If I understand this thread correctly, you apparently think that the
browsers don't routinely use the SSL session resumption feature.
But in fact browsers DO routinely use the SSL session resumption feature.
A crucial point to understand here is that for SSL purposes, a browser
defines a "server" as the combination of an IP address, port number, and host
name.
When a browser visits a server with the same host name (as found in the URL),
IP address, and port number as one it has previously contacted, it will
attempt to reuse the SSL session it has previously established with that
server. It always does that. It doesn't have to be told to do so, and
in fact cannot be told not to.
It is possible for two different servers to share an SSL session cache;
that is, to share one set of SSL session identifiers, but it is not possible,
in general, for a client to know whether two different servers do so, or not.
That is one reason why the client does not attempt to reuse an SSL session
ID from one server (one hostname, IP address, port number triplet) with any
other server.
Another reason why a client should not, in general, attempt to reuse SSL
session ID info between multiple servers (even if they're on the same IP
address) is that those servers may represent different security domains,
even if they share an SSL session cache. There are certain security
attacks that can be exploited if a browser violates this rule. Certain
old versions of Netscape browsers did not properly enforce this under
all circumstances, and that was "exposed" as a nasty security flaw.
So, in general, attempting to use a single SSL session ID between a client
and multiple "servers" (host name, IP address, port number triplets) is not
a good idea.
--
Nelson Bolyard Sun / Netscape Alliance
Disclaimer: I speak for myself, not for Netscape
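As an added illustration of the rule described in the post above (example code, not from the thread or any browser), here is a toy model of a client-side session cache keyed by the (host name, IP address, port) triplet, talking to a server-side cache that two hostnames on one IP may share. Host names, IP addresses and the `ServerSessionCache` class are constructed assumptions for the example.

```python
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ServerKey:
    """What the client considers one "server": host name, IP and port."""
    host: str
    ip: str
    port: int


class ServerSessionCache:
    """Server-side cache of session IDs; may be shared by several hosts."""
    def __init__(self):
        self.ids = set()

    def new_session(self):
        sid = os.urandom(8).hex()  # constructed stand-in for a real session ID
        self.ids.add(sid)
        return sid

    def accepts(self, sid):
        return sid in self.ids


@dataclass
class ClientSessionCache:
    """Client-side cache: one session ID per (host, ip, port) key."""
    sessions: dict = field(default_factory=dict)

    def connect(self, host, ip, port, server_cache):
        key = ServerKey(host, ip, port)
        sid = self.sessions.get(key)
        # Resumption is attempted only for an exact triplet match, even if
        # the server behind another host name would accept the same ID.
        if sid is not None and server_cache.accepts(sid):
            return "resumed", sid
        sid = server_cache.new_session()
        self.sessions[key] = sid
        return "full_handshake", sid


def demo():
    """Two host names on one IP sharing a server cache: no cross-host reuse."""
    client, shared = ClientSessionCache(), ServerSessionCache()
    first, sid = client.connect("www.example.com", "192.0.2.10", 443, shared)
    second, _ = client.connect("www.example.com", "192.0.2.10", 443, shared)
    third, _ = client.connect("mail.example.com", "192.0.2.10", 443, shared)
    shared.ids.discard(sid)  # server evicted the session: client must redo it
    fourth, _ = client.connect("www.example.com", "192.0.2.10", 443, shared)
    return [first, second, third, fourth]
```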