From 7b5e1364587beae59a39da5a86ec095fa8bedef8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bj=C3=B6rn=20Jacke?= <bj@sernet.de>
Date: Thu, 13 Feb 2020 14:43:44 +0100
Subject: [PATCH] DOC: improve description of no-tls-tickets

It was not obvious, that this setting only affects TLS versions <= 1.2 and it
we should also mention the security implication of session tickets here.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
---
 doc/configuration.txt | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index ab501ead6b..34d5076f65 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -11677,6 +11677,10 @@ no-tls-tickets
   extension) and force to use stateful session resumption. Stateless
   session resumption is more expensive in CPU usage. This option is also
   available on global statement "ssl-default-bind-options".
+  The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to
+  man-in-the-middle attacks. You should consider to disable them for
+  security reasons. TLS 1.3 implements more secure methods for session
+  resumption.
 
 no-tlsv10
   This setting is only available when support for OpenSSL was built in. It
@@ -12376,6 +12380,10 @@ no-tls-tickets
   extension) and force to use stateful session resumption. Stateless
   session resumption is more expensive in CPU usage for servers. This option
   is also available on global statement "ssl-default-server-options".
+  The TLS ticket mechanism is only used up to TLS 1.2 and it is prone to
+  man-in-the-middle attacks. You should consider to disable them for
+  security reasons. TLS 1.3 implements more secure methods for session
+  resumption.
   See also "tls-tickets".
 
 no-tlsv10
-- 
2.39.5