On 16.11.2009 20:21, Jean-Marc Desperrier wrote:
> Jean-Marc Desperrier wrote:
> An interesting point is that firefox is *not* reusing the ssl session in
> that case, for some reason it sends a SessionID of 0 after the "Hello
> Request" from the server. I'll forward that to the NSS team, because if
> that behavior continues, it will be no use to implement the IETF draft
> for secure renegotiation, it will fail all the same.

Only concerning the empty session id: while testing the renegotiation fix I was also looking at session IDs and became aware that the TLS session ticket extension moves the session state to the client. In this case the requests belonging to the initial connection to the server will not carry a session id. Later connections from the same client will provide some client-generated id to the server, which the server replaces with a new one.

The session ticket extension allows the server to not maintain the session data in its own cache. In the presence of the session ticket extension, session IDs observed on the server are no longer a good measurement for session reuse.

In Firefox's about:config you can filter for "tls" and switch session tickets off.

Regards,

Rainer
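
The following is an added example, not part of the original message: a small ClientHello parser that reports which resumption mechanism a client is offering, so that reuse can be judged from the SessionTicket extension (type 35, RFC 5077) rather than from the session ID alone. The function names and the sample handshake messages are constructed for illustration.

```python
import struct

SESSION_TICKET_EXT = 35  # SessionTicket TLS extension type (RFC 5077)

def parse_client_hello(msg: bytes) -> dict:
    """Extract session_id and SessionTicket data from a ClientHello handshake message."""
    if msg[:1] != b"\x01":
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    try:
        pos = 2 + 32                                        # skip client_version and random
        sid_len = body[pos]
        session_id = body[pos + 1:pos + 1 + sid_len]
        pos += 1 + sid_len
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # skip cipher_suites
        pos += 1 + body[pos]                                # skip compression_methods
        ticket = None                                       # None: extension not sent at all
        if pos < len(body):
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack_from("!HH", body, pos)
                pos += 4
                if ext_type == SESSION_TICKET_EXT:
                    ticket = body[pos:pos + ext_len]        # b"" means "supported, no ticket yet"
                pos += ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"session_id": session_id, "ticket": ticket}

def resumption_offer(msg: bytes) -> str:
    """Return 'ticket', 'session-id' or 'none' for the resumption the client offers."""
    hello = parse_client_hello(msg)
    if hello["ticket"]:
        return "ticket"          # state lives in the client; the session ID is not the key
    if hello["session_id"]:
        return "session-id"      # classic server-side session cache lookup
    return "none"

def build_client_hello(session_id: bytes = b"", ticket=None) -> bytes:
    """Constructed sample ClientHello (TLS 1.0, one cipher suite, null compression)."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!HH", 2, 0x002F) + b"\x01\x00"
    if ticket is not None:
        ext = struct.pack("!HH", SESSION_TICKET_EXT, len(ticket)) + ticket
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

A server-side reuse counter built on this would count the "ticket" case as resumption even though the session ID it sees there was generated by the client.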
