On Wed, Apr 03, 2019 at 06:09:59PM -0400, Viktor Dukhovni wrote:

> > Ah, right.  Unlike GnuTLS, the STEK is tied to the SSL_CTX and,
> > as you say, Exim initialises that fresh per connection.
> > Rearchitecting that is more effort than it's worth spending
> > on TLS 1.2, I think.
>
> Well, the *default* STEK is in the SSL_CTX, but that is not a
> requirement, and you should use the default STEK, since it is
> not automatically rolled over.

[ Correction: ... should *not* use the default STEK, ... ]

For an example ticket callback implementation, see:

    https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_server.c#L294-L337

On line 315:

    https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_server.c#L315

either the matching keyset (current active for creating a new
ticket, either active or previous when decrypting an existing
ticket) is selected, and the requested HMAC_CTX and EVP_CIPHER_CTX
structures are initialized appropriately.

Keyset, because the HMAC and AES keys are separate.  The ticket
encryption algorithm chosen by Postfix defaults to aes-256-cbc.
OpenSSL does not support AEAD for ticket encryption.

-- 
	Viktor.
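
The keyset selection described in the message above, as an added example that is not part of the original message and is not Postfix's code: it models only the choice between an active and a previous keyset and the rollover between them, leaving out the HMAC_CTX and EVP_CIPHER_CTX initialisation a real callback would do with the selected keys. The names `keyset`, `keyring`, `keyring_rotate` and `select_keyset` are hypothetical, and returning 2 for a previous-keyset match is this example's choice, following the return convention of OpenSSL's `SSL_CTX_set_tlsext_ticket_key_cb` callback (0 = no usable key, 1 = success, 2 = success and renew the ticket).

```c
#include <string.h>

#define KEY_NAME_LEN 16              /* size of the ticket's key name field */

/* Hypothetical keyset: the HMAC and AES keys are separate values. */
typedef struct {
    unsigned char name[KEY_NAME_LEN];
    unsigned char hmac_key[32];
    unsigned char aes_key[32];       /* sized for aes-256-cbc */
} keyset;

typedef struct {
    keyset current, previous;
    int have_current, have_previous;
} keyring;

/* Roll over: the old active keyset is kept for decryption only. */
void keyring_rotate(keyring *r, const keyset *fresh)
{
    r->previous = r->current;
    r->have_previous = r->have_current;
    r->current = *fresh;
    r->have_current = 1;
}

/*
 * create != 0: issuing a ticket, so only the active keyset may be used and
 * its name is written into the ticket. create == 0: decrypting, so the name
 * from the ticket is looked up in the active and previous keysets.
 * Returns 1 (ok), 2 (ok, reissue under the active keyset) or 0 (no key).
 */
int select_keyset(const keyring *r, unsigned char name[KEY_NAME_LEN],
                  int create, const keyset **out)
{
    *out = NULL;
    if (!r->have_current)
        return 0;
    if (create)                      /* new ticket: stamp the active name */
        memcpy(name, r->current.name, KEY_NAME_LEN);
    if (memcmp(name, r->current.name, KEY_NAME_LEN) == 0) {
        *out = &r->current;
        return 1;
    }
    if (r->have_previous && memcmp(name, r->previous.name, KEY_NAME_LEN) == 0) {
        *out = &r->previous;
        return 2;
    }
    return 0;
}
```

A ticket issued two rollovers ago matches neither keyset and gets 0, so the connection falls back to a full handshake.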