Abbreviated handshake


Robin Seggelmann

Dec 3, 2008, 7:03:24 AM
Is it possible to perform the shortened (session resumption)
handshake without reconnecting the socket? TLS 1.2 RFC 5246 states:

[ClientHello]
The session identifier MAY be from an earlier connection, this
connection, or from another currently active connection. The second
option is useful if the client only wishes to update the random
structures and derived values of a connection, and the third option
makes it possible to establish several independent secure connections
without repeating the full handshake protocol.

So it should be possible, but the only handshake-related functions I
have found in OpenSSL are SSL_renegotiate and SSL_get_session/SSL_set_session.
The first always performs a full handshake and the latter requires a new
SSL object.

Regards,
Robin
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org

David Schwartz

Dec 3, 2008, 12:27:32 PM
> Is it possible to perform the shortened (session resumption)
> handshake without reconnecting the socket? TLS 1.2 RFC 5246 states:

Yes.

> [ClientHello]
> The session identifier MAY be from an earlier connection, this
> connection, or from another currently active connection. The second
> option is useful if the client only wishes to update the random
> structures and derived values of a connection, and the third option
> makes it possible to establish several independent secure connections
> without repeating the full handshake protocol.
>
> So it should be possible, but the only handshake related functions I
> have found in OpenSSL are SSL_renegotiate and SSL_get_session/
> SSL_set_session. The first always performs a full handshake and the
> latter requires a new SSL object.

The new SSL object can become associated with the resumed session. An SSL
object is not a session; it's a handle to a session. An 'SSL' structure
contains a pointer to an SSL_SESSION. The SSL_SESSION is reference counted.
The 'SSL_SESSION' object contains the information required to re-establish
the connection without a new handshake.

DS
