On 2020-03-09 at 17:44 +0100 Lukas Tribus sent off:
> Perhaps we can relax the wording a bit here and describe the actual
> technical issue along with some recommendations. Apache for example
> documents [1]:

I think the wording from the patch is still quite relaxed :).

One of the best summaries describing the session ticket flaws, which I recommend, is this:
https://blog.filippo.io/we-need-to-talk-about-session-tickets/

I would disable session tickets by default in haproxy. Given that most clients support TLS 1.3 already, this change would not even slow down many clients.

Björn

