Limit the lifetime of tickets to Policy::session_ticket_lifetime()

seconds and report that value to the client in the NewSessionTicket
message. After that point, a session ticket is ignored and a full
renegotiation is forced.

Only send a new session ticket on a new session, or on a resumed
session where the client indicated it supports session tickets but for
whatever reason didn't send one in the hello. Perhaps in this case, we
should also remove the session from the session manager?

Clean up server selection of the ciphersuite a bit, all in an anon
function in tls_server instead of scattered over Server, Policy, and
Server_Hello.

Add Session::session_age and Session_Manager::session_lifetime

1 files changed, 2 insertions, 2 deletions

diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp
index ba9ec8082..2ec7eec2e 100644
--- a/src/tls/tls_client.cpp
+++ b/src/tls/tls_client.cpp
@@ -241,8 +241,8 @@ void Client::process_handshake_msg(Handshake_Type type,
                ever sent. The server may or may not send a server kex,
                depending on if it has an identity hint for us.
 
-               DHE_PSK always sends a server key exchange for the DH
-               exchange portion.
+               (EC)DHE_PSK always sends a server key exchange for the
+               DH exchange portion.
             */
 
             state->set_expected_next(SERVER_KEX);