ticket mechanism is only used up to TLS 1.2.
Forward Secrecy is compromised with TLS tickets, unless ticket keys
are periodically rotated (via reload or by using "tls-ticket-keys").
It may also be used as "default-server" setting to reset any previous
"default-server" "no-tls-tickets" setting.