TLS: Session resumption, under the EXPERIMENTAL_TLS_RESUME build option.

4 files changed, 51 insertions, 2 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 7a7608bd6..783aeb429 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16169,7 +16169,7 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)&
 transport driver.
 
 
-.option openssl_options main "string list" "+no_sslv2 +single_dh_use +no_ticket"
+.option openssl_options main "string list" "+no_sslv2 +no_sslv3 +single_dh_use +no_ticket"
 .cindex "OpenSSL "compatibility options"
 This option allows an administrator to adjust the SSL options applied
 by OpenSSL to connections.  It is given as a space-separated list of items,
@@ -28319,7 +28319,7 @@ There is no current way to staple a proof for a client certificate.
 
 
 
-.section "Configuring an Exim client to use TLS" "SECID185"
+.section "Configuring an Exim client to use TLS" "SECTclientTLS"
 .cindex "cipher" "logging"
 .cindex "log" "TLS cipher"
 .cindex "log" "distinguished name"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a85841af6..59a025b2a 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -89,6 +89,8 @@ JH/16 GnuTLS: rework ciphersuite strings under recent library versions.  Thanks
       This affects log line X= elements, the $tls_{in,out}_cipher variables,
       and the use of specific cipher names in the encrypted= ACL condition.
 
+JH/17 OpenSSL: the default openssl_options now disables ssl_v3.
+
 
 Exim version 4.92
 -----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index e776a4f95..352833c4b 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -20,6 +20,9 @@ Version 4.93
 
  5. A case_insensitive option for verify=not_blind.
 
+ 6. EXPERIMENTAL_TLS_RESUME optional build feature.  See the experimental.spec
+    file.
+
 
 Version 4.92
 --------------
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 2f1e5c591..a2861c4a9 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -951,6 +951,50 @@ Transport configurations should be checked for this.  An example avoidance:
 
 
 
+TLS Session Resumption
+----------------------
+TLS Session Resumption for TLS 1.2 and TLS1.3 connections can be used (defined
+in RFC 5077 for 1.2).  The support for this can be included by building with
+EXPERIMENTAL_TLS_RESUME defined.
+
+Session resumption (this is the "stateless" variant) involves the server sending
+a "session ticket" to the client on one connection, which can be stored by the
+client and used for a later session.  The ticket contains sufficient state for
+the server to reconstruct the TLS session, avoiding some expensive crypto
+calculation and one full packet roundtrip time.
+
+Operational cost/benefit:
+ The extra data being transmitted costs a minor amount, and the client has
+extra costs in storing and retrieving the data.
+
+In the Exim/Gnutls implementation the extra cost on an initial connection
+which is TLS1.2 over a loopback path is about 6ms on 2017-laptop class hardware.
+The saved cost on a subsequent connection is about 4ms; three or more
+connections become a net win.  On longer network paths, two or more
+connections will have an average lower startup time thanks to the one
+saved packet roundtrip.  TLS1.3 will save the crypto cpu costs but not any
+packet roundtrips.
+
+Security aspects:
+ The session ticket is encrypted, but is obviously an additional security
+vulnarability surface.  An attacker able to decrypt it would have access
+all connections using the resumed session.
+The session ticket encryption key is not committed to storage by the server
+and is rotated regularly.  Tickets have limited lifetime.
+
+There is a question-mark over the security of the Diffie-Helman parameters
+used for session negotiation. TBD.  q-value; cf bug 1895
+
+Observability:
+ New log_selector "tls_resumption", appends an asterisk to the tls_cipher "X="
+element.
+
+Variables $tls_{in,out}_resumption have bit 0-4 indicating respectively
+support built, client requested ticket, client offered session,
+server issued ticket, resume used.  A suitable decode list is provided
+in the builtin macro _RESUME_DECODE for ${listextract {}{}}.
+
+
 --------------------------------------------------------------
 End of file
 --------------------------------------------------------------