Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSL…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni
Datum:  
To: Exim-users
Betreff: Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSLv3 disabled?

> On Apr 2, 2017, at 10:01 AM, Jeremy Harris <jgh@???> wrote:
>
> On 30/03/17 22:11, Viktor Dukhovni wrote:
>> Disabling session generation and suppressing session tickets takes
>> a few lines of code (for OpenSSL):
>>
>>    #ifdef SSL_OP_NO_TICKET
>>        SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
>>    #endif
>>        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);

>>
>> This will save clients the cost of attempting session resumption,
>> and will save bandwidth transmitting session tickets, ...
>
> I've pushed that addition.


Great, thanks.

>> There's likely something similar that can be done to disable
>> server-side session caches with GnuTLS.
>
> More problematic.
>
> Server side appears to default to neither ticket nor cache support;
> you have to request it and Exim does not.


So not much to do on the server. That's good too.

> Client side defaults to ticket-enabled in 3.1.3 + (unless you use
> a priority string of "PFS", which only appears in 3.2.4 +).
> I've not done anything there.


This is largely harmless, the client may "cache" a session created
by some remote server in its memory, and then exit shortly after.
I don't think there's a compelling reason to disable client-side
caches. So you're likely done for now.

-- 
    Viktor.