From 7006ee24ecfd9d8f405f70d38cc36bdd91f8de87 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sun, 2 Apr 2017 14:54:39 +0100
Subject: Openssl: disable session-tickets by default and session-cache always

---
 doc/doc-txt/ChangeLog | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'doc/doc-txt/ChangeLog')

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3e5d6f7fc..5dfc9b5bb 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -37,6 +37,15 @@ PP/02 Bug 2070: uClibc defines __GLIBC__ without providing glibc headers;
 JH/05 Tighten up the checking in isip4 (et al): dotted-quad components larger
       than 255 are no longer allowed.
 
+JH/06 Default openssl_options to include +no_ticket, to reduce load on peers.
+      Disable the session-cache too, which might reduce our load.  Since we
+      currrectly use a new context for every connection, both as server and
+      client, there is no benefit for these.
+      GnuTLS appears to not support tickets server-side by default (we don't
+      call gnutls_session_ticket_enable_server()) but client side is enabled
+      by default on recent versions (3.1.3 +) unless the PFS priority string
+      is used (3.2.4 +).
+
 
 Exim version 4.89
 -----------------
-- 
cgit v1.2.3