| author | Todd Short <todd.short@me.com> | 2022-03-23 18:55:10 -0400 |
|---|---|---|
| committer | Todd Short <todd.short@me.com> | 2022-03-25 13:24:05 -0400 |
| commit | 79dbd85fe27ebabc278417af64ab8e3eb43d2d40 | |
| tree | ebcf14a503316825bfbe12f3a971c00b204e7204 /doc | |
| parent | 04a768fc5968fa463cf9624a67accdef35bce0e4 | |
ticket_lifetime_hint may exceed 1 week in TLSv1.3
For TLSv1.3, limit ticket lifetime hint to 1 week per RFC8446
Fixes #17948
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17952)
(cherry picked from commit 0089cc7f9d42f6e39872161199fb8b6a99da2492)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/SSL_CTX_set_timeout.pod | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/man3/SSL_CTX_set_timeout.pod b/doc/man3/SSL_CTX_set_timeout.pod index c32585e45f..54592654ff 100644 --- a/doc/man3/SSL_CTX_set_timeout.pod +++ b/doc/man3/SSL_CTX_set_timeout.pod @@ -42,6 +42,16 @@ basis, see L<SSL_get_default_timeout(3)>. All currently supported protocols have the same default timeout value of 300 seconds. +This timeout value is used as the ticket lifetime hint for stateless session +tickets. It is also used as the timeout value within the ticket itself. + +For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800 +seconds). + +For TLSv1.2, tickets generated during an initial handshake use the value +as specified. Tickets generated during a resumed handshake have a value +of 0 for the ticket lifetime hint. + =head1 RETURN VALUES SSL_CTX_set_timeout() returns the previously set timeout value. |
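Review bot: the new sentence "For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800 seconds)" in this hunk does not tell the caller what SSL_CTX_set_timeout() actually does when the configured timeout is larger than 604800: the commit message says the lifetime hint is capped, but the paragraph just above it states that the same value "is also used as the timeout value within the ticket itself", so a reader cannot tell whether the cap applies only to the ticket_lifetime field sent on the wire or also to the ticket's own expiry. Suggest stating the behaviour explicitly, along the lines of "For TLSv1.3, the ticket lifetime hint sent to the client is capped at 604800 seconds (1 week), as required by RFC 8446 section 4.6.1; the configured timeout still governs the ticket itself", adjusted to whatever the code change does, and citing the RFC section so the reader can verify the limit. Writing "RFC 8446" with a space would also match the form used elsewhere in the OpenSSL manual pages.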