From b10c87b38c2345d15d30da5c18c823355ac506a9 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 2 May 2019 17:16:05 +0100 Subject: TLS: Session resumption, under the EXPERIMENTAL_TLS_RESUME build option. --- doc/doc-docbook/spec.xfpt | 4 ++-- doc/doc-txt/ChangeLog | 2 ++ doc/doc-txt/NewStuff | 3 +++ doc/doc-txt/experimental-spec.txt | 44 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 7a7608bd6..783aeb429 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16169,7 +16169,7 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)& transport driver. -.option openssl_options main "string list" "+no_sslv2 +single_dh_use +no_ticket" +.option openssl_options main "string list" "+no_sslv2 +no_sslv3 +single_dh_use +no_ticket" .cindex "OpenSSL "compatibility options" This option allows an administrator to adjust the SSL options applied by OpenSSL to connections. It is given as a space-separated list of items, @@ -28319,7 +28319,7 @@ There is no current way to staple a proof for a client certificate. -.section "Configuring an Exim client to use TLS" "SECID185" +.section "Configuring an Exim client to use TLS" "SECTclientTLS" .cindex "cipher" "logging" .cindex "log" "TLS cipher" .cindex "log" "distinguished name" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index a85841af6..59a025b2a 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -89,6 +89,8 @@ JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks This affects log line X= elements, the $tls_{in,out}_cipher variables, and the use of specific cipher names in the encrypted= ACL condition. +JH/17 OpenSSL: the default openssl_options now disables ssl_v3. + Exim version 4.92 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index e776a4f95..352833c4b 100644 
--- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -20,6 +20,9 @@ Version 4.93 5. A case_insensitive option for verify=not_blind. + 6. EXPERIMENTAL_TLS_RESUME optional build feature. See the experimental.spec + file. + Version 4.92 -------------- diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 2f1e5c591..a2861c4a9 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt 
@@ -951,6 +951,50 @@ Transport configurations should be checked for this. An example avoidance: +TLS Session Resumption +---------------------- +TLS Session Resumption for TLS 1.2 and TLS1.3 connections can be used (defined +in RFC 5077 for 1.2). The support for this can be included by building with +EXPERIMENTAL_TLS_RESUME defined. + +Session resumption (this is the "stateless" variant) involves the server sending +a "session ticket" to the client on one connection, which can be stored by the +client and used for a later session. The ticket contains sufficient state for +the server to reconstruct the TLS session, avoiding some expensive crypto +calculation and one full packet roundtrip time. + +Operational cost/benefit: + The extra data being transmitted costs a minor amount, and the client has +extra costs in storing and retrieving the data. + +In the Exim/Gnutls implementation the extra cost on an initial connection +which is TLS1.2 over a loopback path is about 6ms on 2017-laptop class hardware. +The saved cost on a subsequent connection is about 4ms; three or more +connections become a net win. On longer network paths, two or more +connections will have an average lower startup time thanks to the one +saved packet roundtrip. TLS1.3 will save the crypto cpu costs but not any +packet roundtrips. + +Security aspects: + The session ticket is encrypted, but is obviously an additional security +vulnarability surface. An attacker able to decrypt it would have access +all connections using the resumed session. +The session ticket encryption key is not committed to storage by the server +and is rotated regularly. Tickets have limited lifetime. + +There is a question-mark over the security of the Diffie-Helman parameters +used for session negotiation. TBD. q-value; cf bug 1895 + +Observability: + New log_selector "tls_resumption", appends an asterisk to the tls_cipher "X=" +element. 
+ +Variables $tls_{in,out}_resumption have bit 0-4 indicating respectively +support built, client requested ticket, client offered session, +server issued ticket, resume used. A suitable decode list is provided +in the builtin macro _RESUME_DECODE for ${listextract {}{}}. + + -------------------------------------------------------------- End of file -------------------------------------------------------------- -- cgit v1.2.3
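Review bot: in the spec.xfpt hunk at @@ -16169 the documented openssl_options default now contains both "+no_sslv3" and "+no_ticket", and "+no_ticket" is the OpenSSL switch that disables exactly the RFC 5077 session tickets this commit's resumption feature depends on; the experimental-spec text should say whether EXPERIMENTAL_TLS_RESUME overrides that default or whether the admin has to remove "+no_ticket" (or the default should drop it when the feature is built in). The "+no_sslv3" change itself is unrelated to the commit subject "TLS: Session resumption" and belongs in its own commit, and the new default string should be checked against the compiled-in default in the OpenSSL code. The context line `.cindex "OpenSSL "compatibility options"` also has unbalanced double quotes and could be fixed while this hunk is open.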
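Review bot: in the spec.xfpt hunk at @@ -28319, renaming the section id from "SECID185" to "SECTclientTLS" breaks any existing cross-reference to SECID185 elsewhere in spec.xfpt or in the other doc sources; grep for the old id and update every xref in the same commit, or keep the rename out of a commit whose subject is session resumption.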
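Review bot: the ChangeLog hunk adds JH/17 for the openssl_options default change but nothing for the EXPERIMENTAL_TLS_RESUME feature that is the subject of this commit; if experimental build options are intentionally recorded only in NewStuff and experimental-spec.txt that is fine, otherwise add a JH/18 entry for the resumption support.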
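Review bot: the NewStuff hunk refers the reader to "the experimental.spec file", which does not exist; the file this commit edits is doc/doc-txt/experimental-spec.txt. Item 6 should also say in one clause what the option provides, e.g. "6. EXPERIMENTAL_TLS_RESUME optional build feature: TLS session resumption (tickets). See the experimental-spec.txt file."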
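Review bot: in the experimental-spec.txt hunk at @@ -951 the "Security aspects" paragraph ships a placeholder ("TBD. q-value; cf bug 1895") and typos ("vulnarability" -> "vulnerability", "access all connections" -> "access to all connections", "Diffie-Helman" -> "Diffie-Hellman"); either state the Diffie-Hellman parameter concern from bug 1895 in a sentence a user can act on or drop that paragraph until it is resolved. The attacker model should also be made precise: an attacker who obtains the ticket encryption key can decrypt every ticket protected by it, and so reconstruct every session resumed from those tickets, not just "the resumed session"; since the mitigation relies on "rotated regularly" and "limited lifetime", document the actual rotation interval and ticket lifetime so an operator can judge the exposure window. Minor: the $tls_{in,out}_resumption description says "bit 0-4" for five meanings; listing the bit values (1, 2, 4, 8, 16) next to each meaning would make the _RESUME_DECODE list usable without reading the source, and "TLS1.3" / "TLS 1.2" spacing is inconsistent across the section.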