ticket_lifetime_hint may exceed 1 week in TLSv1.3

For TLSv1.3, limit ticket lifetime hint to 1 week per RFC8446 Fixes #17948 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17952)
author: Todd Short <todd.short@me.com> 2022-03-23 18:55:10 -0400
committer: Todd Short <todd.short@me.com> 2022-03-25 12:46:15 -0400
commit: 0089cc7f9d42f6e39872161199fb8b6a99da2492 (patch)
tree: 7bb4e2d785cf687ca07ed65796750543549e7268 /doc
parent: 37816ef5757e458be9648481e56bf698ee3bfbb1 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/man3/SSL_CTX_set_timeout.pod b/doc/man3/SSL_CTX_set_timeout.pod
index 29ef1b8ce7..de5a8b008d 100644
--- a/doc/man3/SSL_CTX_set_timeout.pod
+++ b/doc/man3/SSL_CTX_set_timeout.pod
@@ -42,6 +42,16 @@ basis, see L<SSL_get_default_timeout(3)>.
 All currently supported protocols have the same default timeout value
 of 300 seconds.
 
+This timeout value is used as the ticket lifetime hint for stateless session
+tickets. It is also used as the timeout value within the ticket itself.
+
+For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800
+seconds).
+
+For TLSv1.2, tickets generated during an initial handshake use the value
+as specified. Tickets generated during a resumed handshake have a value
+of 0 for the ticket lifetime hint.
+
 =head1 RETURN VALUES
 
 SSL_CTX_set_timeout() returns the previously set timeout value.
author	Todd Short <todd.short@me.com>	2022-03-23 18:55:10 -0400
committer	Todd Short <todd.short@me.com>	2022-03-25 12:46:15 -0400
commit	0089cc7f9d42f6e39872161199fb8b6a99da2492 (patch)
tree	7bb4e2d785cf687ca07ed65796750543549e7268 /doc
parent	37816ef5757e458be9648481e56bf698ee3bfbb1 (diff)