Jeremy Hicks wrote:
> We have written a client that logs into a web application and then gets
> redirected to a web resource. We want to use SSL during this process.
> Everything seems to be working fine, but we noticed that abbreviated
> handshakes are being done instead of a full handshake.
Jeremy,

Here is my understanding of the situation:

___________________________
SSL session != HTTP session

SSL is a stateful protocol. That's why there is the term "SSL session". As SSL is not something specific to HTML, this session has nothing to do with HTTP session state (cookies, etc.). More specifically, this session is not tied to a single connection. Like an HTTP session, it usually spans multiple connections between the same endpoints.

_______________________
SSL session stores keys

SSL establishes a key pair with the host during a full handshake. This key pair is expensive (asymmetric encryption is slow) to generate. It is used to transfer a symmetric key (symmetric encryption is fast). This symmetric key and the asymmetric pair are subsequently cached in the SSL session. Typically the key will expire after 24 hours and a new one will be generated. The abbreviated handshake uses this cached information to resume the session in a secure way with less computational overhead (by simply reusing the symmetric key).

________________________
Java SSL implementations

JSSE is the Java standard for SSL implementations. Its interfaces are in javax.net.ssl. There you find the class SSLSession:
http://java.sun.com/j2se/1.4.2/docs/api/javax/net/ssl/SSLSession.html

SSL implementations have to implement this interface. The interface provides an invalidate() method. Access to the SSLSession object is possible through:
* SSLSocket.getSession()
* SSLContext.getInstance(...).getClientSessionContext().getSession(...)

The client SSLSessionContext
http://java.sun.com/j2se/1.4.2/docs/api/javax/net/ssl/SSLSessionContext.html
also has methods to control the session cache size and the session timeout. This may be useful in your situation.

Hope that helps.

Ortwin Glück
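An added example, not code from the thread: a small JSSE client (my own, assuming a hypothetical HOST and PORT and the JVM's default trust store) that opens three connections, prints each SSLSession's id and cipher suite, compares ids to tell a resumed (abbreviated) handshake from a full one, and calls invalidate() on the cached session before the third connection so that one gets a full handshake; it also sets the client SSLSessionContext timeout and cache size mentioned above. The id comparison is a reliable indicator for TLS 1.2 and earlier; TLS 1.3 resumes via tickets and a PSK, so there the ids alone may not distinguish the two cases.

```java
import javax.net.ssl.*;
import java.io.IOException;
import java.math.BigInteger;
import java.util.Arrays;

public class SslSessionInspector {
    // Hypothetical target; replace with the web application you are testing.
    private static final String HOST = "example.com";
    private static final int PORT = 443;

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers

        // Client-side session cache: shorten the lifetime (seconds) and cap entries.
        SSLSessionContext clientCtx = ctx.getClientSessionContext();
        clientCtx.setSessionTimeout(60);
        clientCtx.setSessionCacheSize(10);

        SSLSocketFactory factory = ctx.getSocketFactory();

        // 1st connection: no cached session, so this is a full handshake.
        byte[] first = connectAndReport(factory, "first");
        // 2nd connection: same endpoint, cached session -> abbreviated handshake.
        byte[] second = connectAndReport(factory, "second");
        System.out.println("second resumed first: " + Arrays.equals(first, second));

        // Drop the cached session so the next connection cannot resume it.
        SSLSession cached = clientCtx.getSession(second);
        if (cached != null) {
            cached.invalidate();
        }
        // 3rd connection: the session was invalidated, so a full handshake again.
        byte[] third = connectAndReport(factory, "third");
        System.out.println("third is a new session: " + !Arrays.equals(second, third));
    }

    // Opens one connection, forces the handshake, and returns the session id.
    private static byte[] connectAndReport(SSLSocketFactory f, String label) throws IOException {
        try (SSLSocket s = (SSLSocket) f.createSocket(HOST, PORT)) {
            s.startHandshake();
            SSLSession session = s.getSession();
            System.out.printf("%s: id=%s cipher=%s created=%d%n", label,
                new BigInteger(1, session.getId()).toString(16),
                session.getCipherSuite(), session.getCreationTime());
            return session.getId();
        }
    }
}
```

Run with `-Djavax.net.debug=ssl:handshake` to see the full versus abbreviated handshake messages alongside the printed session ids.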