[openssl-project] OpenSSL 1.1.1 library(OpenSSL 1.1.0 compile) Postfix to Postfix test

Viktor Dukhovni openssl-users at dukhovni.org
Tue Apr 24 14:21:28 UTC 2018



> On Apr 24, 2018, at 9:29 AM, Benjamin Kaduk <kaduk at mit.edu> wrote:
> 
> To be clear, the current draft explicitly says "Servers SHOULD issue
> new tickets with every connection."  This is not a MUST, but is
> perhaps strong enough guidance to merit overriding the existing
> ticket callback semantics.

Fine advice for browsers, but not terribly useful for Postfix.
Multiple processes read and write the session cache in parallel,
and single-use tickets won't work without serialization and
multiple cache slots for the same destination.

The Postfix SMTP server needs to be able to issue tickets only
as-needed on the server.  The TLS 1.2 model works just fine for
SMTP and STEKs are already properly rotated.

I think that the previous behaviour of the callback needs to
continue to apply: if the callback does not return re-issue,
no new ticket should be returned.  The callback has access
to the SSL handle and can determine the protocol version
if it so chooses.

The built-in ticket callback can always re-issue if that's
the preferred default.

-- 
	Viktor.
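To illustrate the shared-cache race described in the message above, here is a constructed toy model (added example, not part of the thread and not Postfix or OpenSSL code): several client processes read one cache slot per destination, connect, and write back whatever ticket they received, with no serialization. The "single-use" policy models a server that consumes each ticket and issues a fresh one on every connection; the other models the TLS 1.2-style behaviour where a valid ticket is reused and a new one is issued only when nothing usable was presented. Names such as `mx.example` are placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class TicketServer:
    """Toy server: tracks tickets it issued and, for single-use tickets, consumed."""
    single_use: bool
    issued: int = 0                       # last ticket id handed out
    consumed: set = field(default_factory=set)

    def handshake(self, presented):
        """Return (resumed, new_ticket_or_None) for one client connection."""
        valid = presented is not None and presented not in self.consumed
        if self.single_use:
            # Draft guidance model: every ticket is consumed on first use and a
            # fresh ticket is issued on every connection.
            if presented is not None:
                self.consumed.add(presented)
            self.issued += 1
            return valid, self.issued
        # TLS 1.2-style model: a valid ticket keeps working until STEK rotation;
        # a new ticket is issued only after a full handshake.
        if valid:
            return True, None
        self.issued += 1
        return False, self.issued


def simulate(single_use, nproc=4, rounds=5, dest="mx.example"):
    """Run `rounds` of `nproc` unserialized clients sharing one cache slot.

    Returns (resumed, full) connection counts."""
    server = TicketServer(single_use=single_use)
    cache = {}                            # one slot per destination, shared by all
    resumed = full = 0
    for _ in range(rounds):
        # Every process reads the slot before any of them has written it back.
        held = [cache.get(dest) for _ in range(nproc)]
        written = []
        for ticket in held:
            ok, new = server.handshake(ticket)
            resumed += int(ok)
            full += int(not ok)
            written.append(new if new is not None else ticket)
        # Unserialized writes: the last writer wins, earlier tickets are lost.
        for ticket in written:
            if ticket is not None:
                cache[dest] = ticket
    return resumed, full
```

With the defaults, single-use tickets let only the first of the four concurrent processes resume in each round (4 resumptions out of 20 connections), while the reusable-ticket model resumes every connection after the first round (16 out of 20).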


