Bernard Spil
That is not my understanding... Luckily backed up by Qualys SSLlabs :smile: https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf > Renew certificates every year, always with new private keys. Thing is that you want to prevent...
Generating a new private key will require some form of backup or temporary key/cert in any case. If the certificate renewal fails you don't want to have the working cert/key...
Similar behavior here ``` # pkg upg -f Updating myrepo repository catalogue... myrepo repository is up to date. All repositories are up to date. Checking for upgrades (185 candidates): 71%...
I was assuming this for the `ClientHello` responses, thanks for confirming! I was trying to be terse in the opening as I was unsure what info (apart from captures) was...
Mistakenly closed the issue... Reopening
A successful `Server Hello` response does contain the `ec_point_formats`. Note that here the session id _is_ echoed. ``` TLSv1.2 Record Layer: Handshake Protocol: Server Hello Content Type: Handshake (22) Version:...
Shared the `-s 0` pcap (3.7MB) via email. Checked a failing transmission again, and the `ec_point_formats` don't show up in Wireshark's UI for the `ServerHello`, e.g. frame 206 in the...
> FWIW, when I use "posttls-finger" to probe resumption with the OP's server with TLS 1.2 and session tickets disabled, I see normal resumption with a matching session id. @vdukhovni...
> **Please share the content of the Debian-provided "openssl.cnf" file**, it may contain settings that trigger this somehow. Of course the theory that `not_resumable` is the factor in play here...
This is a duplicate of #43. Nevertheless, SHA-0 is not just phased-out, it should never even have been part of OpenSSL. Anywhere it is used that is in error, you...