summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2019-05-06 13:34:18 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2019-05-07 22:45:51 +0100
commitdea4b5684c694c41105215bdb25f8e91b7c35c5d (patch)
tree019d1c6b5a12995978c183124820b07adc83c604 /src
parent4f1d23a1aa7aafc5a47988d80dde87c67ec8e1fc (diff)
TLS: increase resumption ticket lifetime to 2 hours
Diffstat (limited to 'src')
-rw-r--r--src/src/tls-gnu.c6
-rw-r--r--src/src/tls-openssl.c8
2 files changed, 11 insertions, 3 deletions
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 085f6b840..df07c536c 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -215,7 +215,7 @@ don't want to repeat this. */
static gnutls_dh_params_t dh_server_params = NULL;
-static int ssl_session_timeout = 3600; /* One hour */
+static int ssl_session_timeout = 7200; /* Two hours */
static const uschar * const exim_default_gnutls_priority = US"NORMAL";
@@ -2457,7 +2457,9 @@ if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
tlsp->resumption |= RESUME_CLIENT_REQUESTED;
if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
{
- /* key for the db is the IP */
+ /* Key for the db is the IP. We'd like to filter the retrieved session
+ for ticket advisory expiry, but 3.6.1 seems to give no access to that */
+
if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
if (!(rc = gnutls_session_set_data(session,
CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index df884355e..3092dce2e 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -315,7 +315,7 @@ static SSL_CTX *server_sni = NULL;
static char ssl_errstring[256];
-static int ssl_session_timeout = 3600;
+static int ssl_session_timeout = 7200; /* Two hours */
static BOOL client_verify_optional = FALSE;
static BOOL server_verify_optional = FALSE;
@@ -943,6 +943,12 @@ else
EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
DEBUG(D_tls) debug_printf("ticket usable, STEK expire %ld\n", key->expire - now);
+
+ /* The ticket lifetime and renewal are the same as the STEK lifetime and
+ renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
+ be better. To do that we'd have to encode ticket lifetime in the name as
+ we don't yet see the restored session. Could check posthandshake for TLS1.3
+ and trigger a new ticket then, but cannot do that for TLS1.2 */
return key->renew < now ? 2 : 1;
}
}