# TLS client: tls-on-connect # # For packet-capture, use "runtest -keep" and add (at least) tls debug on the daemon line. # For GnuTLS, additionally run the daemon under sudo. # Tell wireshark to use DIR/spool/sslkeys for Master Secret log, and decode TCP/1225 as TLS, TLS/1225 as SMTP # # We get (TLS1.3 , OpenSSL): # SYN > # < SYN,ACK # ACK > # Client Hello > # < Server Hello, Change Ciph, Extensions, Cert, Cert Verify, Finished # Change Ciph,Finsh > # < Banner # EHLO > # < EHLO resp # MAIL,RCPT,DATA > # < ACK,ACK,DATA-go-ahead # # GnuTLS splits both the server records and the client response pair over two TCP segments: # Client Hello > # < Server Hello, Change Ciph # Change Ciph > # < Extensins, Cert, Cert Verify, Finished # Finished > # (otherwise the same). The extra segments are piplined and do not incur an extra roundtrip time. # # To see that pipelining: # sudo tc qdisc add dev lo root netem delay 50ms / sudo tc qdisc delete dev lo root # # To test TFO, enable in the transport in the conf/ file # With TFO we get the Client Hello on the SYN, and the initial Server segment pipelined with/after the SYN,ACK # and before the 3rd-ACK. We still can't merge the 3rd-ACK with the second Client record set, # but it does ack the initial Server data. # # To see the TFO((R): # First clear any previously-obtained cookie: #sudo perl #open(INFO, "-|", "/usr/bin/uname -s"); #$_ = ; #if (/^FreeBSD/) { #system("sysctl net.inet.tcp.fastopen.client_enable=0"); system("sysctl net.inet.tcp.fastopen.client_enable=1"); #} else { #system ("[ -e /proc/sys/net/ipv4/tcp_fastopen_blackhole_timeout_sec ] && echo 0 > /proc/sys/net/ipv4/tcp_fastopen_blackhole_timeout_sec"); #system ("ip tcp_metrics delete 127.0.0.1"); #} # #**** # # # sudo exim -DSERVER=server -d+tls -bd -oX PORT_D exim -DSERVER=server -bd -oX PORT_D **** exim CALLER@test.ex Test message. Contains FF: ÿ **** exim CALLER@test.ex abcd@test.ex xyz@test.ex Test message to two different hosts **** exim -v -qf **** killdaemon exim -DSERVER=server -DNOTDAEMON -qf ****