Re: [AOLSERVER] OT: gearing for speed.... (caching connections)

2002-08-30 Thread Jerry Asher

At 05:12 AM 8/30/2002, you wrote:
SSL requires a 7-step handshake between the two systems in order to
establish an SSL connection before any data can be passed.  This handshake
also requires multiple cryptographic operations including generation of a
fairly small random number, as well as disk accesses of the digital
certificate files for authentication.  SSL session establishment takes a
bit of time.  To compensate for this, most SSL implementations will cache
connections between two systems so that what appears to the application
writer as a second session, runs over an existing SSL connection.  Even
so, there is some overhead in the encryption once the session has been
established.

I have an application where two AOLserver instances on two different nodes
are going to have lots and lots of communication between themselves -- I
would prefer to keep the connections transient, but want to know what the
alternatives are.  It's interesting to know that nsopenssl/nsssl may already
be doing some of this.

Can you tell me more about how this connection caching is done in AOLserver?

Is it handled entirely within nsopenssl/nsssl?  Is it actually keeping the
TCP/IP connection open, or just caching some of the SSL/crypto data?  If the
latter, how does it determine a new request is actually part of an old SSL
session?

Thanks,


Jerry



Re: [AOLSERVER] OT: gearing for speed.... (caching connections)

2002-08-30 Thread Scott Goodwin

nsopenssl would give you the ability to talk between your servers
directly.

SSL session caching allows a client and server to set up the initial
connection, and then share a long random id. The server uses the id as
a key and caches the SSL conn info, such as the keys, ciphers and so on
used for the connection. When the client connects again and passes this
id, if session caching is turned on in nsopenssl, then the client and
server don't have to go through the whole SSL setup procedure again.
The session caching capability is managed by the OpenSSL library
internally.

BTW, if you're using nsopenssl ALWAYS TURN ON SESSION CACHING. MSIE
doesn't work properly without it.

/s.



 I have an application where two AOLserver instances on two different nodes
 are going to have lots and lots of communication between themselves -- I
 would prefer to keep the connections transient, but want to know what the
 alternatives are.  It's interesting to know that nsopenssl/nsssl may already
 be doing some of this.

 Can you tell me more about how this connection caching is done in AOLserver?

 Is it handled entirely within nsopenssl/nsssl?  Is it actually keeping the
 TCP/IP connection open, or just caching some of the SSL/crypto data?  If the
 latter, how does it determine a new request is actually part of an old SSL
 session?

 Thanks,


 Jerry


--
  Scott Goodwin
  [EMAIL PROTECTED]
  http://scottg.net
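The abbreviated handshake Scott describes, shown with Go's standard crypto/tls instead of OpenSSL. This is an added example written for this thread; it is not code from the list, from nsopenssl or from AOLserver. It assumes an in-memory self-signed certificate for 127.0.0.1 (constructed here, where a real node would load certificate files from disk) and Go's ticket-based resumption in place of OpenSSL's server-side session-id cache. The mechanism is the one in the reply above: the client keeps the session state and presents its identifier on the next connection, and the server, if it still holds matching state, skips the certificate exchange and key agreement. `ConnectionState().DidResume` is the check that confirms resumption actually happened, the run with a nil cache shows the full handshake repeating on every connection, and every dial opens a fresh TCP connection, which shows that only the crypto state is cached, not the socket.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate for 127.0.0.1 entirely in
// memory. It is constructed for this example; a real node would load its
// certificate files from disk instead.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-node"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// RunResumptionDemo opens n successive TLS connections from a client to an
// in-process server and reports, per connection, whether the handshake was
// resumed from cached session state (true) or was a full handshake (false).
// Each connection is a brand-new TCP connection: only the crypto state is
// cached, never the socket. Pass cache == nil to disable client-side caching.
func RunResumptionDemo(n int, cache tls.ClientSessionCache) ([]bool, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return nil, err
	}
	defer ln.Close()

	// Minimal server: complete the handshake, send a reply, hang up.
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				c.SetDeadline(time.Now().Add(5 * time.Second))
				c.Write([]byte("ok"))
			}(c)
		}
	}()

	cliCfg := &tls.Config{
		RootCAs:            pool,
		MinVersion:         tls.VersionTLS12,
		ClientSessionCache: cache, // nil means "never reuse a session"
	}
	results := make([]bool, 0, n)
	for i := 0; i < n; i++ {
		conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
		if err != nil {
			return results, fmt.Errorf("connection %d: %w", i+1, err)
		}
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		// Reading the reply also drains the post-handshake NewSessionTicket
		// that a TLS 1.3 server sends, which is what populates the cache.
		buf := make([]byte, 2)
		if _, err := io.ReadFull(conn, buf); err != nil {
			conn.Close()
			return results, fmt.Errorf("connection %d read: %w", i+1, err)
		}
		results = append(results, conn.ConnectionState().DidResume)
		conn.Close()
	}
	return results, nil
}

func main() {
	withCache, err := RunResumptionDemo(3, tls.NewLRUClientSessionCache(16))
	if err != nil {
		panic(err)
	}
	noCache, err := RunResumptionDemo(3, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("resumed with cache:   ", withCache)
	fmt.Println("resumed without cache:", noCache)
}
```

The cached state is the same secret material both sides derived in the full handshake, so whoever holds the server's cache (or, in Go, its ticket key) can resume as that client; the cache timeout is what bounds that exposure, and on the server it is turned off entirely with `SessionTicketsDisabled`. The counterpart on an OpenSSL-based server is the session-id cache Scott describes, keyed by the long random id the server hands out.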