Ashlen(euryd...@riseup.net) on 2020.10.20 16:02:49 -0600:
> In relayd.conf(5), the tls section under PROTOCOLS states the following:
> 
> no session tickets
>      Disable TLS session tickets.  relayd(8) supports stateless TLS
>      session tickets (RFC 5077) to implement TLS session resumption.
>      The default is to enable session tickets.
> 
> However, an SSL Labs test[1] without `tls { session tickets }` specified
> shows no session tickets.

There are two things I believe are happening:

* I'm not sure we wanted session resumption to be enabled by default because
of the security implications regarding perfect forward secrecy. Indeed the
option is off by default at the moment.

* With TLS 1.3, session resumption is called pre-shared key resumption.
I have to check what the issue here is, that is if Qualys does not show this
right or if relayd has to do something different.

For now, with the following options you should see session resumption:

    tls { session tickets, tlsv1.2, no tlsv1.3 }


I will figure out what to do about the default, the documentation and TLS
1.3.

/Benno
> 
> $ uname -a
> OpenBSD lain.lan 6.8 GENERIC.MP#98 amd64
> 
> [1]: https://www.ssllabs.com/ssltest/
> 
> --
> https://amissing.link
> 
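An independent way to verify whether a relayd(8) listener actually resumes TLS sessions, rather than relying on the SSL Labs report: `openssl s_client -reconnect` opens one connection and then reconnects several times, reporting each handshake as `New, ...` or `Reused, ...`. The script below is an added example written for this thread, not code from the thread or from relayd; the helper names and the abridged sample transcript are constructed for illustration, and `check_resumption` needs network access while `summarize_s_client` only parses s_client output.

```shell
#!/bin/sh
# Added example: count full handshakes ("New") versus resumed ones ("Reused")
# in the output of `openssl s_client -reconnect`, to confirm whether a TLS
# endpoint (e.g. a relayd listener) really offers session resumption.

# Parse s_client output from stdin and print "new=N reused=M".
# s_client prints one "New, <proto>, Cipher is ..." or
# "Reused, <proto>, Cipher is ..." line per connection attempt.
summarize_s_client() {
    awk '
        /^New, /    { new++ }
        /^Reused, / { reused++ }
        END { printf "new=%d reused=%d\n", new+0, reused+0 }
    '
}

# Return 0 (success) if at least one connection was resumed, 1 otherwise.
resumption_seen() {
    summary=$(summarize_s_client)
    case "$summary" in
        *"reused=0") return 1 ;;
        *)           return 0 ;;
    esac
}

# Live check against a host (constructed helper; requires network access).
# -tls1_2 is used because the thread only observes resumption with TLS 1.2;
# drop it to test the protocol the server negotiates by default.
check_resumption() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        -reconnect </dev/null 2>/dev/null | summarize_s_client
}

# Constructed, abridged sample of s_client -reconnect output: first a full
# handshake, then two reconnects that resume the session.
SAMPLE_RESUMING='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample where the server never resumes (what the thread observed).
SAMPLE_NOT_RESUMING='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

demo_resuming()     { printf '%s\n' "$SAMPLE_RESUMING"     | summarize_s_client; }
demo_not_resuming() { printf '%s\n' "$SAMPLE_NOT_RESUMING" | summarize_s_client; }

# Usage: sh thisfile.sh host.example.org 443
if [ -n "$1" ]; then
    check_resumption "$1" "${2:-443}"
fi
```

Run `check_resumption` against the listener with the `tls { session tickets, tlsv1.2, no tlsv1.3 }` settings from the reply above and again without them; if `reused` stays at 0 in both cases, the server side is not handing out tickets regardless of what the scanner reports.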
