TLS: increase resumption ticket lifetime to 2 hours

[exim.git] / src / src / tls-gnu.c

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 8bd5aeda41697e58ba36582b25b9d91d9d0d8f24..df07c536c7373b31d54a047ec9edecff5aecda74 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -89,6 +89,12 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 # endif
 #endif
 
+#ifdef EXPERIMENTAL_TLS_RESUME
+# if GNUTLS_VERSION_NUMBER < 0x030603
+#  error GNUTLS version too early for session-resumption
+# endif
+#endif
+
 #ifndef DISABLE_OCSP
 # include <gnutls/ocsp.h>
 #endif
@@ -209,7 +215,7 @@ don't want to repeat this. */
 
 static gnutls_dh_params_t dh_server_params = NULL;
 
-static int ssl_session_timeout = 3600; /* One hour */
+static int ssl_session_timeout = 7200; /* Two hours */
 
 static const uschar * const exim_default_gnutls_priority = US"NORMAL";
 
@@ -2451,7 +2457,9 @@ if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
   tlsp->resumption |= RESUME_CLIENT_REQUESTED;
   if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
     {
-    /* key for the db is the IP */
+    /* Key for the db is the IP.  We'd like to filter the retrieved session
+    for ticket advisory expiry, but 3.6.1 seems to give no access to that */
+
     if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
       if (!(rc = gnutls_session_set_data(session,
                    CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))