Hi there,

On Wed, 13 Sep 2000, Stanley Hopcroft wrote:

> We would like to use the environment variable (created by apache_ +
> mod_ssl) SSL_SESSION_ID to identify (to an application) a transaction
> (such as lodging a document so that it's non-repudiable, confidential
> etc).

Not a recommended practice (see below).

> Is the SSL_SESSION_ID useful for other things than eliminating the SSL
> Handshake (and therefore saving the cost of SSL session setup) ?

Not really ... SSL itself is very much not a transactional protocol so
much as a stream protocol. Apart from sessions being resumable via session
caching (thus avoiding SSL session setup overheads), they are also
renegotiable at any time by either party regardless of what's going on at
the time (yeah, this is the Hollywood rendition of the spec ... light on
details :-). In other words, from SSL's point of view, it would be
perfectly acceptable for either the server or browser to renegotiate the
SSL session being used in the encrypted stream half-way through
downloading a .gif image in a web page. From that angle, you might see
that relying on sessions being held open by client and server, and
renegotiated (or not) on the basis of some rational web-browsing logic is
very shaky ground indeed.

In practice, however, HTTPS browsers and servers typically do not behave in
this way (renegotiating mid-download), at least not unless you try to prod
them to do so ... but it's certainly not recommended to try and rely too
much on the lifetime of SSL sessions from inside the application layer
that's on top of the SSL layer, at least not in transaction-type
("question"/"answer") protocols, e.g. HTTPS.

Cheers,
Geoff


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
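The point Geoff makes above, shown in code. This is an added example, not code from the thread or from the OpenSSL or mod_ssl projects. The request dictionaries are constructed to mimic the CGI-style environment Apache + mod_ssl exports (SSL_SESSION_ID, SSL_CLIENT_S_DN) over four requests: one application transaction whose second request arrives after a renegotiation (new session ID), and a second, unrelated transaction whose browser resumed the cached session (same session ID). The first function checks whether session IDs and transactions line up one-to-one; the second pair issues and verifies an application-layer transaction token bound to the authenticated identity instead, which survives renegotiation and is not shared by resumed sessions. Binding to the client certificate DN is an assumption for illustration; any identity the application has authenticated works the same way. The helper names and the secret are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample of what a CGI script would see from Apache + mod_ssl
# across four HTTPS requests. "txn" is the application's own notion of which
# document-lodging transaction a request belongs to; it is not an SSL field.
SAMPLE_REQUESTS = [
    # Transaction 1, request 1: full handshake, session id A.
    {"txn": "lodge-1", "SSL_SESSION_ID": "A" * 64, "SSL_CLIENT_S_DN": "CN=alice"},
    # Transaction 1, request 2: a peer renegotiated, so session id B now
    # carries the rest of the same transaction.
    {"txn": "lodge-1", "SSL_SESSION_ID": "B" * 64, "SSL_CLIENT_S_DN": "CN=alice"},
    # Transaction 2: the browser resumed cached session B for a new
    # transaction, so one session id now spans two transactions.
    {"txn": "lodge-2", "SSL_SESSION_ID": "B" * 64, "SSL_CLIENT_S_DN": "CN=alice"},
    {"txn": "lodge-2", "SSL_SESSION_ID": "B" * 64, "SSL_CLIENT_S_DN": "CN=alice"},
]


def session_id_maps_to_transactions(requests):
    """Return (ok, reasons). ok is True only when SSL_SESSION_ID and the
    application's transaction are in one-to-one correspondence; each
    violation (renegotiation or resumption) is listed in reasons."""
    txn_to_sids = {}
    sid_to_txns = {}
    for r in requests:
        txn_to_sids.setdefault(r["txn"], set()).add(r["SSL_SESSION_ID"])
        sid_to_txns.setdefault(r["SSL_SESSION_ID"], set()).add(r["txn"])
    reasons = []
    for txn, sids in txn_to_sids.items():
        if len(sids) > 1:
            reasons.append(f"{txn} spans {len(sids)} SSL sessions (renegotiation)")
    for sid, txns in sid_to_txns.items():
        if len(txns) > 1:
            reasons.append(f"session {sid[:4]}... carries {len(txns)} transactions (resumption)")
    return (not reasons, reasons)


def issue_transaction_token(client_dn, secret):
    """Application-layer transaction identifier: a random nonce plus an HMAC
    tying it to the authenticated identity. It does not depend on which SSL
    session any later request of the transaction arrives on."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(secret, f"{nonce}|{client_dn}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_transaction_token(token, client_dn, secret):
    """Accept the token only if its HMAC matches for this identity and key;
    a malformed token, a different identity or a tampered tag all fail."""
    try:
        nonce, tag = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{nonce}|{client_dn}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    ok, reasons = session_id_maps_to_transactions(SAMPLE_REQUESTS)
    print("SSL_SESSION_ID usable as transaction id:", ok)
    for reason in reasons:
        print("  -", reason)
    key = secrets.token_bytes(32)  # hypothetical per-deployment key
    token = issue_transaction_token("CN=alice", key)
    print("token verifies for alice:", verify_transaction_token(token, "CN=alice", key))
    print("token verifies for mallory:", verify_transaction_token(token, "CN=mallory", key))
```

The check reports both failure modes from the sample: a transaction split across two session IDs, and one session ID shared by two transactions. Either alone is enough to rule SSL_SESSION_ID out as a transaction key; the token shows the usual remedy, keeping transaction identity in the application layer where the request/response structure actually lives.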