On 07/04/13 14:02, anonymous coward wrote:
> The Tuber:
>
>> In SSL, if the client sends a session ID to resume a session, and the
>> server accepts it, no certificate is sent.
>
> But this session ID is sent encrypted or checked against a certificate?

The session ID is sent in cleartext. The server (and client) will then use the session keys associated with the session ID. The idea being that if the current client is not the same as the original client, it will not have the session keys to be able to decrypt the traffic. There is no certificate interaction at all.

Thanks.

The Tuber

_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
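
The cleartext session ID described in the reply above can be read by any passive observer. This added example (not part of the original message) parses it from the unencrypted hello records and reports whether the server accepted the resumption. It assumes SSL 3.0 through TLS 1.2, where the server signals acceptance by echoing the client's session ID, and that each hello fits in one record; the helper names and sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE = 0x16                      # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2     # handshake message types


def hello_session_id(record: bytes):
    """Return (handshake_type, session_id) from one cleartext hello record."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello")
    # Both hellos start: version(2) | random(32) | session_id_len(1) | session_id
    if len(msg) != hs_len or hs_len < 35:
        raise ValueError("truncated hello")
    sid_len = msg[34]
    if sid_len > 32 or 35 + sid_len > len(msg):
        raise ValueError("bad session_id length")
    return hs_type, msg[35:35 + sid_len]


def resumed(client_record: bytes, server_record: bytes) -> bool:
    """True if the server echoed the non-empty session ID the client offered."""
    c_type, offered = hello_session_id(client_record)
    s_type, chosen = hello_session_id(server_record)
    if (c_type, s_type) != (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("expected ClientHello then ServerHello")
    return len(offered) > 0 and offered == chosen


def _hello(hs_type: int, session_id: bytes, tail: bytes) -> bytes:
    """Build a constructed TLS 1.2 hello record (sample data only)."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id + tail
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs


SID = bytes(range(32))                                        # constructed ID
CH = _hello(CLIENT_HELLO, SID, b"\x00\x02\x00\x2f\x01\x00")   # one suite, null compression
SH_RESUMED = _hello(SERVER_HELLO, SID, b"\x00\x2f\x00")       # echoes the client's ID
SH_FULL = _hello(SERVER_HELLO, bytes(range(32, 64)), b"\x00\x2f\x00")  # new ID
```

When `resumed` is true, no Certificate message follows the ServerHello, which matches the reply's point that there is no certificate interaction on resumption.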
