DOC: improve description of no-tls-tickets
It was not obvious that this setting only affects TLS versions <= 1.2, and
we should also mention the security implication of session tickets here.
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
(cherry picked from commit 7b5e1364587beae59a39da5a86ec095fa8bedef8)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 9144d171b891ca58b9e84aeedc0bae69082681ac)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 2ccda62..a9fb1f0 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -11779,6 +11779,10 @@
extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage. This option is also
available on global statement "ssl-default-bind-options".
+ The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to
+ man-in-the-middle attacks. You should consider to disable them for
+ security reasons. TLS 1.3 implements more secure methods for session
+ resumption.
no-tlsv10
This setting is only available when support for OpenSSL was built in. It
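Review bot: the added sentence "it is prone to man-in-the-middle attacks" (second of the four new lines) is unexplained and is not the usual concern with TLS session tickets; the documented risk is that a ticket carries the session secrets encrypted under a server-held ticket key, so a long-lived or unrotated ticket key weakens forward secrecy for every session that resumed with it. Suggest replacing that clause with the concrete reason, e.g. "session tickets are encrypted with a server-side ticket key, and a long-lived key undermines forward secrecy for resumed sessions", so that an administrator can judge the trade-off against the CPU cost already described above. Also, "You should consider to disable them" is ungrammatical and "them" has no plural antecedent in the sentence ("The TLS ticket mechanism ... it"); "consider disabling tickets" reads correctly. Finally, "only used up to TLS 1.2" is ambiguous: the option disables the TLS 1.2 ticket extension, while TLS 1.3 has its own resumption mechanism, which this option does not affect, so wording such as "this option only affects TLS 1.2 and earlier; TLS 1.3 resumption is not controlled by it" states the scope more precisely than saying TLS 1.3 "implements more secure methods".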
@@ -12478,6 +12482,10 @@
extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage for servers. This option
is also available on global statement "ssl-default-server-options".
+ The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to
+ man-in-the-middle attacks. You should consider to disable them for
+ security reasons. TLS 1.3 implements more secure methods for session
+ resumption.
See also "tls-tickets".
no-tlsv10
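Review bot: the four added lines here are a verbatim copy of the bind-side text in the previous hunk, so any rewording agreed there (the unexplained "man-in-the-middle" claim, "consider to disable them", the TLS 1.2 scope sentence) has to be applied to both places or the two option descriptions will drift apart; a one-line cross reference to the bind-side option, alongside the existing 'See also "tls-tickets".', would avoid maintaining the paragraph twice. The context lines also show this is the server-side option ("ssl-default-server-options", "CPU usage for servers"), where HAProxy acts as the TLS client and the ticket is issued and keyed by the backend server, so the security sentence should make clear that the ticket-key exposure it warns about lies with the backend server's key handling, not with HAProxy's own ticket keys as in the bind-side text.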