[openssl-project] OpenSSL 1.1.1 library(OpenSSL 1.1.0 compile) Postfix to Postfix test
openssl-users at dukhovni.org
Tue Apr 24 14:21:28 UTC 2018
> On Apr 24, 2018, at 9:29 AM, Benjamin Kaduk <kaduk at mit.edu> wrote:
> To be clear, the current draft explicitly says "Servers SHOULD issue
> new tickets with every connection." This is not a MUST, but is
> perhaps strong enough guidance to merit overriding the existing
> ticket callback semantics.
Fine advice for browsers, but not terribly useful for Postfix.
Multiple processes read and write the session cache in parallel,
and single-use tickets won't work without serialization and
multiple cache slots for the same destination.
The Postfix SMTP server needs to be able to issue tickets only
as-needed on the server. The TLS 1.2 model works just fine for
SMTP and STEKs are already properly rotated.
I think that the previous behaviour of the callback needs to
continue to apply: if the callback does not return re-issue,
no new ticket should be returned. The callback has access
to the SSL handle and can determine the protocol version
if it so chooses.
The built-in ticket callback can always re-issue if that's
the preferred default.