On 2017-04-23 at 00:55 -0400, Viktor Dukhovni wrote:
> I find that rather perplexing. Over a single TCP connection it is not valid
> to issue a second STARTTLS. Am I misreading the above?
If you tear down TLS, the standards are silent about what happens next.

Exim's current model, which Jeremy is working on changing, has all TLS state in the process which delivers one message. Delivering multiple messages in one connection requires passing an open file descriptor to another Unix process, but TLS libraries generally don't make their internal state serializable for passing around in such a manner, so Exim has no choice but to tear down TLS and see if the remote server is happy to have TLS re-established again. For some remote MTAs it works, for others it doesn't.

Jeremy is doing the hard work of trying to change this, partially based on a crazy idea of mine; this is not yet released, it's part of Exim 4.90 (I think J slightly mis-spoke in his phrasing around 4.89). In the new model, the TLS client is capable of being a process proxy for other delivery processes, via a Unix socket, so TLS never needs to be torn down. Performance should be significantly better, despite the extra copies and extra process locally. There's some bug-fixing and cleanup required though, around things as basic as "what gets logged", since this isn't how Exim was designed.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
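The two process models in Phil's message, shown side by side as an added example (this is not Exim's code and not from the thread). `handoff_fd` is the current model: the first delivery process hands the raw socket descriptor to a second process over a Unix socket with SCM_RIGHTS, which works for a plaintext session but cannot carry an in-process TLS record layer. `relay_through_owner` is the proxy model: the process that owns the connection stays put and copies bytes that another delivery process writes into a Unix socket onto the live connection. The "remote MTA" is a constructed loopback listener; the payloads are constructed SMTP-looking lines. Assumes Linux or another Unix (fork, SCM_RIGHTS) and Python 3.9+ for `socket.send_fds`/`socket.recv_fds`.

```python
"""Added example: two ways a second delivery process can reuse one open
connection. Constructed for illustration, not Exim code. Assumes Unix
(os.fork, SCM_RIGHTS) and Python 3.9+ (socket.send_fds / socket.recv_fds)."""
import os
import socket


def _loopback_pair():
    """Constructed stand-in for the remote MTA plus our side of the session."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    client = socket.create_connection(server.getsockname())
    conn, _ = server.accept()
    server.close()
    return client, conn


def _drain(conn):
    """Return everything the 'remote MTA' side receives until EOF."""
    chunks = []
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    conn.close()
    return b"".join(chunks)


def handoff_fd(payload=b"MAIL FROM:<a@example.invalid>\r\n"):
    """Current model: pass the raw socket fd to a second process (SCM_RIGHTS).

    The kernel object moves; an ssl.SSLSocket's record-layer state (keys,
    sequence numbers) stays in the first process's memory, so a TLS session
    cannot be continued this way without tearing it down first.
    """
    client, conn = _loopback_pair()
    parent_ctl, child_ctl = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:  # second delivery process
        parent_ctl.close()
        client.close()  # drop the fork-inherited copy; take it back via SCM_RIGHTS
        _msg, fds, _flags, _addr = socket.recv_fds(child_ctl, 64, 1)
        taken = socket.socket(fileno=fds[0])
        taken.sendall(payload)
        taken.close()
        os._exit(0)
    child_ctl.close()
    socket.send_fds(parent_ctl, [b"yours"], [client.fileno()])
    client.close()  # the in-flight SCM_RIGHTS reference keeps the socket alive
    parent_ctl.close()
    os.waitpid(pid, 0)
    return _drain(conn)


def relay_through_owner(payload=b"RCPT TO:<b@example.invalid>\r\n"):
    """Proxy model: the session owner never gives the connection away.

    A worker writes its SMTP bytes into a Unix socket; the owner copies them
    onto the live connection. With TLS, the owner's copy loop is the only place
    that ever calls the TLS library, so the session never has to be torn down.
    """
    client, conn = _loopback_pair()
    owner_end, worker_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:  # worker: never touches the TCP (or TLS) socket at all
        owner_end.close()
        client.close()
        worker_end.sendall(payload)
        worker_end.close()
        os._exit(0)
    worker_end.close()
    while True:  # owner relays worker bytes onto the connection it holds
        chunk = owner_end.recv(4096)
        if not chunk:
            break
        client.sendall(chunk)  # under TLS this would be the owner's SSL write
    owner_end.close()
    client.close()
    os.waitpid(pid, 0)
    return _drain(conn)


if __name__ == "__main__":
    print("fd handoff  :", handoff_fd())
    print("owner relay :", relay_through_owner())
```

Both functions return what the loopback "server" side received, so a reader can confirm that the bytes arrive intact either way; the difference is only in which process holds the connection, which is exactly what decides whether a TLS session can survive the handoff.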
