Opened 5 years ago

Closed 5 years ago

#1864 closed task (wontfix)

Tune documentation for ssl_session_tickets (supported RFC number)

Reported by: Дилян Палаузов Owned by:
Priority: minor Milestone: nginx-1.17
Component: other Version: 1.17.x
Keywords: Cc:
uname -a:
nginx -V: nginx.org

Description

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets links to RFC 5077. It is obsoleted by RFC 8446.

Either update the link to point to RFC 8446, or state, that RFC 8446 is not supported.

Change History (2)

comment:1 by Sergey Kandaurov, 5 years ago

The directive was originally written for session tickets in TLSv1.2 and below, hence its documentation refers to RFC 4507, later updated to RFC 5077.
Then, session tickets have a different nature in TLSv1.2 (and below) and TLSv1.3.
The way the SSL_OP_NO_TICKET option set by this directive is implemented in OpenSSL doesn't allow to skip sending session tickets in TLSv1.3; instead, it works in a different and rather complicated "stateful" mode which depends on ssl_session_cache. Note though, that it's not so in BoringSSL, where no tickets get sent at all if disabled.
So, this is all a bit complicated and I'd refrain from documenting RFC 8446 support either proposed way.

comment:2 by Sergey Kandaurov, 5 years ago

Resolution: wontfix
Status: newclosed
Note: See TracTickets for help on using tickets.