Mon, 9 Mar 2020 at 23:21, Björn Jacke <[email protected]>:

> On 2020-03-09 at 17:44 +0100 Lukas Tribus sent off:
> > Perhaps we can relax the wording a bit here and describe the actual
> > technical issue along with some recommendations. Apache for example
> > documents [1]:
>
> I think the wording from the patch is still quite relaxed :). One of the best
> summaries describing the session ticket flaws, which I recommend, is this:
> https://blog.filippo.io/we-need-to-talk-about-session-tickets/
>
> I would disable session tickets by default in haproxy. Given that most
> clients support TLS 1.3 already this change would not even slow down many
> clients.
>

TLS tickets really require more love :)

actually, there are two bad choices here

1) to specify TLS ticket key
2) not to specify

if you specify, your security team will tell you that "it is not secure".
if you do not specify, keys are generated on startup and it leads to a huge
CPU spike on app reload (if you apply a new config, the app is reloaded and
keys are generated from scratch)


> Björn
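The trade-off described above (a fixed key that the security team objects to, versus keys regenerated on every reload) is usually handled by keeping a key file and rotating it on a schedule, so a reload re-reads existing keys instead of generating them. The following is an added example, not code from this thread or from haproxy itself: it generates keys in the base64 format haproxy's `tls-ticket-keys` file expects (48 bytes for AES-128, 80 for AES-256), keeps the last three keys so older tickets still decrypt, rewrites the file atomically, and can hand the newest key to a running instance over the runtime API with `set ssl tls-key`. The key-file path, socket path and key count of 3 are assumptions.

```python
import base64
import os
import secrets
import socket

# Assumptions: 48-byte keys (AES-128 tickets) and haproxy's default of
# TLS_TICKETS_NO = 3 keys; the file must hold at least that many.
KEY_BYTES = 48
KEEP = 3


def new_ticket_key(nbytes: int = KEY_BYTES) -> str:
    """Return one fresh ticket key, base64-encoded (one line of the key file)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def rotate_keys(keys: list, new_key: str, keep: int = KEEP) -> list:
    """Append new_key and keep only the newest `keep` keys.

    haproxy encrypts with the LAST key in the file and decrypts with all of
    them, so a ticket issued under an old key stays valid for keep-1 rotations.
    A file with fewer than `keep` keys is padded with fresh keys first.
    """
    current = [k for k in keys if k]
    while len(current) < keep - 1:
        current.append(new_ticket_key())
    return (current + [new_key])[-keep:]


def rotate_keyfile(path: str, new_key: str, keep: int = KEEP) -> list:
    """Rewrite the tls-ticket-keys file atomically (tmp file + rename) so a
    concurrent reload never reads a half-written file."""
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [line.strip() for line in f]
    keys = rotate_keys(existing, new_key, keep)
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write("\n".join(keys) + "\n")
    os.chmod(tmp, 0o600)  # keys are secrets; keep them readable by haproxy only
    os.replace(tmp, path)
    return keys


def push_key_runtime(sock_path: str, keyfile: str, new_key: str) -> str:
    """Install the new key in a running haproxy without a reload.
    <id> is the key file path exactly as written on the bind line (assumed)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(f"set ssl tls-key {keyfile} {new_key}\n".encode())
        return s.recv(4096).decode()


if __name__ == "__main__":
    keyfile = "/etc/haproxy/ticket-keys.txt"  # assumed path from the bind line
    key = new_ticket_key()
    rotate_keyfile(keyfile, key)
    print(push_key_runtime("/run/haproxy/admin.sock", keyfile, key))  # assumed socket
```

Run it from cron at the interval your policy allows for a ticket key's lifetime; with three keys kept, a ticket remains decryptable for two further rotations and is then refused, forcing a full handshake.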
