Neff Robert A <[EMAIL PROTECTED]> writes:

> I loved your book. Ordered it from B&N as soon as I saw it. Helped me
> overcome some early initial mindblocks when first integrating with
> OpenSSL. For those of you reading this, Erik's book is titled: SSL and
> TLS - Designing and Building Secure Systems and is published by
> Addison-Wesley.

Thanks for the plug. Always glad to meet a satisfied reader :)

> After reading your reply, I agree that the server should be receiving
> an alert prior to the FIN indicating the error condition which occurred
> on the client.

Unfortunately, it's very hard to see how to do this correctly. If the
client sends a fatal alert before it consults the user then the session
won't be resumed (see below). OTOH, servers don't really know what to do
with a warning-level bad_certificate alert.

> Perhaps I should have qualified that my expectations of an HTTP SSL
> connection from a client should not hold a connection open on a server
> while the user waits god-knows-how-long to decide whether to accept a
> cert or not. Most users don't have a clue why they see that dialog box
> anyway.

This isn't really that bad. Remember that modern HTTP connections often
get held open for quite some time due to HTTP connection persistence.

> However, you realize that no session prior to this point would have
> been established on the server for that user as the cert was not
> previously authenticated...

The session is established by IE when it initiates the first connection.
I.e. IE doesn't just close the connection, it finishes the SSL handshake
completely before it pops up the error. When it reconnects it attempts
to resume the session. Most servers allow it to do so.

See the diagram and discussion on pages 309-313 of "SSL and TLS",
especially the diagram on p 313 which shows IE's behavior. (However:
note that there's an error in the first printing. There should be a TCP
FIN from the client prior to the server's first close_notify. This is
fixed in the second printing.) If you have the first printing, you may
want to draw in the appropriate arrow :)

-Ekr
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
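As an added illustration (example code written for this page, not from Eric's book, the OpenSSL project or any browser), the Go program below replays the two client behaviours discussed in the thread against a local Go crypto/tls server: a client that verifies the certificate inside the handshake, which aborts with the fatal bad_certificate alert that the server then sees, and an IE-style client that completes the handshake first, runs its trust check afterwards (the point where the dialog box would appear), closes, and resumes the cached session when it reconnects. Everything not in the post is an assumption of mine: the names Result, selfSignedCert and DemoResumption; a self-signed certificate for 127.0.0.1 generated in-process plus an empty trust store standing in for "untrusted cert"; and resumption by session ticket (what Go implements) rather than the server-side session-ID cache of the servers IE talked to. TLS 1.2 is pinned because in TLS 1.3 the ticket arrives after the handshake, so a client that closes immediately would have nothing to resume.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

type Result struct {
	FatalAlertAtServer bool // conn 1: server saw the client's fatal bad_certificate alert
	FirstResumed       bool // conn 2: full handshake before the "dialog box" (expect false)
	RejectedAfterHS    bool // conn 2: post-handshake trust check failed (expect true)
	SecondResumed      bool // conn 3: reconnect after the "user accepted" (expect true)
}

// selfSignedCert builds a throw-away cert for 127.0.0.1 (constructed test data; no trust store knows it).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// DemoResumption runs a local TLS 1.2 server (ticket delivered inside the handshake,
// unlike TLS 1.3) and three client connections against it.
func DemoResumption() (res Result, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return res, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12})
	if err != nil {
		return res, err
	}
	defer ln.Close()
	// Server side, one connection at a time: report the handshake outcome (nil, or e.g.
	// "remote error: tls: bad certificate"), read until the client closes, then close.
	server := make(chan error, 8)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.SetDeadline(time.Now().Add(5 * time.Second))
			server <- c.(*tls.Conn).Handshake()
			io.Copy(io.Discard, c) // returns at the client's close_notify/FIN
			c.Close()              // so the server's close_notify follows the client's FIN
		}
	}()
	addr, trust := ln.Addr().String(), x509.NewCertPool() // empty trust store: the cert is untrusted
	// 1. Verify inside the handshake: the untrusted cert draws a fatal bad_certificate
	//    alert, the server never finishes the handshake, and there is no session to resume.
	if c, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: trust, MaxVersion: tls.VersionTLS12}); err == nil {
		c.Close() // not expected: the handshake should have failed
	}
	srvErr := <-server
	res.FatalAlertAtServer = srvErr != nil && strings.Contains(srvErr.Error(), "bad certificate")
	// 2. The IE pattern: finish the handshake without judging the certificate (so the
	//    session gets cached), then run the trust check that would drive the dialog box.
	browser := &tls.Config{InsecureSkipVerify: true, ClientSessionCache: tls.NewLRUClientSessionCache(4), MaxVersion: tls.VersionTLS12}
	c2, err := tls.Dial("tcp", addr, browser)
	if err != nil {
		return res, err
	}
	res.FirstResumed = c2.ConnectionState().DidResume
	_, verr := c2.ConnectionState().PeerCertificates[0].Verify(x509.VerifyOptions{Roots: trust, DNSName: "127.0.0.1"})
	res.RejectedAfterHS = verr != nil
	c2.Close() // client FIN while the user decides; the cached session survives
	<-server   // let the server finish with connection 2
	// 3. The user clicked "accept": reconnect and resume the cached session.
	c3, err := tls.Dial("tcp", addr, browser)
	if err != nil {
		return res, err
	}
	res.SecondResumed = c3.ConnectionState().DidResume
	c3.Close()
	return res, <-server
}

func main() { fmt.Println(DemoResumption()) }
```

The first connection is the "send the alert before consulting the user" design: the server learns why the client went away, but there is no session for the user's later "accept" to resume, so a second full handshake is unavoidable. The IE pattern trades that diagnostic for a cheap resumed reconnect. Note that the post-handshake check here calls x509 Verify with an empty pool only to force the untrusted outcome deterministically; a real client would verify against its actual roots and, on failure, present the chain to the user.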