Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session
<home_pw@msn.com> Mon, 15 January 2007 19:34 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6XbZ-0000Q9-O8; Mon, 15 Jan 2007 14:34:53 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6XbX-0000Px-TU for tls@ietf.org; Mon, 15 Jan 2007 14:34:51 -0500
Received: from bay0-omc2-s38.bay0.hotmail.com ([65.54.246.174]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H6XbV-0006c9-JS for tls@ietf.org; Mon, 15 Jan 2007 14:34:51 -0500
Received: from hotmail.com ([65.55.131.19]) by bay0-omc2-s38.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 15 Jan 2007 11:34:49 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 15 Jan 2007 11:34:48 -0800
Message-ID: <BAY126-DAV9C5D63E9834DF129DE58E92B50@phx.gbl>
Received: from 70.142.20.165 by BAY126-DAV9.phx.gbl with DAV; Mon, 15 Jan 2007 19:34:44 +0000
X-Originating-IP: [70.142.20.165]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: EKR <ekr@networkresonance.com>
References: <200701151803.TAA01170@uw1048.wdf.sap.corp><BAY126-DAV3FB5F2BEE682A4281A02A92B50@phx.gbl> <86tzys9kln.fsf@raman.networkresonance.com>
Subject: Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session
Date: Mon, 15 Jan 2007 11:34:43 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 15 Jan 2007 19:34:48.0900 (UTC) FILETIME=[38211040:01C738DC]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
> RFC 4346 S 7.3. > > If a match is found, and the server is willing to > re-establish the > connection under the specified session state, it will > send a > ServerHello with the same Session ID value. At this > point, both > client and server MUST send change cipher spec messages > and proceed > directly to finished messages. Once the > re-establishment is > complete, the client and server MAY begin to exchange > application > layer data. (See flow chart below.) If a Session ID > match is not > found, the server generates a new session ID and the TLS > client and > server perform a full handshake. > > In other words, refused session resumptions are totally > normal > behavior. Clients which treat them as anomalous are > confused. > > Yes, a client can terminate the connection at any time and > for > any reason, including that it doesn't like the phase of > the moon, > but that doesn't make the assumption that a server will > always > resume a session---presenting an error to the user if it > doesn't---any less insane. No such error occurred. This only partly reflects the case in question. I agree its the defining technical paragraph, tho (*). The server in Martin's case didn't find a match: that was the whole point. So, the last phrase controls. And, there is not a MUST in there. Ok. Lets conclude this, procedurally. Who agrees that TLS 1.2 shall be changed to:- "If a Session ID match is not found, the server generates a new session ID and the TLS client and server MUST perform a full handshake." With that settled, the next implementer get a nice, simple conformance case to test. No more interpretive arguments. ------ (*) I think THE FOLLOWING WAS BETTER WRITTEN personally " Sessions cannot be resumed unless both the client and server agree. If either party suspects that the session may have been compromised, or that certificates may have expired or been revoked, it should force a full handshake. " and lets not forget that maintaining a session resumption cache is OPTIONAL for a client in SSLv3. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Question on Stateless TLS Session Resumption Narayanan, Vidya
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] Re: when is it ok to resume a cached SSL/TL… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Kyle Hamilton
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- RE: [TLS] Question on Stateless TLS Session Resum… Narayanan, Vidya
- Re: [TLS] when is it ok to resume a cached SSL/TL… Martin Rex