Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSL…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Jeremy Harris
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSLv3 disabled?
On 30/03/17 22:11, Viktor Dukhovni wrote:
> Disabling session generation and suppressing session tickets takes
> a few lines of code (for OpenSSL):
>
>     #ifdef SSL_OP_NO_TICKET
>         SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
>     #endif
>         SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);

>
> This will save clients the cost of attempting session resumption,
> and will save bandwidth transmitting session tickets, ...


I've pushed that addition.

> There's likely something similar that can be done to disable
> server-side session caches with GnuTLS.


More problematic.

Server side appears to default to neither ticket nor cache support;
you have to request it and Exim does not.

Client side defaults to ticket-enabled in 3.1.3 + (unless you use
a priority string of "PFS", which only appears in 3.2.4 +).
I've not done anything there.

--
Cheers,
Jeremy