Results 298 comments of David Benjamin

It sounds like there may actually be two bugs here:

> The first session that was supposed to be nudged out of the cache was still found on the server,...

> > Am I reading https://github.com/openssl/openssl/issues/18690#issuecomment-1175597452 correctly that you've got no concurrency here (threads or non-blocking I/O)?
>
> Correct, Postfix has a doggedly single-threaded/multi-process concurrency model. The emphasis is on...

OpenSSL already implements `SSL_export_keying_material`. Or is the request for a convenience wrapper specific to the tls-exporter channel binding?

PKCS#12 files do not store their certificates in any particular order. OpenSSL uses the private key to find which one is "the" certificate vs. additional CA certs. Without a...

That's not in the format you've exported to here. The PKCS#12 format does not know what an `-in` parameter is, nor does it otherwise distinguish one of the certificates as...

It's been a while since I'd looked at this, so I don't remember the details (and am currently sick so limited time to dig into it). I think that TODO...

I don't know anything about this stuff, sorry. (Also not sure what the current behavior is to begin with... ask git log or mmenke? Dunno what his GitHub is.)

Does Chrome disallow it by way of special-casing localhost, or is it because localhost is treated as an eTLD and eTLDs can't set domain attributes? I assumed it was the...

If the server sends back a 403 mechanism, would you expect clients to act on this? I'm not aware of any client today that uses HTTP error codes to inform...

Moving this out of CSP seems like a step backwards to me. By the time the UA receives `Cookie-Scope`, cookies have already been sent. So, on the cookie reading side,...