DevHeads.net

TLS session tickets versus TLS session cache

Hi,

I have noticed in the Postfix documentation (man 5 postconf), that the smtpd_tls_session_cache_database parameter notes:

“As of Postfix 2.11 the preferred mechanism for session resumption is RFC 5077 TLS session tickets...for Postfix >= 2.11 this parameter should generally be left empty”

I note that this text is NOT in the smtp_tls_session_cache_database parameter notes.

For Postfix version 2.11 and later, should BOTH smtp_tls_session_cache_database and smtpd_tls_session_cache_database be left empty to use session tickets, instead, or is that only for the SMTP SERVER ?

Thanks,

- J

Comments

Re: TLS session tickets versus TLS session cache

By Viktor Dukhovni at 12/29/2017 - 15:06

And rightly so, since session tickets enable session resumption with
stateless *servers*. The server state is delegated to the client in
the form of a session ticket. Server caches go away, and client caches
get bigger!

Only the server.

Re: TLS session tickets versus TLS session cache

By J Doe at 12/30/2017 - 12:33

Hi Viktor,

Thank you for your prompt reply. Ok, that makes sense - especially the part about the caches going away and delegating the storage to the client.

- J