> Thanks for the useful experiment. It seems to me that if we were
> to implement HTTP 1.1 keep-alive then this problem would go away,
> right? That is, if the same TCP connection is used for a series
> of requests then it's not an issue, right?

I altered the sample I was running to include a Connection: Keep-Alive
header.  The server (www.verisign.com) responds with a Connection: close
header.  I don't know whether this is typical for public commercial servers
running SSL, of course, but it does remind us that at least some hosts will
not enable keep-alive processing.

> I wonder how browsers do it- when I'm using my Internet banking
> stuff does it keep re-negotiating keys?? Or does it keep a single
> socket connection open for the 30 mins say that I'm using it. The
> latter seems extremely resource heavy on the server.

I would like to know this as well.  I have tested IE 5.5 and Mozilla 1.0 to
a mutual fund company and found that connections are not being re-used.
Since I cannot see the decrypted data, I cannot tell whether there was some
attempt on the part of the browser to use keep-alive.  What I'd really like
to know is whether each connection has re-used the SSL session created for
the first connection.

Scott Nichol



