> On Apr 24, 2018, at 9:29 AM, Benjamin Kaduk <ka...@mit.edu> wrote:
>
> To be clear, the current draft explicitly says "Servers SHOULD issue
> new tickets with every connection." This is not a MUST, but is
> perhaps strong enough guidance to merit overriding the existing
> ticket callback semantics.
Fine advice for browsers, but not terribly useful for Postfix.
Multiple processes read and write the session cache in parallel,
and single-use tickets won't work without serialization and
multiple cache slots for the same destination.
The Postfix SMTP server needs to be able to issue tickets only
as-needed on the server. The TLS 1.2 model works just fine for
SMTP and STEKs are already properly rotated.
I think that the previous behaviour of the callback needs to
continue to apply, if the callback does not return re-issue,
no new ticket should be returned. The callback has access
to the SSL handle and can determine the protocol version
if it so chooses.
The built-in ticket callback can always re-issue if that's
the preferred default.
--
Viktor.
_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project
