From 7f0dd581a3abd029b9d507a078cfc7b5eefc927b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 19 Jun 2018 13:16:13 +0200
Subject: gnutls_session_get_id: document restrictions

This documents the fact that a TLS session ID cannot be relied to be unique or to even have a meaningful value.

Resolves #484

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/session.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/lib/session.c b/lib/session.c
index 97e076976f..e6b8c98b39 100644
--- a/lib/session.c
+++ b/lib/session.c
@@ -172,6 +172,12 @@ gnutls_session_get_data2(gnutls_session_t session, gnutls_datum_t *data)
  * current session. In all supported TLS protocols, the session id
  * is less than %GNUTLS_MAX_SESSION_ID_SIZE.
  *
+ * The TLS session ID cannot be relied for uniquely identifying sessions.
+ * It should not be used by new applications, nor be assumed
+ * that it will remain the same on resumption. The session ID changes
+ * even on resumed sessions under session tickets, and has no defined meaning
+ * under TLS 1.3.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
  * an error code is returned.
  **/
@@ -207,6 +213,12 @@ gnutls_session_get_id(gnutls_session_t session,
  * Returns the current session ID. The returned data should be
  * treated as constant.
  *
+ * The TLS session ID cannot be relied for uniquely identifying sessions.
+ * It should not be used by new applications, nor be assumed
+ * that it will remain the same on resumption. The session ID changes
+ * even on resumed sessions under session tickets, and has no defined meaning
+ * under TLS 1.3.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
  * an error code is returned.
  *
-- 
cgit v1.2.1
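Review bot: The paragraph added in both hunks warns callers off the session ID but names no replacement, so code that compares IDs to detect resumption has nowhere to go. I would add one line to each doc comment, e.g. ` * To check whether a session was resumed, use gnutls_session_is_resumed().`, and reword `cannot be relied for` to `cannot be relied upon for`. Callers that need a value bound to the connection would presumably be better served by a channel binding or exporter than by any session ID, though that is beyond what these hunks show. Both doc comments start and end outside the hunks, so the documented functions (apparently gnutls_session_get_id() and the one following it) are inferred from the subject line and hunk headers.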