Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSL…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Viktor Dukhovni
Dátum:  
Címzett: exim users
Tárgy: Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSLv3 disabled?

> On Mar 30, 2017, at 4:40 PM, Heiko Schlittermann via Exim-users <exim-users@???> wrote:
>
>> I don't know whether Exim needs to be restarted to change
>> certificates, or picks up new certs automatically as clients
>> connect. I suspect the latter, with the TLS context
>> created and destroyed per connection.
>
> You're right, Exim picks up the cert/keys per connection, as the
> relevant options are expandable at runtime. (But, as far as I know,
> currently not based on the key that is requested (so we do not support
> multiple key setups for the same CN, as far as I know. But I may be
> wrong, as always.)


What this means is that session resumption can't possibly work in
Exim (which is OK, Exim is not obligated to optimize the handshake
overhead of high-volume TLS traffic). Consequently, it would be
best if Exim did not generate SSL session ids or vend TLS session
tickets.

Disabling session generation and suppressing session tickets takes
a few lines of code (for OpenSSL):

    #ifdef SSL_OP_NO_TICKET
        SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
    #endif
        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);


This will save clients the cost of attempting session resumption,
and will save bandwidth transmitting session tickets, ...

There's likely something similar that can be done to disable
server-side session caches with GnuTLS.

-- 
    Viktor.