Openssl: disable session-tickets by default and session-cache always

author: Jeremy Harris <jgh146exb@wizmail.org> 2017-04-02 14:54:39 +0100
committer: Jeremy Harris <jgh146exb@wizmail.org> 2017-04-02 14:54:39 +0100
commit: 7006ee24ecfd9d8f405f70d38cc36bdd91f8de87 (patch)
tree: 94117a19aa3ed9d0d940efa6509728317838749b /doc/doc-txt/ChangeLog
parent: d8ac03161cd960f2ad026e0a11c2614519c4a8be (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3e5d6f7fc..5dfc9b5bb 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -37,6 +37,15 @@ PP/02 Bug 2070: uClibc defines __GLIBC__ without providing glibc headers;
 JH/05 Tighten up the checking in isip4 (et al): dotted-quad components larger
       than 255 are no longer allowed.
 
+JH/06 Default openssl_options to include +no_ticket, to reduce load on peers.
+      Disable the session-cache too, which might reduce our load.  Since we
+      currrectly use a new context for every connection, both as server and
+      client, there is no benefit for these.
+      GnuTLS appears to not support tickets server-side by default (we don't
+      call gnutls_session_ticket_enable_server()) but client side is enabled
+      by default on recent versions (3.1.3 +) unless the PFS priority string
+      is used (3.2.4 +).
+
 
 Exim version 4.89
 -----------------
author	Jeremy Harris <jgh146exb@wizmail.org>	2017-04-02 14:54:39 +0100
committer	Jeremy Harris <jgh146exb@wizmail.org>	2017-04-02 14:54:39 +0100
commit	7006ee24ecfd9d8f405f70d38cc36bdd91f8de87 (patch)
tree	94117a19aa3ed9d0d940efa6509728317838749b /doc/doc-txt/ChangeLog
parent	d8ac03161cd960f2ad026e0a11c2614519c4a8be (diff)