Dear Ladies and Gentlemen,
I am writing to ask your help about perplexing browser behaviour and
the usefulness, for anything but performance, of the SSL Session ID.
We would like to use the environment variable (created by apache_ +
mod_ssl) SSL_SESSION_ID to identify (to an application) a transaction
(such as lodging a document so that its no reputable, condidential
etc).
Unfortunately, IE re prompts the user to supply a client certificate -
in this case the server insists that clients validate their identity -
before it gets each part of the HTTPS page.
>From the (mod_ssl + Apache) server point of view, the SSL session is
logged as being new every time.
Please would you let me know what's going on, on where to look ?
Is the SSL_SESSION_ID useful for other things than eliminating the SSL
Handshake (and therefore saving the cost of SSL session setup) ?
Thank you.
Yours sincerely,
S Hopcroft
Network Specialist
IP Australia
+61 2 6283 3189
+61 2 6281 1353 FAX
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
