> On Apr 2, 2017, at 10:01 AM, Jeremy Harris <jgh@???> wrote:
>
> On 30/03/17 22:11, Viktor Dukhovni wrote:
>> Disabling session generation and suppressing session tickets takes
>> a few lines of code (for OpenSSL):
>>
>> #ifdef SSL_OP_NO_TICKET
>> SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
>> #endif
>> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
>>
>> This will save clients the cost of attempting session resumption,
>> and will save bandwidth transmitting session tickets, ...
>
> I've pushed that addition.
Great, thanks.
>> There's likely something similar that can be done to disable
>> server-side session caches with GnuTLS.
>
> More problematic.
>
> Server side appears to default to neither ticket nor cache support;
> you have to request it and Exim does not.
So not much to do on the server. That's good too.
> Client side defaults to ticket-enabled in 3.1.3 + (unless you use
> a priority string of "PFS", which only appears in 3.2.4 +).
> I've not done anything there.
This is largely harmless, the client may "cache" a session created
by some remote server in its memory, and then exit shortly after.
I don't think there's a compelling reason to disable client-side
caches. So you're likely done for now.
--
Viktor.