Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSL…

Author: Viktor Dukhovni
Date:  
To: exim users
Subject: Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSLv3 disabled?

> On Mar 30, 2017, at 4:40 PM, Heiko Schlittermann via Exim-users <exim-users@???> wrote:
>
>> I don't know whether Exim needs to be restarted to change
>> certificates, or picks up new certs automatically as clients
>> connect. I suspect the latter, with the TLS context
>> created and destroyed per connection.
>
> You're right, Exim picks up the cert/keys per connection, as the
> relevant options are expandable at runtime. (But, as far as I know,
> currently not based on the key that is requested (so we do not support
> multiple key setups for the same CN, as far as I know. But I may be
> wrong, as always.)


What this means is that session resumption can't possibly work in
Exim (which is OK, Exim is not obligated to optimize the handshake
overhead of high-volume TLS traffic). Consequently, it would be
best if Exim did not generate SSL session ids or vend TLS session
tickets.

Disabling session generation and suppressing session tickets takes
a few lines of code (for OpenSSL):

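    /* Do not issue TLS session tickets (guarded: older OpenSSL lacks the option). */
    #ifdef SSL_OP_NO_TICKET
        SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
    #endif
        /* Turn off the session cache so sessions are not stored for resumption. */
        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);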


This will save clients the cost of attempting session resumption,
and will save bandwidth transmitting session tickets, ...

There's likely something similar that can be done to disable
server-side session caches with GnuTLS.

-- 
    Viktor.