Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSL…

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSLv3 disabled?
On 30/03/17 22:11, Viktor Dukhovni wrote:
> Disabling session generation and suppressing session tickets takes
> a few lines of code (for OpenSSL):
>
>     #ifdef SSL_OP_NO_TICKET
>         SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
>     #endif
>         SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
>
> This will save clients the cost of attempting session resumption,
> and will save bandwidth transmitting session tickets, ...


I've pushed that addition.

> There's likely something similar that can be done to disable
> server-side session caches with GnuTLS.


More problematic.

Server side appears to default to neither ticket nor cache support;
you have to request it and Exim does not.

Client side defaults to ticket-enabled in 3.1.3+ (unless you use
a priority string of "PFS", which only appears in 3.2.4+).
I've not done anything there.

--
Cheers,
Jeremy