extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage. This option is also
available on global statement "ssl-default-bind-options".
- The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to
- man-in-the-middle attacks. You should consider to disable them for
- security reasons. TLS 1.3 implements more secure methods for session
- resumption.
+ The TLS ticket mechanism is only used up to TLS 1.2.
+ Forward Secrecy is compromised with TLS tickets, unless ticket keys
+ are periodically rotated (via reload or by using "tls-ticket-keys").
no-tlsv10
This setting is only available when support for OpenSSL was built in. It
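Review bot: The replacement wording at the `+` lines removes the inaccurate man-in-the-middle claim, but "only used up to TLS 1.2" is itself imprecise: TLS 1.3 still hands out tickets through NewSessionTicket, just with PSK-based resumption instead of the RFC 5077 SessionTicket extension, so naming the extension ("the TLS 1.2 session ticket extension") would be more exact. The forward secrecy sentence would also be more useful if it said what the ticket key protects, namely the encrypted session state (including the master secret) carried in the ticket, since that is what lets readers judge how often "tls-ticket-keys" must be rotated.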
extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage for servers. This option
is also available on global statement "ssl-default-server-options".
- The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to
- man-in-the-middle attacks. You should consider to disable them for
- security reasons. TLS 1.3 implements more secure methods for session
- resumption.
+ The TLS ticket mechanism is only used up to TLS 1.2.
+ Forward Secrecy is compromised with TLS tickets, unless ticket keys
+ are periodically rotated (via reload or by using "tls-ticket-keys").
See also "tls-tickets".
no-tlsv10
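Review bot: The rotation advice at the `+` lines does not fit this "server" paragraph: here HAProxy is the TLS client, the ticket is encrypted with the backend server's ticket key, and "tls-ticket-keys" is a "bind" keyword, so neither a reload nor "tls-ticket-keys" rotates anything for these sessions. Either say that the key is held by the backend server and must be rotated there, or drop the parenthetical on the server side rather than copying the bind-side text verbatim.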
This option may be used as "server" setting to reset any "no-tls-tickets"
setting which would have been inherited from "default-server" directive as
default value.
+ The TLS ticket mechanism is only used up to TLS 1.2.
+ Forward Secrecy is compromised with TLS tickets, unless ticket keys
+ are periodically rotated (via reload or by using "tls-ticket-keys").
It may also be used as "default-server" setting to reset any previous
"default-server" "no-tls-tickets" setting.
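Review bot: The `+` lines are inserted between the two sentences that together describe the reset behaviour ("This option may be used as "server" setting ..." and "It may also be used as "default-server" setting ..."), splitting that pair; move the note after the "default-server" sentence. As with the "no-tls-tickets" server option, the "tls-ticket-keys" reference is wrong in this client-side context (the ticket key belongs to the backend server), and since this is the third verbatim copy of the same three lines a single cross-reference to the "bind" description would be easier to keep consistent.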