On Wed, Jul 06, 2022 at 12:07:51AM -0400, Viktor Dukhovni wrote:
> On Mon, Jul 04, 2022 at 04:32:42PM +0200, Spil Oss wrote:
> 
> > Since migrating to OpenSSL 3.0 we are experiencing intermittent issues
> > in TLS handshakes.
> > [...]
> > the client returns a Fatal alert, unexpected_message.
> > 
> > See also
> >  * https://github.com/openssl/openssl/issues/18690
> 
> Some day the OpenSSL issue will be resolved upstream, but there are many
> systems that may not see the OpenSSL fix for some time, and may get an
> updated Postfix release first.  So the simplest work-around is to simply
> disable the internal cache.  It is not that useful.

A work-around that the OP and other users can implement now (without any
code changes) is to disable the external cache, to support resumption
only via session tickets (the way god intended):

    # Recommended default setting.
    smtpd_tls_session_cache_database =

This removes the problem interaction with older sessions materialising
out of the external cache. Each new entry added to the internal cache will
be the last slated to expire, and so the internal cache will be in LRU
order.

-- 
    Viktor.
