mbedtls_ssl_ticket_rotate() function

Rotate session ticket encryption key to new specified key. Provides for external control of session ticket encryption key rotation, e.g. for synchronization between different machines. If this function is not used, or if not called before ticket lifetime expires, then a new session ticket encryption key is generated internally in order to avoid unbounded session ticket encryption key lifetimes.

Syntax

Show:

Summary

Declaration

Definition

from ssl_ticket.h:167

int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx, const unsigned char *name, size_t nlength, const unsigned char *k, size_t klength, uint32_t lifetime);

Implemented in ssl_ticket.c:154

Arguments

Argument

Declared as

Description

ctx

mbedtls_ssl_ticket_context *

Context to be set up

name

const unsigned char *

Session ticket encryption key name

nlength

size_t

Session ticket encryption key name length in bytes

const unsigned char *

Session ticket encryption key

klength

size_t

Session ticket encryption key length in bytes

lifetime

uint32_t

Tickets lifetime in seconds Recommended value: 86400 (one day).

Return value

0 if successful, or a specific MBEDTLS_ERR_XXX error code

Notes

\c name and \c k are recommended to be cryptographically random data. \c nlength must match sizeof( ctx->name ) \c klength must be sufficient for use by cipher specified to \c mbedtls_ssl_ticket_setup It is recommended to pick a reasonable lifetime so as not to negate the benefits of forward secrecy. The TLS 1.3 specification states that ticket lifetime must be smaller than seven days. If ticket lifetime has been set to a value greater than seven days in this module then if the TLS 1.3 is configured to send tickets after the handshake it will fail the connection when trying to send the first ticket.