The other ??? item,

     "Session Resumption           Tickets: yes, ID resumption test failed, pls report"

I've not found any guidance on it at all, yet.

For postfix, do I care?
And if so, what/where is a fix?

I did find this comment at SF,

        "Certbot — Post-Handshake New Session Ticket arrived"

https://serverfault.com/questions/1034382/certbot-post-handshake-new-session-ticket-arrived#comment1349580_1034382

                "You are using a server that supports TLS 1.3, and testing with OpenSSL 1.1.1 which also does so. The secure-renegotiation extension (RFC5756) is no longer used or needed in 1.3 because it no longer does any renegotiation, or even resumption with prior secret. Yes there may be multiple 'tickets' in 1.3; the protocol is changed so that they aren't really tickets, just saved PSKs. This is all explained in the 1.3 spec, RFC8446"

which led eventually to this @ the openssl ML, which is related (?)

        "[openssl-project] OpenSSL 1.1.1 library(OpenSSL 1.1.0 compile) Postfix to Postfix test"

https://mta.openssl.org/pipermail/openssl-project/2018-April/000671.html

                "The only interesting observations are:

                * With TLS 1.3 a new session is generated even when sessions are resumed, because the server responds with a new ticket in the event of session resumption. With TLS 1.2 sessions that had sufficient remaining lifetime did not trigger new ticket generation on the server, and no new session was stored on the client. This causes needless wear-and-tear on the external session cache in Postfix, since each connection writes out a new session, replacing the one it just used. Some might consider this a security feature, but it is not especially desirable with SMTP. Any thoughts about whether this could be tunable? It would have to be server-side tuning I think, since the client does not know why the server issued a new session, perhaps the old one was not (or will soon not) be valid for re-use."

and downthread it comes to some agreement, but I've missed what server-side tunable knob in Postfix to use, or whether one is needed.

Unclear if this is a red herring, and can/should just be ignored in Postfix when tested by testssl ...
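A check for the question above, added here and not taken from the thread, Postfix or testssl: two openssl s_client connections to a mail host you name, the second resuming from the session the first one saved, with a small classifier for each run's output. HOST, PORT and the session file are placeholders you supply; it assumes OpenSSL 1.1.1 or later, whose s_client prints the "Post-Handshake New Session Ticket arrived" line and writes -sess_out when a TLS 1.3 ticket arrives.

```shell
#!/bin/sh
# Added example, not from the thread. Probes an SMTP server's TLS 1.3
# session handling with openssl s_client (1.1.1+) and classifies the output.

# classify_handshake < s_client-output
# Prints "<new|reused|unknown> ticket=<yes|no>": whether the handshake was a
# resumption and whether a TLS 1.3 NewSessionTicket arrived afterwards.
# "unknown" covers failed connections (e.g. the server has no TLS 1.3).
classify_handshake() {
	out=$(cat)
	case $out in
		*"Reused, TLSv"*) state=reused ;;
		*"New, TLSv"*)    state=new ;;
		*)                state=unknown ;;
	esac
	case $out in
		*"Post-Handshake New Session Ticket arrived"*) ticket=yes ;;
		*) ticket=no ;;
	esac
	echo "$state ticket=$ticket"
}

# probe_resumption HOST PORT SESSFILE
# Run 1 saves the session to SESSFILE (s_client writes it when the
# post-handshake ticket arrives); run 2 tries to resume from it.
# QUIT makes the server close the connection, and -ign_eof keeps s_client
# reading until then, so the ticket is not missed. Prints one line per run.
probe_resumption() {
	host=$1 port=$2 sess=$3
	for flag in -sess_out -sess_in; do
		printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -starttls smtp \
			-tls1_3 -ign_eof "$flag" "$sess" 2>&1 | classify_handshake
	done
}

# Typical use (needs network; placeholder host):
#   probe_resumption mail.example.test 25 /tmp/smtp.sess
```

Going by the OpenSSL list observation quoted above, the second run should print "reused ticket=yes": the connection resumes and the server still hands out a fresh ticket, which is the behaviour that causes the extra session-cache writes.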
