aboutsummaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2019-09-13 06:28:38 -0400
committerJack Lloyd <[email protected]>2019-09-13 06:28:52 -0400
commit5431337403bc47d050c4010c1a3f31451f6a881b (patch)
treeda48ab4595488f4f30171e42b04d0f983214d40d /doc
parent71a92630ac1e3d995a017610e82a62ad6c54d246 (diff)
Updates to the TLS docs
Diffstat (limited to 'doc')
-rw-r--r--doc/api_ref/tls.rst78
1 files changed, 59 insertions, 19 deletions
diff --git a/doc/api_ref/tls.rst b/doc/api_ref/tls.rst
index 1da40c58f..1980e094b 100644
--- a/doc/api_ref/tls.rst
+++ b/doc/api_ref/tls.rst
@@ -666,6 +666,12 @@ Every time your handshake callback is called, a new session has been
established, and a ``TLS::Session`` is included that provides
information about that session:
+.. note::
+
+ The serialization format of Session is not considered stable and is allowed
+ to change even within a single major release cycle. In the event of such a
+ change, old sessions will no longer be able to be resumed.
+
.. cpp:class:: TLS::Session
.. cpp:function:: Protocol_Version version() const
@@ -705,10 +711,8 @@ information about that session:
Encrypts a session using a symmetric key *key* and returns a raw
binary value that can later be passed to ``decrypt``. The key
- may be of any length.
-
- Currently the implementation encrypts the session using AES-256
- in GCM mode with a random nonce.
+ may be of any length. The format is described in
+ :ref:`tls_session_encryption`.
.. cpp:function:: static Session decrypt(const uint8_t ciphertext[], \
size_t length, \
@@ -988,18 +992,23 @@ policy settings from a file.
Signals that we prefer ECC points to be compressed when transmitted to us.
The other party may not support ECC point compression and therefore may still
send points uncompressed.
-
+
Note that the certificate used during authentication must also follow the other
party's preference.
Default: false
+ .. note::
+
+ Support for EC point compression is deprecated and will be removed in a
+ future major release.
+
.. cpp:function:: bool acceptable_protocol_version(Protocol_Version version)
Return true if this version of the protocol is one that we are
willing to negotiate.
- Default: Accepts TLS v1.0 or higher and DTLS v1.2 or higher.
+ Default: Accepts TLS v1.2 and DTLS v1.2, and rejects all older versions.
.. cpp:function:: bool server_uses_own_ciphersuite_preferences() const
@@ -1007,19 +1016,6 @@ policy settings from a file.
most out of the client's list. Otherwise, it will negotiate the
first cipher in the client's ciphersuite list that it supports.
- .. cpp:function:: bool negotiate_heartbeat_support() const
-
- If this function returns true, clients will offer the heartbeat
- support extension, and servers will respond to clients offering
- the extension. Otherwise, clients will not offer heartbeat
- support and servers will ignore clients offering heartbeat
- support.
-
- If this returns true, callers should expect to handle heartbeat
- data in their ``alert_cb``.
-
- Default: false
-
.. cpp:function:: bool allow_client_initiated_renegotiation() const
If this function returns true, a server will accept a
@@ -1036,6 +1032,16 @@ policy settings from a file.
Default: false
+ .. cpp:function:: bool abort_connection_on_undesired_renegotiation() const
+
+ If a renegotiation attempt is being rejected due to the configuration of
+ :cpp:func:`TLS::Policy::allow_client_initiated_renegotiation` or
+ :cpp:func:`TLS::Policy::allow_server_initiated_renegotiation`, and
+ this function returns true then the connection is closed with a fatal
+ alert instead of the default warning alert.
+
+ Default: false
+
.. cpp:function:: bool allow_insecure_renegotiation() const
If this function returns true, we will allow renegotiation attempts
@@ -1873,3 +1879,37 @@ Stream Code Example
io_context.run();
}
+
+.. _tls_session_encryption:
+
+TLS Session Encryption
+-------------------------
+
+A unified format is used for encrypting TLS sessions either for durable storage
+(on client or server) or when creating TLS session tickets. This format is *not
+stable* even across the same major version.
+
+The current session encryption scheme was introduced in 1.11.13.
+
+Session encryption accepts a key of any length, though for best security a key
+of 256 bits should be used. This master key is used to key an instance of HMAC
+using the SHA-256 hash.
+
+A random 96 bit nonce is created and included in the header. Then the nonce is
+hashed using the keyed HMAC to produce a 256-bit GCM key. This key and nonce
+pair are used to encrypt the session.
+
+The current design is unfortunate in several ways:
+
+ * If the random 96-bit nonce ever repeats, then the same GCM key *and nonce*
+ are used to encrypt 2 different sessions, breaking the security of sessions
+ encrypted using that duplicated key/nonce. The GCM nonce should have been
+ independently created and included in the header, making a key collision
+ harmless.
+
+ * There is no simple way to detect old or rotated keys, except by attempting
+ decryption. Instead a key identifier should be included in the header.
+
+ * There is no indicator of the format used, which makes handling format
+ upgrades without breaking compatability awkward.
+