Re: [TLS] Questions about TLS Server Name Indication extension

[Peter Gutmann <pgut001@cs.auckland.ac.nz>]

Nelson B Bolyard <nelson@bolyard.me> writes:

>In the context of a physical server acting as multiple virtual server, is the
>space of session IDs coming from that server a single space that encompasses
>all the sessions for all the virtual servers served by that physical server?
>Or does each virtual server have its own separate space?
>
>If each virtual server has its own separate session ID space, then when
>attempting to "resume" or "restart" a TLS session, the client hello MUST bear
>an SNI extension to inform the physical server which virtual server's session
>ID space contains the given session ID, and each virtual server potentially
>has its own separate session store/cache.
>
>OTOH, if there is a single session ID space for the entire physical server
>covering all the virtual servers, then each cached session must record and
>identify the virtual server with which it is associated.

Ah, I see what you mean now.  Well in general I don't think it's going to be
an issue, the session ID is a 32-byte blob so it's up to the server what it
puts in there, it can include a virtual server ID, cache ID, whatever it wants
in any format it requires.  In other words if the server wants to encode
configuration- or server architecture-specific details in the session ID then
the form and type is up to the server, you don't need an explicit SNI for
this, particularly since the free-form blob accomodates much more than just
the virtual server : cache ID pair that the SNI + session ID handles.

Peter.