Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

SSL/TLS question...

0 views
Skip to first unread message

barcaroller

unread,
Nov 7, 2009, 5:20:12 PM11/7/09
to

The TLS RFC refers to _multiple_ TCP/IP connections per SSL session. Does
this mean that an SSL session can have multiple (simultaneous) TCP
connections going in parallel or does it simply mean that an SSL session can
have multiple, sequential (resumed) TCP connections, one at a time?

It is my understanding that an SSL session applies to one source IP/port
pair and one destination IP/port pair, so I'm inclined to lean towards the
latter.


EJP

unread,
Nov 12, 2009, 2:19:03 AM11/12/09
to
barcaroller wrote:
> Does
> this mean that an SSL session can have multiple (simultaneous) TCP
> connections going in parallel

Yes.

> or does it simply mean that an SSL session can
> have multiple, sequential (resumed) TCP connections, one at a time?

Again yes.

> It is my understanding that an SSL session applies to one source IP/port
> pair and one destination IP/port pair

No.

David Thompson

unread,
Nov 19, 2009, 1:40:19 AM11/19/09
to
On Sat, 7 Nov 2009 17:20:12 -0500, "barcaroller"
<barca...@music.net> wrote:

>
> The TLS RFC refers to _multiple_ TCP/IP connections per SSL session. Does
> this mean that an SSL session can have multiple (simultaneous) TCP
> connections going in parallel or does it simply mean that an SSL session can
> have multiple, sequential (resumed) TCP connections, one at a time?
>

Both, but in my experience more commonly the latter.

An SSL/TLS 'session' saves the (negotiated) crypto settings. So e.g.
you do one connection, do the relatively expensive and slow key
establishment and usually authentication (RSA or DH or ECDH possibly
plus DSA or ECDSA), then send and/or receive data, and disconnect;
then connect again and quickly continue to send and/or receive data,
or overlapping the original to quickly send/receive other data.

Subject to any limitations either system (but usually the server)
imposes on how much resources a given partner is allowed to use.
And possibly the limitations on how much data should be protected with
one set of DEKs before rekeying, which in SSL/TLS is renegotiation.

Especially with HTTP/1.0 which (officially) required separate TCP
connection per transaction=resource this was a pretty big win.

> It is my understanding that an SSL session applies to one source IP/port
> pair and one destination IP/port pair, so I'm inclined to lean towards the
> latter.
>

SSL/TLS connections within a session don't have to use the same TCP/IP
parameters. The session is identified by an up-to-32-octet value
assigned by the server. If a client having the session params, using
any address and port, reaches a server, using any address and port,
that has (or can get) the same session params, they can 'resume'.
The useful case for this is failover or pooling. Of course you need to
restrict it somehow; you don't want to allow security that was set-up
for Alice to Bob to be used by Carol. You might *choose* to use it
only for same addresses and maybe even ports for simplicity.

barcaroller

unread,
Nov 20, 2009, 5:52:59 PM11/20/09
to

"David Thompson" <dave.th...@verizon.net> wrote:

> Both, but in my experience more commonly the latter.
>
> An SSL/TLS 'session' saves the (negotiated) crypto settings. So e.g.
> you do one connection, do the relatively expensive and slow key
> establishment and usually authentication (RSA or DH or ECDH possibly
> plus DSA or ECDSA), then send and/or receive data, and disconnect;
> then connect again and quickly continue to send and/or receive data,
> or overlapping the original to quickly send/receive other data.
>
> Subject to any limitations either system (but usually the server)
> imposes on how much resources a given partner is allowed to use.
> And possibly the limitations on how much data should be protected with
> one set of DEKs before rekeying, which in SSL/TLS is renegotiation.
>
> Especially with HTTP/1.0 which (officially) required separate TCP
> connection per transaction=resource this was a pretty big win.
>

> SSL/TLS connections within a session don't have to use the same TCP/IP
> parameters. The session is identified by an up-to-32-octet value
> assigned by the server. If a client having the session params, using
> any address and port, reaches a server, using any address and port,
> that has (or can get) the same session params, they can 'resume'.
> The useful case for this is failover or pooling. Of course you need to
> restrict it somehow; you don't want to allow security that was set-up
> for Alice to Bob to be used by Carol. You might *choose* to use it
> only for same addresses and maybe even ports for simplicity.

Thanks for the detailed info; it was very useful.


0 new messages