+.new
+.section "Caching of static client configuration items" "SECTclientTLScache"
+.cindex certificate caching
+.cindex privatekey caching
+.cindex crl caching
+.cindex ciphers caching
+.cindex "CA bundle" caching
+.cindex "certificate authorities" caching
+.cindex tls_certificate caching
+.cindex tls_privatekey caching
+.cindex tls_crl caching
+.cindex tls_require_ciphers caching
+.cindex tls_verify_certificate caching
+.cindex caching certificate
+.cindex caching privatekey
+.cindex caching crl
+.cindex caching ciphers
+.cindex caching "certificate authorities
+If any of the transport configuration options &%tls_certificate%&, &%tls_privatekey%&
+and &%tls_crl%& have values with no
+expandable elements,
+then the associated information is loaded per smtp transport
+at daemon startup, at the start of a queue run, or on a
+command-line specified message delivery.
+It is made available
+to child processes forked for handling making SMTP connections.
+
+This caching is currently only supported under Linux.
+
+If caching is not possible, the load
+of the associated information is done at the startup of the TLS connection.
+
+The cache is invalidated in the daemon
+and reloaded after any changes to the directories
+containing files specified by these options.
+
+The information specified by the main option &%tls_verify_certificates%&
+is similarly cached so long as it specifies files explicitly
+or (under GnuTLS) is the string &"system,cache"&.
+The latter case is not automatically invaludated;
+it is the operator's responsibility to arrange for a daemon restart
+any time the system certificate authority bundle is updated.
+A HUP signal is sufficient for this.
+The value &"system"& results in no caching under GnuTLS.
+
+The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system"
+is acceptable in configurations for the Exim executavble.
+
+Caching of the system Certificate Authorities bundle can
+save siginificant time and processing on every TLS connection
+initiated by Exim.
+.wen
+
+
+
+