TLS session tickets versus TLS session cache

TLS session tickets versus TLS session cache

J Doe
Hi,

I have noticed in the Postfix documentation (man 5 postconf), that the smtpd_tls_session_cache_database parameter notes:

“As of Postfix 2.11 the preferred mechanism for session resumption is RFC 5077 TLS session tickets...for Postfix >= 2.11 this parameter should generally be left empty”

I note that this text is NOT in the smtp_tls_session_cache_database parameter notes.

For Postfix version 2.11 and later, should BOTH smtp_tls_session_cache_database and smtpd_tls_session_cache_database be left empty to use session tickets, instead, or is that only for the SMTP SERVER?

Thanks,

- J

Re: TLS session tickets versus TLS session cache

Viktor Dukhovni


> On Dec 29, 2017, at 1:54 PM, J Doe <[hidden email]> wrote:
>
> I have noticed in the Postfix documentation (man 5 postconf), that the smtpd_tls_session_cache_database parameter notes:
>
> “As of Postfix 2.11 the preferred mechanism for session resumption is RFC 5077 TLS session tickets...for Postfix >= 2.11 this parameter should generally be left empty”
>
> I note that this text is NOT in the smtp_tls_session_cache_database parameter notes.

And rightly so, since session tickets enable session resumption with
stateless *servers*.  The server state is delegated to the client in
the form of a session ticket.  Server caches go away, and client caches
get bigger!

> For Postfix version 2.11 and later, should BOTH smtp_tls_session_cache_database and smtpd_tls_session_cache_database be left empty to use session tickets, instead, or is that only for the SMTP SERVER?

Only the server.

--
        Viktor.
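
The server/client split described in the reply above, as an added example that is not part of the original thread and not Postfix's own code: a small POSIX shell linter that reads a main.cf and reports when smtpd_tls_session_cache_database is still set on Postfix >= 2.11 (the server resumes via RFC 5077 session tickets and needs no cache) or when smtp_tls_session_cache_database is empty (the client still needs a cache of its own, which is where a ticket handed out by a remote server ends up). The parameter names are real Postfix parameters; the helper names main_cf_get and check_tls_session_cache, and the two sample main.cf files, are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Postfix. It checks a main.cf
# against the advice above: on Postfix >= 2.11 the server-side parameter
# smtpd_tls_session_cache_database should be empty (the server resumes via
# RFC 5077 session tickets), while the client-side parameter
# smtp_tls_session_cache_database should still name a cache, because the
# client is where a ticket received from a remote server is stored.
# The parameter names are real; the two main.cf files and the helper names
# main_cf_get / check_tls_session_cache are constructed for this example.

# Print the value of one main.cf parameter, following the postconf(5) rules
# that comments and blank lines are ignored, an indented line continues the
# previous logical line, and the last assignment wins. Prints nothing when
# the parameter is unset or explicitly set to empty. $name references are
# not expanded.
main_cf_get() {  # $1 = main.cf path, $2 = parameter name
    awk -v key="$2" '
        /^[[:space:]]*$/ { next }                      # blank line
        /^[[:space:]]*#/ { next }                      # comment line
        /^[[:space:]]+/ {                              # continuation line
            line = $0; sub(/^[[:space:]]+/, "", line)
            if (cur != "") v[cur] = v[cur] " " line
            next
        }
        /^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {       # name = value
            cur = $0; sub(/[[:space:]]*=.*/, "", cur)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val)
            v[cur] = val
            next
        }
        { cur = "" }                                   # anything else ends a logical line
        END {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v[key])
            print v[key]
        }' "$1"
}

# Print one line per finding and return the number of findings, so 0 means
# the file matches the advice. $2 is the Postfix version (postconf -h mail_version).
check_tls_session_cache() {  # $1 = main.cf path, $2 = Postfix version
    cf=$1; major=${2%%.*}; rest=${2#*.}; minor=${rest%%.*}; n=0
    srv=$(main_cf_get "$cf" smtpd_tls_session_cache_database)
    cli=$(main_cf_get "$cf" smtp_tls_session_cache_database)
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 11 ]; }; then
        if [ -n "$srv" ]; then
            echo "smtpd_tls_session_cache_database = $srv: leave empty on Postfix >= 2.11, the server resumes with session tickets"
            n=$((n + 1))
        fi
    elif [ -z "$srv" ]; then
        echo "smtpd_tls_session_cache_database is empty: Postfix < 2.11 does not use tickets, so the server cannot resume sessions"
        n=$((n + 1))
    fi
    if [ -z "$cli" ]; then
        echo "smtp_tls_session_cache_database is empty: the client still needs a cache of its own to keep tickets"
        n=$((n + 1))
    fi
    return $n
}

# Constructed sample configurations, written to a scratch directory.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
OLD_STYLE_CF=$SAMPLE_DIR/main.cf.old-style   # pre-2.11 settings carried forward
ADVISED_CF=$SAMPLE_DIR/main.cf.advised       # what the thread recommends for >= 2.11

cat >"$OLD_STYLE_CF" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_security_level = may
smtp_tls_session_cache_database =
EOF

cat >"$ADVISED_CF" <<'EOF'
smtpd_tls_security_level = may
# Postfix >= 2.11: server-side resumption uses RFC 5077 tickets, no cache needed
smtpd_tls_session_cache_database =
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
# an indented continuation line, as postconf(5) allows
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy,
    hash:/etc/postfix/tls_policy_local
EOF

for cf in "$OLD_STYLE_CF" "$ADVISED_CF"; do
    echo "== $(basename "$cf") checked as Postfix 3.4.13"
    check_tls_session_cache "$cf" 3.4.13 && echo "no findings"
done
```

The file parser is for a main.cf you cannot run postconf against (a copy pulled from a host, a config-management template). On a live system, `postconf -h smtpd_tls_session_cache_database` and `postconf -h smtp_tls_session_cache_database` print the effective values, defaults included, which a file parser cannot know.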


Re: TLS session tickets versus TLS session cache

J Doe

>> On Dec 29, 2017, at 1:54 PM, J Doe <[hidden email]> wrote:
>>
>> I have noticed in the Postfix documentation (man 5 postconf), that the smtpd_tls_session_cache_database parameter notes:
>>
>> “As of Postfix 2.11 the preferred mechanism for session resumption is RFC 5077 TLS session tickets...for Postfix >= 2.11 this parameter should generally be left empty”
>>
>> I note that this text is NOT in the smtp_tls_session_cache_database parameter notes.
>
> And rightly so, since session tickets enable session resumption with
> stateless *servers*.  The server state is delegated to the client in
> the form of a session ticket.  Server caches go away, and client caches
> get bigger!
>
>> For Postfix version 2.11 and later, should BOTH smtp_tls_session_cache_database and smtpd_tls_session_cache_database be left empty to use session tickets, instead, or is that only for the SMTP SERVER?
>
> Only the server.

Hi Viktor,

Thank you for your prompt reply.  Ok, that makes sense - especially the part about the caches going away and delegating the storage to the client.

- J