X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fssl%2FSSL_CTX_set_tlsext_ticket_key_cb.pod;h=da0dd0f597e40de8d636a871bf17ccb1d9802e01;hp=b9371d76977c25d046883d8494b222a1b7152288;hb=a414bc8c3ec50c94db5869bc88a663169086b44b;hpb=98a3c3c514f9966d3bd948dbdf1a6370b597d8d8 diff --git a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod index b9371d7697..da0dd0f597 100644 --- a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod +++ b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod @@ -49,8 +49,10 @@ the callback function will be called with I equal to 1. The OpenSSL library expects that the function will set an arbitary I, initialize I, and set the cipher context I and the hash context I. -The I is only 16 characters long. The I is of length -L defined in B. +The I is 16 characters long and is used as a key identifier. + +The I length is the length of the IV of the corresponding cipher. The +maximum IV length is L bytes defined in B. The initialization vector I should be a random value. The cipher context I should use the initialisation vector I. The cipher context can be 
@@ -110,6 +112,17 @@ an all other negotiated state information encrypted within the ticket. In a resumed session the applications will have all this state information available exactly as if a full negiotation had occured. +If an attacker can obtain the key used to encrypt a session ticket, they can +obtain the master secret for any ticket using that key and decrypt any traffic +using that session: even if the ciphersuite supports forward secrecy. As +a result applications may wish to use multiple keys and avoid using long term +keys stored in files. + +Applications can use longer keys to maintain a consistent level of security. +For example if a ciphersuite uses 256 bit ciphers but only a 128 bit ticket key +the overall security is only 128 bits because breaking the ticket key will +enable an attacker to obtain the session keys. + =head1 EXAMPLES Reference Implemention:
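Review bot: the new IV sentence in the first hunk tells the implementer that the iv length is the cipher's IV length but not how to obtain it; since the callback chooses the cipher when it initialises the cipher context, suggest stating that the IV must be sized to EVP_CIPHER_iv_length() of the cipher it selects, with the maximum-length macro the sentence links to serving only as the bound on the caller's buffer. That macro is also marked up with an L<> code, which POD reserves for cross references to man pages or URLs; a constant belongs in B<> or C<>, matching the header name beside it. While these lines are being touched, the surrounding context still reads "arbitary" and mixes "initialization vector" with "initialisation vector"; fix the typo and settle on one spelling.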
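Review bot: the first added paragraph of the second hunk ends in a vague recommendation ("may wish to use multiple keys and avoid using long term keys stored in files") without saying what that achieves. Suggest stating it concretely: rotate the ticket key on a short, bounded schedule; the 16 byte name described in the first hunk is what lets the callback recognise which key a received ticket was encrypted under; and a retired key must be discarded, because its compromise still exposes every ticket it ever protected. The second added paragraph should also say which key it means, since the ticket is protected by both the cipher context and the hash context the callback initialises. Punctuation: the colon before "even if the ciphersuite supports forward secrecy" should be a comma, and "As a result applications" and "For example if a ciphersuite" each need one. The unchanged context carries "an all other" (should be "and all other"), "negiotation" and "occured"; worth fixing in the same change.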