If you provide the same secret to multiple instances, they will be able to resume
each other's sessions *without* any further communication between them.
- For good security, the secret must have enough entropy to be hard to guess,
- and it should still be occasionally rotated manually (and securely forgotten),
+ This synchronization works only among instances having the same endianess
+ and time_t structure and size (`sizeof(time_t)`).
+
+ **For good security** the secret must have enough entropy to be hard to guess,
+ and it should still be occasionally rotated manually and securely forgotten,
to reduce the scope of privacy leak in case the
`secret leaks eventually <https://en.wikipedia.org/wiki/Forward_secrecy>`_.
- .. warning:: setting the secret is probably too risky with TLS <= 1.2.
- At this moment no gnutls stable release even supports TLS 1.3.
+ .. warning:: **Setting the secret is probably too risky with TLS <= 1.2**.
+ At this moment no GnuTLS stable release even supports TLS 1.3.
Therefore setting the secrets should be considered experimental for now.
.. function:: net.tls_sticket_secret_file([string with path to a file containing pre-shared secret])
assert(!EINVAL);
return kr_error(EINVAL);
}
+ /* documented limitation: time_t and endianess must match
+ * on instances sharing a secret */
if (!force_update && memcmp(ctx->hash_data, &epoch, sizeof(epoch)) == 0) {
return kr_ok(); /* we are up to date */
- /* TODO: support mixing endians? */
}
memcpy(ctx->hash_data, &epoch, sizeof(epoch));
projects / thirdparty / knot-resolver.git / commitdiff
