Hi,

The last few days I scanned the web for problems regarding Netscape Navigator and SSL, but I only came across those MSIE-related threads here on the list (I/O errors, EXP56, just to name a few details). One of those postings sent by Ralf Engelschall includes the following:

> Basically there are three approaches: 1. the unclean approach where no close
> notify alerts are sent or received (violates the SSL/TLS standard), 2. the
> accurate approach where close notify alert is sent and the close notify of the
> client received (can cause hanging connections) and 3. (the default!) where
> mod_ssl sends the close notify but doesn't wait for the client's close notify
> (which _IS_ standard compliant!).

What I'm interested in is the statement regarding compliance with the standard when solving the MSIE problem using approach 3. My question is: when one party just sends the CloseNotify and does not wait for the respective answer, is the session allowed or not allowed to be resumed?

The spec reads here:

> 5.4.1 Closure alerts
>
> The client and the server must share knowledge that the connection
> is ending in order to avoid a truncation attack. Either party may
> initiate the exchange of closing messages.
>
> close_notify This message notifies the recipient that the
> sender will not send any more messages on this
> connection. The session becomes unresumable if
> any connection is terminated without proper
> close_notify messages with level equal to
> warning.
>
> Either party may initiate a close by sending a close_notify alert.
> Any data received after a closure alert is ignored.
>
> Each party is required to send a close_notify alert before closing
> the write side of the connection. It is required that the other
> party respond with a close_notify alert of its own and close down
> the connection immediately, discarding any pending writes. It is
> not required for the initiator of the close to wait for the
> responding close_notify alert before closing the read side of the
> connection.
>
> NB: It is assumed that closing a connection reliably delivers
> pending data before destroying the transport.

In particular my problem is the side-by-side comparison of those two sentences:

1. > The session becomes unresumable if any connection
   > is terminated without proper close_notify messages
   > with level equal to warning.

2. > It is not required for the initiator of the close to wait for the
   > responding close_notify alert before closing the read side of the
   > connection.

The standard is not violated, though, but approach 3 will give you the same performance penalties as approach 1. In my understanding you cannot resume a session without having sent a CloseNotify as well as having received one. Probably someone can comment on this or tell me about the de-facto standard, i.e. the way it is implemented in most of the SSL-aware client/server software.
Harald Langaker
SECUDE Sicherheitstechnologie Informationssysteme GmbH
e-security for e-business
Dolivorstr. 11, 64293 Darmstadt, Germany
German WWW: http://www.secude.de
English WWW: http://www.secude.com
