Improve documentation about SSL ticket encryption

2025-11-04 04:32:24 -05:00 · 2015-06-25 12:44:46 +02:00 · 2015-06-25 12:44:46 +02:00 · dc54ff8578
commit dc54ff8578
parent a25ffc3b0f
1 changed files with 7 additions and 2 deletions
--- a/include/mbedtls/ssl_ticket.h
+++ b/include/mbedtls/ssl_ticket.h
@ -87,14 +87,19 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );
 * \param ctx       Context to be set up
 * \param f_rng     RNG callback function
 * \param p_rng     RNG callback context
- * \param cipher    AEAD cipher to use for ticket protection, eg
- *                  MBEDTLS_CIPHER_AES_256_GCM or MBEDTLS_CIPHER_AES_256_CCM.
+ * \param cipher    AEAD cipher to use for ticket protection.
+ *                  Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
 * \param lifetime  Tickets lifetime in seconds
+ *                  Recommended value: 86400 (one day).
 *
 * \note            It is highly recommended to select a cipher that is at
 *                  least as strong as the the strongest ciphersuite
 *                  supported. Usually that means a 256-bit key.
 *
+ * \note            The lifetime of the keys is twice the lifetime of tickets.
+ *                  It is recommended to pick a reasonnable lifetime so as not
+ *                  to negate the benefits of forward secrecy.
+ *
 * \return          0 if successful,
 *                  or a specific MBEDTLS_ERR_XXX error code
 */