summaryrefslogtreecommitdiff
path: root/doc/doc-txt
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2019-05-02 17:16:05 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2019-05-02 17:23:05 +0100
commitb10c87b38c2345d15d30da5c18c823355ac506a9 (patch)
treedd521dbada2ce29bfdea4ecdc0995b833d152f2d /doc/doc-txt
parent0565fc5a1155f97f29fb6e081343cfc4e477c611 (diff)
TLS: Session resumption, under the EXPERIMENTAL_TLS_RESUME build option.
Diffstat (limited to 'doc/doc-txt')
-rw-r--r--doc/doc-txt/ChangeLog2
-rw-r--r--doc/doc-txt/NewStuff3
-rw-r--r--doc/doc-txt/experimental-spec.txt44
3 files changed, 49 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a85841af6..59a025b2a 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -89,6 +89,8 @@ JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks
This affects log line X= elements, the $tls_{in,out}_cipher variables,
and the use of specific cipher names in the encrypted= ACL condition.
+JH/17 OpenSSL: the default openssl_options now disables ssl_v3.
+
Exim version 4.92
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index e776a4f95..352833c4b 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -20,6 +20,9 @@ Version 4.93
5. A case_insensitive option for verify=not_blind.
+ 6. EXPERIMENTAL_TLS_RESUME optional build feature. See the experimental.spec
+ file.
+
Version 4.92
--------------
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 2f1e5c591..a2861c4a9 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -951,6 +951,50 @@ Transport configurations should be checked for this. An example avoidance:
+TLS Session Resumption
+----------------------
+TLS Session Resumption for TLS 1.2 and TLS1.3 connections can be used (defined
+in RFC 5077 for 1.2). The support for this can be included by building with
+EXPERIMENTAL_TLS_RESUME defined.
+
+Session resumption (this is the "stateless" variant) involves the server sending
+a "session ticket" to the client on one connection, which can be stored by the
+client and used for a later session. The ticket contains sufficient state for
+the server to reconstruct the TLS session, avoiding some expensive crypto
+calculation and one full packet roundtrip time.
+
+Operational cost/benefit:
+ The extra data being transmitted costs a minor amount, and the client has
+extra costs in storing and retrieving the data.
+
+In the Exim/Gnutls implementation the extra cost on an initial connection
+which is TLS1.2 over a loopback path is about 6ms on 2017-laptop class hardware.
+The saved cost on a subsequent connection is about 4ms; three or more
+connections become a net win. On longer network paths, two or more
+connections will have an average lower startup time thanks to the one
+saved packet roundtrip. TLS1.3 will save the crypto cpu costs but not any
+packet roundtrips.
+
+Security aspects:
+ The session ticket is encrypted, but is obviously an additional security
+vulnarability surface. An attacker able to decrypt it would have access
+all connections using the resumed session.
+The session ticket encryption key is not committed to storage by the server
+and is rotated regularly. Tickets have limited lifetime.
+
+There is a question-mark over the security of the Diffie-Helman parameters
+used for session negotiation. TBD. q-value; cf bug 1895
+
+Observability:
+ New log_selector "tls_resumption", appends an asterisk to the tls_cipher "X="
+element.
+
+Variables $tls_{in,out}_resumption have bit 0-4 indicating respectively
+support built, client requested ticket, client offered session,
+server issued ticket, resume used. A suitable decode list is provided
+in the builtin macro _RESUME_DECODE for ${listextract {}{}}.
+
+
--------------------------------------------------------------
End of file
--------------------------------------------------------------