On 06.12.2015 13:10, Timo Sirainen wrote:
On 05 Dec 2015, at 11:32, Gerhard Wiesinger <li...@wiesinger.com> wrote:
Is it possible to configure the secure session caching mechanism?
e.g. like in nginx: https://bjornjohansen.no/optimizing-https-nginx
I remember hearing about various security vulnerabilities in that earlier.. I
guess they're fixed now then, unless people find more ways to exploit it.
Anyway I'm not sure how useful it would actually even be for most IMAP/POP3
servers, because most clients don't connect all that often. Or I guess it might
help some clients that create multiple connections immediately.
Then again, we are planning on adding some HTTP(S)-based services to Dovecot
and there it would likely be more useful. So I guess it gets implemented at
some point.
Session tickets are broken by DESIGN as they violate PFS (Perfect
Forward Secrecy). If you can steal one AES key (all session tickets are
encrypted for server lifetime with only one key) you can decrypt ALL
sessions ever made with session tickets for the future. This violates
PFS (Perfect Forward Secrecy) as only server side "parameters" are
relevant from now on.
Yes, session caching should reduce server load on multiple connections.
See e.g. https://community.qualys.com/thread/15768
Therefore it would be great if you could implement the secure session
caching mechanism.
As Gedalya mentioned OCSP would be great, too.
Ciao,
Gerhard
