author | Todd Short <todd.short@me.com> | 2022-03-23 18:55:10 -0400
---|---|---
committer | Todd Short <todd.short@me.com> | 2022-03-25 12:46:15 -0400
commit | 0089cc7f9d42f6e39872161199fb8b6a99da2492 (patch) |
tree | 7bb4e2d785cf687ca07ed65796750543549e7268 /doc |
parent | 37816ef5757e458be9648481e56bf698ee3bfbb1 (diff) |
ticket_lifetime_hint may exceed 1 week in TLSv1.3
For TLSv1.3, limit ticket lifetime hint to 1 week per RFC8446
Fixes #17948
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17952)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/SSL_CTX_set_timeout.pod | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/man3/SSL_CTX_set_timeout.pod b/doc/man3/SSL_CTX_set_timeout.pod index 29ef1b8ce7..de5a8b008d 100644 --- a/doc/man3/SSL_CTX_set_timeout.pod +++ b/doc/man3/SSL_CTX_set_timeout.pod @@ -42,6 +42,16 @@ basis, see L<SSL_get_default_timeout(3)>. All currently supported protocols have the same default timeout value of 300 seconds. +This timeout value is used as the ticket lifetime hint for stateless session +tickets. It is also used as the timeout value within the ticket itself. + +For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800 +seconds). + +For TLSv1.2, tickets generated during an initial handshake use the value +as specified. Tickets generated during a resumed handshake have a value +of 0 for the ticket lifetime hint. + =head1 RETURN VALUES SSL_CTX_set_timeout() returns the previously set timeout value. |
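Review bot: The new TLSv1.3 paragraph says RFC8446 limits transmission of this value to 1 week but never says what OpenSSL actually does when the configured timeout is larger, which is the behaviour this change exists to document (the commit message says the hint is limited to 1 week). State it directly, e.g. "For TLSv1.3, the ticket_lifetime_hint sent to the client is capped at 604800 seconds (1 week) as required by RFC8446, even when a larger timeout is configured." Since the preceding sentence says the same value is also used as the timeout inside the ticket, it would also help to say whether that internal timeout is capped too or keeps the configured value, so that readers can reason about when a resumed session will actually be rejected.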