David Taylor wrote:
>
> I have a question about session param negotiation when there are a
> number of connections attached to the session.
>
> If the cipher suite stays the same, I imagine everything works fine as
> the new session params really only generate connection state (bulk
> cipher keys, IVs etc). So the connection that instigated the negotiation
> will get new keys and the rest will continue to use their old keys.
>
> What happens if the cipher suite changes? This might seem silly at
> first, as you'd imagine the best available cipher suite was chosen to
> begin with - but looking at the Javasoft SSL specs there are calls into
> the session to dynamically enable and disable cipher suites. So if an
> app disabled the cipher suite currently in use on a session and then
> forced a negotiation to occur the cipher suite on that session would
> change and the other connections would not be able to work anymore...
>
> What does OpenSSL do in this case? Does it forbid the cipher suite to
> change if there is more than one connection on a session - only allowing
> the connection keys etc to change?
a) OpenSSL won't know, in general, how many connections there are on a
session.
b) Since you can negotiate to reuse a session, even if it did it
wouldn't help.
c) If multiple connections _are_ sharing a session, session caching must
be external to OpenSSL (currently), so the question really is "what does
the external session cache do?"
OTOH, wouldn't renegotiation change the session ID and thus avoid the
problem? (I'm saying this without checking, but it seems the obvious
thing to do).
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
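The distinction the thread turns on (session state shared by every connection that resumes a session, versus per-connection keys derived fresh on each handshake, with the session cache living outside the library) can be made concrete with a small model. The following is an added example, not OpenSSL code and not anything Ben or David posted: the `Session`, `ExternalSessionCache`, `Connection` and handshake functions are hypothetical names, the cipher suite strings are constructed labels, and the key derivation is a single HMAC stand-in for the real TLS PRF. It shows that a renegotiation that ends up with a different cipher suite produces a new session ID rather than mutating the cached one, so the other connections keep their old session and keys.

```python
"""Model of TLS session state vs. connection state with an external session cache.
Added illustration; not OpenSSL's implementation. Names and values are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Session-level state: what a resumption shares and what a cache stores."""
    session_id: bytes
    master_secret: bytes
    cipher_suite: str  # constructed label, e.g. "AES128-SHA"


class ExternalSessionCache:
    """Application-side cache keyed by session ID (the cache is outside the library)."""

    def __init__(self):
        self._store = {}

    def add(self, session):
        self._store[session.session_id] = session

    def lookup(self, session_id):
        return self._store.get(session_id)

    def __len__(self):
        return len(self._store)


def derive_connection_keys(session, client_random, server_random):
    """Per-connection bulk keys from the shared master secret plus this connection's
    randoms. One HMAC-SHA256 call stands in for the TLS key-expansion PRF."""
    seed = b"key expansion" + server_random + client_random
    block = hmac.new(session.master_secret, seed, hashlib.sha256).digest()
    return {"client_write_key": block[:16], "server_write_key": block[16:]}


class Connection:
    """Connection-level state: fresh randoms and bulk keys for one TCP connection."""

    def __init__(self, session):
        self.attach(session)

    def attach(self, session):
        """(Re)derive this connection's keys against the given session."""
        self.session = session
        self.client_random = secrets.token_bytes(32)
        self.server_random = secrets.token_bytes(32)
        self.keys = derive_connection_keys(session, self.client_random, self.server_random)


def full_handshake(cache, cipher_suite):
    """Full handshake: new session ID and master secret, stored in the external cache."""
    session = Session(secrets.token_bytes(32), secrets.token_bytes(48), cipher_suite)
    cache.add(session)
    return Connection(session)


def resume(cache, session_id):
    """Abbreviated handshake: reuse master secret and cipher suite, derive new keys."""
    session = cache.lookup(session_id)
    if session is None:
        raise KeyError("session not in cache; a full handshake is required")
    return Connection(session)


def renegotiate(conn, cache, cipher_suite):
    """Renegotiate on one connection. Same suite: keys change, session is reused.
    Different suite: a full handshake yields a new session; the old one is untouched."""
    if cipher_suite != conn.session.cipher_suite:
        session = Session(secrets.token_bytes(32), secrets.token_bytes(48), cipher_suite)
        cache.add(session)
    else:
        session = conn.session
    conn.attach(session)
    return session


def scenario():
    """Two connections share one session; the first renegotiates to another suite."""
    cache = ExternalSessionCache()
    c1 = full_handshake(cache, "AES128-SHA")
    original = c1.session
    c2 = resume(cache, original.session_id)
    c1_keys_before = dict(c1.keys)
    c2_keys_before = dict(c2.keys)
    renegotiate(c1, cache, "AES256-SHA")
    return {
        "resumed_shares_master_secret": c2.session.master_secret == original.master_secret,
        "connections_have_distinct_keys": c1_keys_before != c2_keys_before,
        "renegotiation_changed_session_id": c1.session.session_id != original.session_id,
        "other_connection_unaffected": (
            c2.session.cipher_suite == "AES128-SHA" and c2.keys == c2_keys_before
        ),
        "old_session_still_cached": cache.lookup(original.session_id) is original,
        "cached_sessions": len(cache),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The model answers David's worry the way Ben suggests: a suite change is a full handshake, so the renegotiating connection moves to a new session ID, and an external cache that stores sessions by ID never sees the old entry's cipher suite change under the connections still using it.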