dnsdist: add sessionTimeout setting for TLS session lifetime #8882
Thanks for this PR! The code looks good and I agree it makes sense to be able to configure the lifetime of tickets. I'm not sure we should change the default value, though, because there are some concerns that tickets can be used to track users. So I'd prefer we keep the default value set by the underlying OpenSSL library, and let the administrator change it if they so desire.
Ok, the default is now left up to OpenSSL, and I changed the setting name as well because the timeout is also used for sessions stored server-side (and that's a good reason to decouple it from ticket key rotation too). And the default value for all TLS protocols is 2 hours.
Looks great! Documentation would be nice :-)
Thanks!
Short description
Adds a new `sessionTimeout` setting for TLS session lifetime. It is used both for sessions stored server-side and to indicate to clients for how long their TLS ticket is valid. If unset or set to 0, OpenSSL's default is used (which for TLS protocols is 2 hours). It makes sense to not tell the client to throw the ticket away if the ticket key hasn't yet been rotated.
Checklist
I have: