Re: [exim-dev] [Bug 2104] TLS wrong version number on connec…

Author: Phil Pennock
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2104] TLS wrong version number on connection reuse
On 2017-04-23 at 00:55 -0400, Viktor Dukhovni wrote:
> I find that rather perplexing. Over a single TCP connection it is not valid
> to issue a second STARTTLS. I am misreading the above?

If you tear down TLS, the standards are silent about what happens next.

Exim's current model, which Jeremy is working on changing, has all TLS
state in the process which delivers one message. Delivering multiple
messages in one connection requires passing an open file descriptor to
another Unix process, but TLS libraries generally don't make their
internal state serializable for passing around in such a manner, so Exim
has no choice but to tear down TLS and see if the remote server is happy
to have TLS re-established again. For some remote MTAs it works, for
others it doesn't.

Jeremy is doing the hard work of trying to change this, partially based
on a crazy idea of mine; this is not yet released, it's part of Exim
4.90 (I think J slightly mis-spoke in his phrasing around 4.89). In the
new model, the TLS client is capable of being a process proxy for other
delivery processes, via a Unix socket, so TLS never needs to be torn
down. Performance should be significantly better, despite the extra
copies and extra process locally.

There's some bug-fixing and cleanup required though, around things as
basic as "what gets logged", since this isn't how Exim was designed.

-Phil
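The proxy model described above, written out as an added example in Go. This is not Exim's code (Exim is written in C, and the real proxy protocol between its delivery processes and the TLS-holding process is not reproduced here); it only shows the shape of the design: one long-lived client owns the TLS session, delivery clients connect to it over a Unix socket, and the session is never torn down between messages. Everything here is constructed for the demo: the loopback "remote MTA" is a TLS listener with a self-signed certificate that answers any line with a 250 reply, the name mx.example.invalid and the socket path are made up, and each delivery is reduced to a single command/reply exchange.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"os"
	"sync/atomic"
	"time"
)

const remoteName = "mx.example.invalid" // hypothetical remote MTA name, demo only

// must keeps the demo short: any setup failure aborts the program.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert builds an in-memory certificate for the loopback "remote MTA".
func selfSignedCert() (tls.Certificate, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{remoteName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der))
}

// runServer plays the remote MTA: every accepted TLS connection is one handshake,
// every line received is one accepted message (answered with a 250 reply).
func runServer(ln net.Listener, handshakes, messages *int64) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		atomic.AddInt64(handshakes, 1) // sequential handling is enough for this demo
		r := bufio.NewReader(c)
		for line, err := r.ReadString('\n'); err == nil; line, err = r.ReadString('\n') {
			atomic.AddInt64(messages, 1)
			fmt.Fprintf(c, "250 accepted %s", line)
		}
		c.Close()
	}
}

// runProxy owns the one TLS session and relays each delivery's command and reply.
func runProxy(uln net.Listener, remote net.Conn) {
	rr := bufio.NewReader(remote)
	for {
		d, err := uln.Accept() // one delivery process at a time keeps the dialogue ordered
		if err != nil {
			return
		}
		if line, err := bufio.NewReader(d).ReadString('\n'); err == nil {
			if _, err = remote.Write([]byte(line)); err == nil {
				reply, _ := rr.ReadString('\n')
				d.Write([]byte(reply))
			}
		}
		d.Close()
	}
}

// ProxyDemo pushes n messages through the proxy from n fresh Unix-socket clients
// and returns (handshakes the remote saw, messages it accepted).
func ProxyDemo(n int) (handshakes, messages int64) {
	cert, leaf := selfSignedCert()
	srv := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	defer srv.Close()
	go runServer(srv, &handshakes, &messages)
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // pin the constructed certificate rather than disable verification
	remote := must(tls.Dial("tcp", srv.Addr().String(), &tls.Config{RootCAs: roots, ServerName: remoteName}))
	defer remote.Close()
	sock := fmt.Sprintf("%s/tlsproxy-%d.sock", os.TempDir(), os.Getpid())
	uln := must(net.Listen("unix", sock))
	defer uln.Close() // Close also unlinks the socket file
	go runProxy(uln, remote)
	for i := 0; i < n; i++ {
		d := must(net.Dial("unix", sock)) // a "delivery process" talks plaintext to the proxy
		fmt.Fprintf(d, "MAIL FROM:<msg%d@example.invalid>\n", i)
		must(bufio.NewReader(d).ReadString('\n')) // a dead session shows up here as a panic
		d.Close()
	}
	return atomic.LoadInt64(&handshakes), atomic.LoadInt64(&messages)
}
```

Calling ProxyDemo(n) returns 1 handshake and n accepted messages for any n: the remote only ever sees one TLS session, which is exactly what the old tear-down-and-re-STARTTLS approach could not guarantee against every peer. The extra copy through the Unix socket is the price Phil mentions; what it buys is that the TLS state never has to leave the process that created it.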