path: root/doc
author: Todd Short <todd.short@me.com> 2022-03-23 18:55:10 -0400
committer: Todd Short <todd.short@me.com> 2022-03-25 13:24:05 -0400
commit: 79dbd85fe27ebabc278417af64ab8e3eb43d2d40 (patch)
tree: ebcf14a503316825bfbe12f3a971c00b204e7204 /doc
parent: 04a768fc5968fa463cf9624a67accdef35bce0e4 (diff)
ticket_lifetime_hint may exceed 1 week in TLSv1.3
For TLSv1.3, limit ticket lifetime hint to 1 week per RFC8446

Fixes #17948

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17952)

(cherry picked from commit 0089cc7f9d42f6e39872161199fb8b6a99da2492)
Diffstat (limited to 'doc')
-rw-r--r-- doc/man3/SSL_CTX_set_timeout.pod | 10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/man3/SSL_CTX_set_timeout.pod b/doc/man3/SSL_CTX_set_timeout.pod
index c32585e45f..54592654ff 100644
--- a/doc/man3/SSL_CTX_set_timeout.pod
+++ b/doc/man3/SSL_CTX_set_timeout.pod
@@ -42,6 +42,16 @@ basis, see L<SSL_get_default_timeout(3)>.
All currently supported protocols have the same default timeout value
of 300 seconds.
+This timeout value is used as the ticket lifetime hint for stateless session
+tickets. It is also used as the timeout value within the ticket itself.
+
+For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800
+seconds).
+
+For TLSv1.2, tickets generated during an initial handshake use the value
+as specified. Tickets generated during a resumed handshake have a value
+of 0 for the ticket lifetime hint.
+
=head1 RETURN VALUES
SSL_CTX_set_timeout() returns the previously set timeout value.
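Review bot: The new TLSv1.3 paragraph states the RFC 8446 limit but not what this implementation does when the configured timeout is larger than it; the commit subject says the hint "may exceed 1 week" and the message says the hint is now limited to 1 week, so the man page should say that explicitly rather than leaving the reader to infer it, e.g. "For TLSv1.3, the ticket lifetime hint sent to the client is limited to 1 week (604800 seconds) as required by RFC 8446, even if a larger timeout is set." Since the preceding sentence says the same value is also used as the timeout within the ticket itself, the paragraph should also state whether that stored timeout is capped in the same way or keeps the full configured value; as written, an application setting a timeout longer than a week cannot tell from this page which of the two limits will actually apply to resumption. For the TLSv1.2 paragraph, consider adding what a lifetime hint of 0 means to the client, since "a value of 0" on its own reads as if resumed-handshake tickets were already expired.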