On Fri, Nov 14, 2014 at 06:41:52PM +0100, Matthias Schneider wrote:

> It would be great if there would be some kind of TLS debugging to log
> successful and not successful TLS session reusing.

The present TLS log levels are too coarse. You'd get the data in
question at log level 2, but so much other logging along with it,
that your system performance would degrade considerably under logging
I/O pressure.

So for now, you'll need to tune by hand for a few large receiving
domains. As for hotmail, it seems unlikely that "unsalted" sessions
would work better, they don't support session tickets:

    posttls-finger: SSL_connect:before/connect initialization
    posttls-finger: SSL_connect:SSLv2/v3 write client hello A
    posttls-finger: SSL_connect:SSLv3 read server hello A
    posttls-finger: SSL_connect:SSLv3 read server certificate A
    posttls-finger: SSL_connect:SSLv3 read server key exchange A
    posttls-finger: SSL_connect:SSLv3 read server done A
    posttls-finger: SSL_connect:SSLv3 write client key exchange A
    posttls-finger: SSL_connect:SSLv3 write change cipher spec A
    posttls-finger: SSL_connect:SSLv3 write finished A
    posttls-finger: SSL_connect:SSLv3 flush data
    posttls-finger: SSL_connect:SSLv3 read finished A

so are unlikely to have a unified cross-server cache. Compare with:

    posttls-finger: SSL_connect:before/connect initialization
    posttls-finger: SSL_connect:SSLv2/v3 write client hello A
    posttls-finger: SSL_connect:SSLv3 read server hello A
    posttls-finger: SSL_connect:SSLv3 read server certificate A
    posttls-finger: SSL_connect:SSLv3 read server key exchange A
    posttls-finger: SSL_connect:SSLv3 read server done A
    posttls-finger: SSL_connect:SSLv3 write client key exchange A
    posttls-finger: SSL_connect:SSLv3 write change cipher spec A
    posttls-finger: SSL_connect:SSLv3 write finished A
    posttls-finger: SSL_connect:SSLv3 flush data
 -> posttls-finger: SSL_connect:SSLv3 read server session ticket A
    posttls-finger: SSL_connect:SSLv3 read finished A

for Gmail (these messages are from "posttls-finger -Ldebug").

--
    Viktor.
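
Added example, not part of the original message and not Postfix code: a Python classifier for state traces in the shape shown above, reporting per handshake whether the server issued a session ticket. It goes one step beyond the message by also labelling a handshake "resumed" when it finishes without a client key exchange (the TLS abbreviated handshake). The function names are hypothetical and the sample traces, including the resumed one, are constructed.

```python
import re

# OpenSSL state-trace lines as printed by "posttls-finger -Ldebug" in the message above.
STATE = re.compile(r"SSL_connect:(?:SSLv\S+ )?(.+?)\s*$")

def classify_handshakes(log_text):
    """Return a (kind, ticket_issued) tuple for each handshake in the trace.

    kind is "full", "resumed" (abbreviated: no key exchange) or "incomplete".
    """
    handshakes = []
    for line in log_text.splitlines():
        m = STATE.search(line)
        if not m:
            continue  # not a state-trace line
        state = m.group(1)
        if state == "before/connect initialization" or not handshakes:
            handshakes.append(set())  # a new connection attempt starts here
        handshakes[-1].add(state)
    results = []
    for states in handshakes:
        ticket = "read server session ticket A" in states
        if "read finished A" not in states:
            kind = "incomplete"
        elif "write client key exchange A" in states:
            kind = "full"
        else:
            kind = "resumed"
        results.append((kind, ticket))
    return results

def _trace(*states):
    # Constructed sample input in the same shape as the traces above.
    return "\n".join("posttls-finger: SSL_connect:" + s for s in states)

FULL = ["before/connect initialization", "SSLv2/v3 write client hello A",
        "SSLv3 read server hello A", "SSLv3 read server certificate A",
        "SSLv3 read server key exchange A", "SSLv3 read server done A",
        "SSLv3 write client key exchange A", "SSLv3 write change cipher spec A",
        "SSLv3 write finished A", "SSLv3 flush data"]
NO_TICKET = _trace(*FULL, "SSLv3 read finished A")
WITH_TICKET = _trace(*FULL, "SSLv3 read server session ticket A", "SSLv3 read finished A")
# Constructed abbreviated handshake: hello exchange, then Finished, no key exchange.
RESUMED = _trace("before/connect initialization", "SSLv2/v3 write client hello A",
                 "SSLv3 read server hello A", "SSLv3 read finished A",
                 "SSLv3 write change cipher spec A", "SSLv3 write finished A",
                 "SSLv3 flush data")

if __name__ == "__main__":
    for name, log in [("no ticket", NO_TICKET), ("ticket", WITH_TICKET), ("reuse", RESUMED)]:
        print(name, classify_handshakes(log))
```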