tls13: srv: Fail connection if ticket lifetime exceed 7 days

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com> Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-08-08 17:42:09 +03:00 · 2023-11-22 15:01:18 +08:00
parent 97dfc726f3
commit ce79488dd5
3 changed files with 61 additions and 10 deletions
--- a/include/mbedtls/ssl_ticket.h
+++ b/include/mbedtls/ssl_ticket.h
@@ -111,6 +111,13 @@ void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx);
 * \note            It is recommended to pick a reasonable lifetime so as not
 *                  to negate the benefits of forward secrecy.
 *
+ * \note            The TLS 1.3 specification states that ticket lifetime must
+ *                  be smaller than seven days. If ticket lifetime has been
+ *                  set to a value greater than seven days in this module then
+ *                  if the TLS 1.3 is configured to send tickets after the
+ *                  handshake it will fail the connection when trying to send
+ *                  the first ticket.
+ *
 * \return          0 if successful,
 *                  or a specific MBEDTLS_ERR_XXX error code
 */
@@ -147,6 +154,13 @@ int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
 * \note            It is recommended to pick a reasonable lifetime so as not
 *                  to negate the benefits of forward secrecy.
 *
+ * \note            The TLS 1.3 specification states that ticket lifetime must
+ *                  be smaller than seven days. If ticket lifetime has been
+ *                  set to a value greater than seven days in this module then
+ *                  if the TLS 1.3 is configured to send tickets after the
+ *                  handshake it will fail the connection when trying to send
+ *                  the first ticket.
+ *
 * \return          0 if successful,
 *                  or a specific MBEDTLS_ERR_XXX error code
 */