Sebastian Benoit(benoit-li...@fb12.de) on 2020.10.21 21:26:00 +0200:
> Ashlen(euryd...@riseup.net) on 2020.10.20 16:02:49 -0600:
> > In relayd.conf(5), the tls section under PROTOCOLS states the following:
> > 
> > no session tickets
> >      Disable TLS session tickets.  relayd(8) supports stateless TLS
> >      session tickets (RFC 5077) to implement TLS session resumption.
> >      The default is to enable session tickets.
> > 
> > However, an SSL Labs test[1] without `tls { session tickets }` specified
> > shows no session tickets.
> 
> There are two things I believe are happening:
> 
> * I'm not sure we wanted session resumption to be enabled by default because
> of the security implications regarding perfect forward secrecy. Indeed the
> option is off by default at the moment.

It's disabled by default on purpose.
Manpage is updated.

> 
> * With TLS 1.3, session resumption is called pre-shared key resumption.
> I have to check what the issue here is, that is if qualys does not show this
> right or if relayd has to do something different.

Indeed, our TLS 1.3 does not yet support session resumption:

> For now, with the following options you should see session resumption:
> 
>     tls { session tickets, tlsv1.2, no tlsv1.3 }

Of course if you just do

  tls { session tickets }

clients that support 1.3 won't get it, but ones that do not support 1.3 will.

Best,
Benno
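Added example, not part of the thread above: a small check that asks the relay directly whether it resumes sessions, instead of relying on the SSL Labs report. It assumes openssl(1) is installed and that the host and port you pass are your own relayd(8) listener (placeholders here). Forcing -tls1_2 exercises the path the thread says works with `tls { session tickets }`; passing -tls1_3 should report a fresh handshake, since relayd's TLS 1.3 does not yet resume.

```shell
#!/bin/sh
# Added example for checking relayd TLS session resumption (not relayd code).
# Assumes openssl(1); HOST and PORT are placeholders for your own relay.

# Classify the "New, TLSv.../Reused, TLSv..." line that openssl s_client
# prints after the handshake. Prints "reused", "new" or "unknown".
classify_handshake() {
    case "$1" in
        *"Reused, TLSv"*) echo reused ;;
        *"New, TLSv"*)    echo new ;;
        *)                echo unknown ;;
    esac
}

# Extract the negotiated protocol version from that same line, e.g. TLSv1.2.
negotiated_version() {
    printf '%s\n' "$1" | awk -F', ' '/^(New|Reused), TLSv/ { print $2; exit }'
}

# Two connections: the first saves the session (ticket) to a temp file, the
# second offers it back. Third argument selects the protocol, default -tls1_2.
check_resumption() {
    host=$1; port=$2; proto=${3:--tls1_2}
    sess=$(mktemp) || return 2
    openssl s_client -connect "$host:$port" -servername "$host" "$proto" \
        -sess_out "$sess" </dev/null >/dev/null 2>&1
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "$proto" \
        -sess_in "$sess" </dev/null 2>/dev/null)
    rm -f "$sess"
    # e.g. "TLSv1.2 reused" when tickets work, "TLSv1.3 new" when they do not
    echo "$(negotiated_version "$out") $(classify_handshake "$out")"
}

# Usage: ./check-resumption.sh relay.example.org 443 [-tls1_2|-tls1_3]
if [ "$#" -ge 2 ]; then
    check_resumption "$@"
fi
```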
