> On Apr 28, 2018, at 8:42 PM, Benjamin Kaduk wrote:
>
> [ ... nothing I don't agree with ... ]
We're on the same page here. OpenSSL the built-in default
callback can re-issue by default, so long as custom callbacks
can choose to not re-issue (their return code is honoured).
My other observa
On Tue, Apr 24, 2018 at 10:21:28AM -0400, Viktor Dukhovni wrote:
>
>
> > On Apr 24, 2018, at 9:29 AM, Benjamin Kaduk wrote:
> >
> > To be clear, the current draft explicitly says "Servers SHOULD issue
> > new tickets with every connection." This is not a MUST, but is
> > perhaps strong enough
> On Apr 24, 2018, at 9:29 AM, Benjamin Kaduk wrote:
>
> To be clear, the current draft explicitly says "Servers SHOULD issue
> new tickets with every connection." This is not a MUST, but is
> perhaps strong enough guidance to merit overriding the existing
> ticket callback semantics.
Fine ad
On Mon, Apr 23, 2018 at 09:34:18PM -0400, Viktor Dukhovni wrote:
>
>
> > On Apr 22, 2018, at 9:49 PM, Viktor Dukhovni
> > wrote:
> >
> > - Client-side diagnostics -
>
> On the server side I see that even when the ticket callback returns "0" to
> accept and not re-issue the ticket, a
> On Apr 22, 2018, at 9:49 PM, Viktor Dukhovni
> wrote:
>
> - Client-side diagnostics -
On the server side I see that even when the ticket callback returns "0" to
accept and not re-issue the ticket, a new ticket is requested anyway. I'd like
to be able to control this, and not issu
> On Apr 23, 2018, at 3:35 AM, Matt Caswell wrote:
>
>> * With TLS 1.3 a new session is generated even when sessions are
>>   resumed, because the server responds with a new ticket
>>   in the event of session resumption. With TLS 1.2 sessions
>>   that had sufficient remaining lifetime did not
In message on Sun, 22 Apr
2018 21:49:42 -0400, Viktor Dukhovni said:
openssl-users> * Postfix logs a warning when the compile-time and runtime
openssl-users> libraries are not exactly the same (once per process start),
openssl-users> this is expected. Perhaps we should provide a mean
On 23/04/18 02:49, Viktor Dukhovni wrote:
>
> I tested a Postfix server and client built against OpenSSL 1.1.0,
> using 1.1.1 run-time libraries. This exercised peer certificate
> fingerprint matching and session resumption. No major issues.
>
> The only interesting observations are:
>
> *