author: claudio <claudio@openbsd.org> 2016-09-01 10:49:48 +0000
committer: claudio <claudio@openbsd.org> 2016-09-01 10:49:48 +0000
commit: 9c9085255d0c0d3ffec78411e89820462c2e45f7
tree: d058d4d966f0778302f10e7069be9b253dc07f12 /usr.sbin/relayd/relayd.conf.5
parent: In 32 bits sqrt(val) + 1 can overflow, so some big primes still
Switch from the not really working session cache (because of the multiprocess nature of relayd) to TLS session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows the session to be resumed. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The TLS session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive. Input and OK benno@, reyk@
Diffstat (limited to 'usr.sbin/relayd/relayd.conf.5')
-rw-r--r-- usr.sbin/relayd/relayd.conf.5 | 20
1 file changed, 10 insertions, 10 deletions
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 3f1aa7c3a22..99a02b519cb 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.171 2016/08/18 14:12:51 jmc Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.172 2016/09/01 10:49:48 claudio Exp $
.\"
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: August 18 2016 $
+.Dd $Mdocdate: September 1 2016 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
@@ -965,14 +965,14 @@ TLS clients.
.It Ic no edh
Disable EDH support.
This is the default.
-.It Ic session cache Ar value
-Set the maximum size of the TLS session cache.
-If the
-.Ar value
-is zero, the default size defined by the TLS library will be used.
-A positive number will set the maximum size in bytes and the keyword
-.Ic disable
-will disable the TLS session cache.
+.It Xo
+.Op Ic no
+.Ic session tickets
+.Xc
+Disable TLS session tickets; enabled by default.
+.Xr relayd 8
+supports stateless TLS session tickets (RFC 5077) to implement TLS session
+resumption.
.It Xo
.Op Ic no
.Ic sslv3
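Review bot: The new `session tickets` entry in this hunk leaves out the operational facts an administrator needs to judge the resumption window: the commit message states that ticket keys are rotated every 2h with a primary and backup key, and that the TLS session timeout is set to 2h, but none of that reaches the manual page, so there is no way to tell from relayd.conf(5) how long a ticket stays usable or that the keys are shared across all relay processes. Consider adding a sentence after "resumption." along the lines of "Ticket keys are shared by all relay processes and rotated every two hours; the session lifetime advertised to clients is two hours." A second point: the removed `session cache Ar value` keyword is dropped without any mention that it is no longer accepted, so existing configurations that still use `session cache` will fail to parse after this update; a short note in the text (or in the commit message) that the keyword has been removed and should be deleted from configurations would save users a surprise on restart.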