daemon/tls: document limitations of the session key synchronization

daemon/README.rst

@@ -505,13 +505,16 @@ TLS server configuration
 
    If you provide the same secret to multiple instances, they will be able to resume
    each other's sessions *without* any further communication between them.
-   For good security, the secret must have enough entropy to be hard to guess,
-   and it should still be occasionally rotated manually (and securely forgotten),
+   This synchronization works only among instances having the same endianess
+   and time_t structure and size (`sizeof(time_t)`).
+
+   **For good security** the secret must have enough entropy to be hard to guess,
+   and it should still be occasionally rotated manually and securely forgotten,
    to reduce the scope of privacy leak in case the
    `secret leaks eventually <https://en.wikipedia.org/wiki/Forward_secrecy>`_.
 
-   .. warning:: setting the secret is probably too risky with TLS <= 1.2.
-      At this moment no gnutls stable release even supports TLS 1.3.
+   .. warning:: **Setting the secret is probably too risky with TLS <= 1.2**.
+      At this moment no GnuTLS stable release even supports TLS 1.3.
       Therefore setting the secrets should be considered experimental for now.
 
 .. function:: net.tls_sticket_secret_file([string with path to a file containing pre-shared secret])

daemon/tls_session_ticket-srv.c

@@ -143,9 +143,10 @@ static int tst_key_update(tst_ctx_t *ctx, time_t epoch, bool force_update)
 		assert(!EINVAL);
 		return kr_error(EINVAL);
 	}
+	/* documented limitation: time_t and endianess must match
+	 * on instances sharing a secret */
 	if (!force_update && memcmp(ctx->hash_data, &epoch, sizeof(epoch)) == 0) {
 		return kr_ok(); /* we are up to date */
-		/* TODO: support mixing endians? */
 	}
 	memcpy(ctx->hash_data, &epoch, sizeof(epoch));