[openssl-users] OpenSSL - Session Resumption on an On-going Connection

Filipe Fernandes filipe.mfgfernandes at gmail.com
Thu Nov 22 11:15:46 UTC 2018


>   I thought you wanted renegotiation, not resumption, servers can't
>   do "resumption", because resumption is what you do to avoid a full
>   handshake on a *new* connection, and only the client can reconnect.

Ok. Agreed.

>   You seem to be confused, and have not explained your requirements
>   clearly.  What is your *goal*?

My goal is to have OpenSSL "perform the TLS Resumption (initiated by
the Hello Request message from the server or the Client Hello message
from the client), in an ongoing TLS Session."
(It's specifically stated in the spec, like this.)

>   What does "always on" mean to you?

Always on means that the socket connection is up for as long as
possible, meaning that the socket is not closed and it keeps exchanging
information all the time (server<->client).

>   Only clients can resume previous
>   sessions, when reconnecting to a server.  Is that what you're trying
>   to do? (Implement a server with a session cache for client resumption?

I'm developing the server side with OpenSSL 1.0.2, and it supports caching
(I've activated it with SSL_CTX_set_session_cache_mode).

>   Support session tickets? Is there just one server or a server "farm"?
>   Do the clients support resumption?)

There's only 1 server, not a farm.

How can I tell if the client supports resumption?


>   Or are you trying to periodically rekey a long-running connection?

Maybe this is it.

For me, renegotiation is to request "everything" (new pubkey, certificates,
etc.).
Resumption is just to refresh the keys? I'm a little confused here.

>
>   Or something else?

I think this is it :)


On Wed, 21 Nov 2018 at 23:12, Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:

> On Wed, Nov 21, 2018 at 05:45:19PM +0000, Filipe Fernandes wrote:
>
> > I've followed your example, and it looks like the server is doing what it's
> > supposed to, however, I'm getting a disconnect from the server when the
> > session expires. Which should not happen, and I can't seem to find a reason
> > for this to be happening.
> >
> > As previously said, I'm developing a server that handles always-on TLS
> > connections, and I'm trying to perform a session resumption.
>
> I thought you wanted renegotiation, not resumption, servers can't
> do "resumption", because resumption is what you do to avoid a full
> handshake on a *new* connection, and only the client can reconnect.
>
> You seem to be confused, and have not explained your requirements
> clearly.  What is your *goal*?
>
> What does "always on" mean to you?  Only clients can resume previous
> sessions, when reconnecting to a server.  Is that what you're trying
> to do? (Implement a server with a session cache for client resumption?
> Support session tickets? Is there just one server or a server "farm"?
> Do the clients support resumption?)
>
> Or are you trying to periodically rekey a long-running connection?
>
> Or something else?
>
> --
>         Viktor.