>>>> Any chance you could provide (off-list if you prefer) a PCAP recording
>>>> of a good and a problem TLS session?
>>>
>>> I'll send it off-list.
>>
>> Thanks. I hope that'll shed more light on what's going on.
>
> The diff between the "good" and "bad" handshakes is below. The main
> features when tickets are enabled are:
>
> * A zero length server session id
> * The server confirms ticket extension support
> * The client just hangs up :-(
>
> The most likely issue is a Windows regression with zero length session
> ids. I don't think there's anything that can be done here, the client
> indicates support for session tickets, and since OpenSSL is then going
> to issue a ticket, it does not assign a session id even with the default
> setting (which you probably did not change):
>
> https://www.postfix.org/postconf.5.html#smtpd_tls_always_issue_session_ids
>
> smtpd_tls_always_issue_session_ids = yes

True, I did not set or change it and the default is "yes" here.

For the time being I'll disable session tickets (at least) for submission.
The performance impact is negligible in my case.

Thanks for having a look!

Best regards
Gerald
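
The two ServerHello features named in the quoted analysis (a zero-length session id and a confirmed session ticket extension) can be checked with a short parser. This is an added example, not part of the original thread: the function names are hypothetical, and the sample messages are constructed here, not taken from the PCAP discussed.

```python
import struct

SESSION_TICKET_EXT = 35  # session_ticket extension type (RFC 5077)

def parse_server_hello(msg: bytes) -> dict:
    """Parse a TLS 1.2 ServerHello handshake message (record header removed)."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                      # skip server_version and random
    sid_len = body[pos]
    pos += 1
    if pos + sid_len > len(body):
        raise ValueError("truncated session id")
    pos += sid_len + 3                # skip session id, cipher suite, compression
    ext_types = []
    if pos + 2 <= len(body):          # the extensions block is optional
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(ext_end, len(body)):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            ext_types.append(ext_type)
            pos += 4 + ext_len
    return {
        "session_id_len": sid_len,
        "ticket_confirmed": SESSION_TICKET_EXT in ext_types,
    }

def build_server_hello(session_id: bytes, ext_types) -> bytes:
    """Build a constructed sample ServerHello with empty extension bodies."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + b"\xc0\x30" + b"\x00" + struct.pack("!H", len(exts)) + exts)
    return b"\x02" + len(body).to_bytes(3, "big") + body

# Constructed samples: tickets disabled vs. tickets enabled on the server.
good = parse_server_hello(build_server_hello(bytes(range(32)), []))
bad = parse_server_hello(build_server_hello(b"", [SESSION_TICKET_EXT]))
print("tickets off:", good)
print("tickets on: ", bad)
```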