httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l
Date Mon, 16 Nov 2009 22:03:47 GMT
On 16.11.2009 20:21, Jean-Marc Desperrier wrote:
> Jean-Marc Desperrier wrote:
> An interesting point is that firefox is *not* reusing the ssl session in
> that case, for some reason it sends a SessionID of 0 after the "Hello
> Request" from the server. I'll forward that to the NSS team, because if
> that behavior continues, it will be no use to implement the IETF draft
> for secure renegociation, it will fail all the same.

Only concerning empty session id: during testing the renegotiation fix I
was also looking at session IDs and got aware, that the TLS session
ticket extension will move the session status to the client. In this
case the requests belonging to the initial connection to the server will
not carry a session id. Later connections from the same client will
provide some client generated id to the server that the server replaces
it by a new one. The session ticket extension allows the server to not
maintain the session data in its own cache. In the presence of the
session ticket extension, session IDs observed on the server are no
longer a good measurement for session reuse.

In Firefox's about:config you can filter fot "tls" and switch session
tickets off.

Regards,

Rainer

Mime
View raw message