Peter Gubis wrote:
On 13. 3. 2010 0:37, John R Pierce wrote:
our security auditors yanked the token out, and the client continues
to work, ..

you'll probably need to listen for the token removal event and destroy the
SSL session after that.
It is working this way for us. The session should be renegotiated after
the token is inserted again.

This has migrated towards being a Tomcat problem, I think. We would like to enforce renegotiation after each top-level transaction in our server app by closing the SSL socket, so the client is forced to restart the SSL socket and renegotiate the session secret via its token-based private key. Now, I know SSL sessions have some retry/resume capability; we need to force the client to start the whole SSL session over.

What server action on an open SSL socket will ensure an OpenSSL 0.9.8 client starts all over and doesn't try to restart/resume the existing session? Should we send an SSL alert and then close the socket?




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

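The point behind the question above is that in TLS the server, not the client, decides whether an offered session is resumed; the client can only offer it. So the dependable server-side action is to refuse resumption: do not keep the session (in OpenSSL terms SSL_SESS_CACHE_OFF, or SSL_CTX_remove_session for that one session) and do not issue session tickets (SSL_OP_NO_TICKET; tickets exist from 0.9.8f on). With client authentication required, the resulting full handshake is what makes the client sign again with the token-held key; a resumed session needs no signature at all. The script below is an added check, not code from this thread or from Tomcat or OpenSSL; it uses the openssl command-line tool (1.1.1 or later assumed), a self-signed certificate generated on the fly as both server and client certificate (standing in for the token), and an arbitrarily chosen loopback port, and counts how many of five reconnects the server accepts as resumptions under three server policies.

```shell
#!/bin/sh
# Added example (not code from the original thread): checks whether a TLS server
# lets a client resume an earlier session or forces a full handshake (and
# therefore a fresh client-certificate signature) on every connection.
# Assumes the `openssl` CLI, 1.1.1 or later, and a free loopback port.
# The key and certificate are generated here on the fly; nothing is real data.
set -eu

PORT="${PORT:-14433}"
WORK="$(mktemp -d)"
SERVER_PID=""

cleanup() {
    if [ -n "$SERVER_PID" ]; then
        kill "$SERVER_PID" 2>/dev/null || true
        wait "$SERVER_PID" 2>/dev/null || true
    fi
    rm -rf "$WORK"
}
trap cleanup EXIT

# One self-signed certificate serves as server certificate, client certificate
# (standing in for the token-held key) and trust anchor for both sides.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=resume-test \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# s_client with the options every connection in this script needs:
# TLS 1.2 (session-ID/ticket style resumption, as in the pre-1.3 era) and a
# client certificate.
client() {
    openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 \
        -cert "$WORK/cert.pem" -key "$WORK/key.pem" -CAfile "$WORK/cert.pem" "$@"
}

# Start s_server requiring a client certificate; extra arguments such as
# "-no_cache -no_ticket" select the resumption policy under test.
start_server() {
    openssl s_server -accept "$PORT" -www -Verify 1 \
        -cert "$WORK/cert.pem" -key "$WORK/key.pem" -CAfile "$WORK/cert.pem" \
        "$@" >/dev/null 2>&1 &
    SERVER_PID=$!
    i=0
    until client </dev/null >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 50 ] || { echo "server on port $PORT did not come up" >&2; return 1; }
        sleep 0.2
    done
}

stop_server() {
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
    SERVER_PID=""
}

# Connect once, then reconnect five times offering the previous session
# (s_client -reconnect). Prints how many of the five reconnects the server
# accepted as a resumption ("Reused, TLSv1.2, ...") instead of running a
# full handshake ("New, TLSv1.2, ...").
count_resumed() {
    client -reconnect </dev/null 2>/dev/null | grep -c '^Reused' || true
}

# Run one server policy end to end and print the resumption count (0..5).
resumed_with_policy() {
    start_server "$@"
    count_resumed
    stop_server
}

make_cert
echo "default (cache on, tickets on):        $(resumed_with_policy) of 5 resumed"
echo "-no_cache (tickets still on):          $(resumed_with_policy -no_cache) of 5 resumed"
echo "-no_cache -no_ticket:                  $(resumed_with_policy -no_cache -no_ticket) of 5 resumed"
```

Run it as `sh resume-check.sh` (set PORT if 14433 is taken). The middle case is the caveat worth noticing: turning off the server's session cache alone does nothing while session tickets are enabled, because a ticket lets the server resume without remembering anything; only the third policy yields a full handshake, and so a fresh signature from the client's key, on every connection. Whatever the server stack (Tomcat included), the equivalent check is to confirm with `s_client -reconnect` that every reconnect reports "New" rather than "Reused".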