Does anyone know how SSL servers maintain their SSL Session ID table so they know that an SSL Session ID that is being reused is still valid? What I'm trying to determine is whether the server keeps track of the session ID and the client IP, or whether it is something else that the server uses to keep track of the sessions. Thanks!

asked 14 Feb '12, 14:45 seyerekim
2 Answers:
AFAIK the SSL SessionID is used (without client IP address), as both client and server need to cache the keying material for the particular session to be able to re-use it. Both the client and the server have an (individual) lifetime on the session (so an absolute timeout instead of an idle timeout). The SSL SessionID is used to fetch the keying material from cache to prevent the full SSL handshake (which is CPU intensive). In TLS there is a mechanism called TLS session tickets to remove the need for a session cache on the server. The server will encrypt the keying material in a session ticket and send it to the client. The client caches it and will send it back to the server when setting up a new session.

answered 15 Feb '12, 03:09 SYN-bit ♦♦
Many server-side implementations will associate the SessionID with a particular source IP address as a security measure and will reject any attempt to reuse that session from a different source. Also, the typical server will time out the session cache after a period of time (~5 minutes). The answer to your question will depend on just what framework was used to build the server AND what additional parameters or controls the server application itself may impose.

answered 20 Mar '12, 19:03 inetdog
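The two answers describe three server-side behaviours: a session cache looked up by session ID with an absolute lifetime, an optional binding of the cached entry to the client's source IP, and the stateless session-ticket alternative where the server hands the client an encrypted, authenticated copy of the keying material. The Python below is an added illustration of all three, not code from either answerer or from any real TLS stack; the `SessionCache` and `TicketIssuer` classes, the 300-second default (taken from the "~5 minutes" remark above), and the HMAC-SHA256 counter-mode keystream standing in for a real cipher are all assumptions made for this example, and the ticket layout is not the RFC 5077 format.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class CacheEntry:
    master_secret: bytes   # keying material saved after the full handshake
    created_at: float      # absolute creation time, not last-use time
    client_ip: str         # source address seen during the full handshake


class SessionCache:
    """Server-side session-ID cache: lookup by session ID only, absolute lifetime,
    and an optional source-IP binding (the behaviour the second answer describes)."""

    def __init__(self, lifetime_seconds=300, bind_client_ip=False, clock=time.time):
        self.lifetime = lifetime_seconds
        self.bind_client_ip = bind_client_ip
        self.clock = clock              # injectable so the timeout can be tested deterministically
        self._entries = {}

    def __len__(self):
        return len(self._entries)

    def new_session(self, master_secret, client_ip):
        """Called after a full handshake: mint a random session ID and cache the secret."""
        session_id = os.urandom(32)
        self._entries[session_id] = CacheEntry(master_secret, self.clock(), client_ip)
        return session_id

    def resume(self, session_id, client_ip):
        """Return the cached secret for an abbreviated handshake, or None to force a full one."""
        entry = self._entries.get(session_id)
        if entry is None:
            return None                                   # unknown ID: full handshake
        if self.clock() - entry.created_at > self.lifetime:
            del self._entries[session_id]                 # absolute timeout reached: evict
            return None
        if self.bind_client_ip and entry.client_ip != client_ip:
            return None                                   # reuse from another source rejected
        return entry.master_secret


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher (constructed for this example)
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class TicketIssuer:
    """Stateless alternative: the server keeps only its keys; the client stores the ticket."""

    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, lifetime_seconds=300, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock
        self.enc_key = os.urandom(32)   # per-server keys; rotating them invalidates old tickets
        self.mac_key = os.urandom(32)

    def issue(self, master_secret):
        """Encrypt-then-MAC the creation time and secret into an opaque ticket."""
        nonce = os.urandom(self.NONCE_LEN)
        plaintext = int(self.clock()).to_bytes(8, "big") + master_secret
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(self.enc_key, nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def redeem(self, ticket):
        """Verify, decrypt and age-check a ticket presented by the client; None means full handshake."""
        if len(ticket) < self.NONCE_LEN + 8 + self.TAG_LEN:
            return None
        nonce = ticket[:self.NONCE_LEN]
        ciphertext = ticket[self.NONCE_LEN:-self.TAG_LEN]
        tag = ticket[-self.TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                                   # forged, corrupted, or from another server's key
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext))))
        created_at = int.from_bytes(plaintext[:8], "big")
        if self.clock() - created_at > self.lifetime:
            return None                                   # ticket older than the absolute lifetime
        return plaintext[8:]
```

The point to notice is what each design has to store: the cache holds one entry per session and must be evicted on an absolute clock, while the ticket server holds nothing per session, so the lifetime check and the tamper check both have to live inside the ticket itself, which is why the creation time is encrypted and authenticated along with the secret.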