    Add "session-tickets" options to the "tls" clause · c759f25c
    Artem Boldariev authored
    This commit adds the ability to enable or disable stateless TLS
    session resumption tickets (see RFC5077). Having this ability is
    Firstly, these tickets are encrypted by the server, and the algorithm
    might be weaker than the algorithm negotiated during the TLS session
    establishment (it is in general the case for TLSv1.2, but the generic
    principle applies to TLSv1.3 as well, despite it having better ciphers
    for session tickets). Thus, they might compromise Perfect Forward
    Secondly, disabling it might be necessary if the same TLS key/cert
    pair is supposed to be used by multiple servers to achieve, e.g., load
    balancing because the session ticket by default gets generated at
    runtime, while to achieve successful session resumption ability, in
    this case, would have required using a shared key.
    The proper alternative to having the ability to disable stateless TLS
    session resumption tickets is to implement a proper session tickets
    key rollover mechanism so that key rotation might be performed
    often (e.g. once an hour) to not compromise forward secrecy while
    retaining the associated performance benefits. That is much more work,
    though. On the other hand, having the ability to disable session
    tickets allows having a deployable configuration right now in the
    cases when either forward secrecy is wanted or sharing the TLS
    key/cert pair between multiple servers is needed (or both).
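
The key rollover mechanism that the commit message names as the proper alternative, as an added Python example (not code from this commit or its project). `TicketKeyRing`, `KEEP_OLD` and the ticket layout are assumptions made for illustration; the session state is only authenticated with HMAC here, where a real server would also encrypt it.

```python
import hashlib
import hmac
import os

ROTATE_EVERY = 3600   # seconds; the "once an hour" figure from the commit message
KEEP_OLD = 1          # assumption: tickets from one previous key are still accepted


class TicketKeyRing:
    """Rotating ticket keys: the newest key issues, older ones only validate."""

    def __init__(self, now):
        self.keys = []            # newest first: (key_name, secret, created_at)
        self._new_key(now)

    def _new_key(self, created_at):
        self.keys.insert(0, (os.urandom(16), os.urandom(32), created_at))
        # Dropping a key makes every ticket issued under it unusable, which
        # bounds how long a leaked ticket key can expose recorded sessions.
        del self.keys[1 + KEEP_OLD:]

    def rotate_if_due(self, now):
        # Catch up one period at a time if the server was idle for several.
        while now - self.keys[0][2] >= ROTATE_EVERY:
            self._new_key(self.keys[0][2] + ROTATE_EVERY)

    def issue(self, state, now):
        self.rotate_if_due(now)
        name, secret, _ = self.keys[0]
        tag = hmac.new(secret, name + state, hashlib.sha256).digest()
        return name + tag + state     # constructed layout: name | tag | state

    def accept(self, ticket, now):
        """Return the session state, or None to force a full handshake."""
        self.rotate_if_due(now)
        name, tag, state = ticket[:16], ticket[16:48], ticket[48:]
        for key_name, secret, _ in self.keys:
            if hmac.compare_digest(key_name, name):
                good = hmac.new(secret, name + state, hashlib.sha256).digest()
                return state if hmac.compare_digest(good, tag) else None
        return None                   # issuing key was already rotated out
```

With these values a ticket stays resumable for between one and two hours after it was issued; servers sharing a key/cert pair would additionally have to share the ring, which is the shared-key requirement the message mentions.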