Re: ssl handshake with multiple tcp connect?
Hello David,

thanks for your reply, and that's correct. That was it for gnutls-cli.

After a confusing day, one of the original items triggered my Firefox browser, which I thought I reproduced with gnutls-cli. In the end it was a simple favicon issue, which kept connecting (no cache).

regards,

On Thu, 2011-08-25 at 23:00 -0700, David Schwartz wrote:
> On 8/25/2011 6:04 AM, Arjan Filius wrote:
> > Hello,
> >
> > today I ran into a situation where I noticed Firefox/Chrome and gnutls-cli use 3 TCP sessions to get a single SSL session, where openssl s_client takes only one. One TCP session is what I expect, and I hope someone may have an explanation.
> >
> > I compared gnutls-cli with openssl s_client, as they would do no HTTP interpretation and are easily reproduced on the command line:
> >
> > gnutls-cli --insecure -V -r www.xs4all.nl < /dev/null
> > uses 3 TCP sessions to complete
> >
> > openssl s_client -connect www.xs4all.nl:443 < /dev/null
> > uses 1 TCP session to complete
> >
> > Any idea how that may come? Until now, I was under the impression an SSL session setup should only use 1 TCP session (apart from OCSP/CRL checks).
>
> Why are you passing '-r' to gnutls-cli? You are asking it to try to resume the session on a new TCP connection. (I count two connections.)
>
> DS
ssl handshake with multiple tcp connect?
Hello,

today I ran into a situation where I noticed Firefox/Chrome and gnutls-cli use 3 TCP sessions to get a single SSL session, where openssl s_client takes only one. One TCP session is what I expect, and I hope someone may have an explanation.

I compared gnutls-cli with openssl s_client, as they would do no HTTP interpretation and are easily reproduced on the command line:

gnutls-cli --insecure -V -r www.xs4all.nl < /dev/null
uses 3 TCP sessions to complete

openssl s_client -connect www.xs4all.nl:443 < /dev/null
uses 1 TCP session to complete

Any idea how that may come? Until now, I was under the impression an SSL session setup should only use 1 TCP session (apart from OCSP/CRL checks).

Thanks in advance

Regards,
--
Arjan Filius
mailto:iafil...@xs4all.nl
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
loadbalancer affinity/persistence with tls sessiontickets
Hello,

a question about SSL persistence in loadbalancers.

Until now we'd used the SSL Session ID in the loadbalancer to get some SSL and application affinity to the backend. But is it possible with the TLS sessiontickets extension?

In the first TCP/SSL session I can't see any SSL session ID (as it is negotiated then), but in the second and further sessions I can see session IDs (and TLS sessiontickets).

Does anyone know if the TLS sessionticket concept could work with loadbalancer affinity/persistence?

Thanks in advance,

Regards,
--
Arjan Filius
mailto:iafil...@xs4all.nl
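
The fields mentioned in the question above, shown as an added example that is not part of the original thread: a minimal parser for the two resumption identifiers a load balancer can read from a cleartext ClientHello, the session ID and the SessionTicket extension (type 35, RFC 5077). The sample ClientHello bytes are constructed, and `persistence_key` and `build_client_hello` are hypothetical helpers showing one possible keying choice, not the behaviour of any particular load balancer.

```python
import hashlib
import struct

SESSION_TICKET_EXT = 35  # SessionTicket TLS extension type (RFC 5077)

def parse_client_hello(record: bytes) -> dict:
    """Extract the session ID and session ticket from one ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 34                                   # skip client_version + random
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                                  # compression methods
    ticket = None                              # None: extension not offered
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if ext_type == SESSION_TICKET_EXT:
            ticket = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return {"session_id": session_id, "ticket": ticket}

def persistence_key(record: bytes):
    """Hypothetical affinity key: hash of the ticket, else the session ID, else None."""
    hello = parse_client_hello(record)
    token = hello["ticket"] or hello["session_id"]
    return hashlib.sha256(token).hexdigest()[:16] if token else None

def build_client_hello(session_id: bytes, ticket=None) -> bytes:
    """Build a constructed sample ClientHello record (test data, not a capture)."""
    exts = b""
    if ticket is not None:
        exts = struct.pack("!HH", SESSION_TICKET_EXT, len(ticket)) + ticket
    body = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"   # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```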