Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSL…

Top Page
Delete this message
Reply to this message
Author: Viktor Dukhovni
Date:  
To: Exim-users
Subject: Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSLv3 disabled?

> On Mar 30, 2017, at 9:51 PM, Phil Pennock <pdp@???> wrote:
>
>> What this means is that session resumption can't possibly work in
>> Exim (which is OK, Exim is not obligated to optimize the handshake
>> overhead of high-volume TLS traffic). Consequently, it would be
>> best if Exim did not generate SSL session ids or vend TLS session
>> tickets.
>
> Sounds right; we should consider adding this to the default value of
> openssl_options, which theoretically exposes _every_ `SSL_OP_` to
> administrator control.


Yes, for NO_TICKET, but for completeness you also need to change
the cache mode (to completely disable the cache), which cannot be
done via the option flags.

-- 
    Viktor.