Sebastian Benoit(benoit-li...@fb12.de) on 2020.10.21 21:26:00 +0200:
> Ashlen(euryd...@riseup.net) on 2020.10.20 16:02:49 -0600:
> > In relayd.conf(5), the tls section under PROTOCOLS states the following:
> >
> > no session tickets
> >     Disable TLS session tickets. relayd(8) supports stateless TLS
> >     session tickets (RFC 5077) to implement TLS session resumption.
> >     The default is to enable session tickets.
> >
> > However, an SSL Labs test[1] without `tls { session tickets }` specified
> > shows no session tickets.
>
> There are two things I believe are happening:
>
> * I'm not sure we wanted session resumption to be enabled by default because
>   of the security implications regarding perfect forward secrecy. Indeed the
>   option is off by default at the moment.

It's disabled by default on purpose. Manpage is updated.

> * With TLS 1.3, session resumption is called pre-shared key (PSK) resumption.
>   I have to check what the issue here is, that is if Qualys does not show this
>   right or if relayd has to do something different.

Indeed, our TLS 1.3 does not yet support session resumption.

> For now, with the following options you should see session resumption:
>
> tls { session tickets, tlsv1.2, no tlsv1.3 }

Of course if you just do tls { session tickets } clients that support 1.3 won't get it, but ones that do not support 1.3 will.

Best,
Benno
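For readers putting this together, here is an added relayd.conf(5) fragment (not from the thread or the relayd project) showing the default, ticket-free protocol next to one that enables RFC 5077 tickets and pins TLS 1.2 as the message describes. The interface macro, table name, keypair name and backend address are assumed placeholders.

```conf
# Assumed placeholders: adjust $ext_addr, the keypair name and the backend table.
ext_addr = "192.0.2.10"
table <web> { 10.0.0.5 }

# Default behaviour: session tickets are off, so every handshake is a full one.
# Forward secrecy is not weakened by a long-lived ticket key, at the cost of
# a full handshake per new connection.
http protocol "https-no-resume" {
	tls keypair "example.com"
}

# Opt-in resumption via stateless tickets. Until relayd's TLS 1.3 supports
# PSK resumption, 1.3 clients will still do full handshakes; forcing 1.2
# (as suggested in the thread) makes resumption visible to all clients,
# but trades away TLS 1.3 for them.
http protocol "https-resume" {
	tls { session tickets, tlsv1.2, no tlsv1.3 }
	tls keypair "example.com"
}

relay "https" {
	listen on $ext_addr port 443 tls
	protocol "https-resume"
	forward to <web> port 80 check http "/" code 200
}
```

Switching the relay's protocol to "https-no-resume" restores the default; run `relayd -n` to syntax-check the file before reloading.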