> Of course, it will be great to have a feature in OpenSSL
> implementation itself that will enable SSL session handover / or
> even session sharing between multiple related processes.

Session sharing is pretty hard to do. Handover is not quite as hard. I think that would be a really great feature.

The trick is to create code to serialize (into BER, I would imagine) all of the SSL session state information into a form that is independent of any other structures. On the flip side, you need to create the session object from the BER data and then create session-private copies of any associated structures needed to support the session (and get rid of them when you're done with the session or hand it off). If you standardize the format, it should be possible to hand a session off even across different versions of OpenSSL and, eventually, across different SSL implementations. (Does anyone know if there is such a standard already?)

> But I am
> not quite sure if this would involve any security hazards like
> session hijacking, that would in fact defeat the purpose of SSL
> (which is to provide security).

SSL is only secure if the endpoints are secure. SSL secures the transport and ensures you got the endpoint you intended. However, there are some security issues that do need to be addressed.

For example, to support renegotiation, you have to hand off the private key along with the session (I think). That could present some security issues in that anyone who ever gets a session would have to be trusted with the private key.

Another possible issue might be that it would be difficult to get session handoff to work properly with session caching. In that case, the loss of session caching could make a DoS attack possible or easier.

DS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]