Problem with Session Caching (Client Side)
Lutz, Thanks for the response. I read the post after I posted it too (Around midnight and my pillow was calling) and could not understand what I had written myself!! The point is this: I am writing a client side application which connects to a defined number of servers to perform a kind of user validation. These Servers are WebSphere Servers. In My Test Env I have an SSL Server, which is a part of an IBM WebSeal installation. It has an HTTPS server. I know from tests using a JAVA JCE (from IAIK in Austria) Package that I have to turn on a certain 'workaround' when connecting to this server, to sucessfully re-use SSL Sessions. That flag in the JAVA JCE Package is described as: > "cache terminated sessions: A boolean value determining whether or not > to resume sessions that have not been properly shutdown. Per spec this > should not be done, this exists only to improve performance when > communicating with bad server implementations. defqult: false" If I di not turn this flag on, my SSL Sessions are not cached. Noz I assumed (most probably incorrectly) that there is session caching built into OpenSSL. I notcied that the are SSL_CTX_set_cache_mode() and SSL_CTX_set_cache_size() etc, funtions, as well as the ability to do caching by yourself using the cache callbacks. I looged at the apps/openssl code (s_client.c) and saw how the -reconnect option worked, as this re-used the same session numbers. I use the same SSL_CTX for all my sessions and have called SSL_CTX_set_session_cache_mode() with SSL_SESS_CACHE_CLIENT to use client caching. But after that I am not sure what I need to do. After completeing a write/read cycle on a SSL_SESSION what do I need to do with it to get it cached?? I do a SSL_SESSION_free to sloce the session, but I assume that that is no good. I also tried SSL_set_connect_state (cause I saw that in the apps/s_client.c code)... >> Are you aware that even a cached session is not automatically reused for >> the next SSL_connect() but that you have to call SSL_set_session() >> explicitly? No I was not aware, but where can I find some doco that would make me aware? Thanks for the tip. >> - extract the session before terminating and store it seperatly. >> I do use this approach for Postfix/TLS (not for the reason mentioned >> but for persistent storage). Do you mean the SSL_SESSION struct (gotten through SSL_get_session() function)? - the "correct" closing happens when SSL_shutdown() is being called. The necessary flag is set whether or not SSL_shutdown() could notify the peer or not, so the behaviour of the peer should not matter. (I just cross checked in the source code, did not verify it myself, but it should work this way :-) So as far as I understand, I need to: - Get the SSL_SESSION ref out of a connection with SSL_get_session(). - store it away for later re-use - close the connection with SSL_shutdown() Then when I need to reconnect: - check that the connection goes to the same server - create a connection with SSL_new and set the fd with (SSL_set_fd()) - set the session with SSL_set_session() using the SSL_SESSION ref I looked up - do my read and write - store it away for later re-use - close the connection with SSL_shutdown() I hope that this is correct. As the Doco and help is really bad and scarce (Not blaming anyone, just a fact) I can not make hide nor hare of what I am supposed to do and NOT supposed to do. Maybe someone here can point me to a good reference somewhere. -- Gil Peeters BVBA CANCAS I.T. Willemsstraat 2 3000 Leuven Belgium JAVA and Distributed Object Specialists __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL_shutdown() ?
After calling SSL_shutdown() is it still nesc to close the underlying socket associated with the SSL Connection? Is it also nesc to free() the SSL stuct return from SSL_new() or is that done somewher in the shutdown? Thnaks in advance G. -- - Gil Peeters CANCAS I.T. (bvba) Willemsstraat 2 3000 Leuven, Belgium - JAVA and Distributed Object Specialists - __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL_shutdown() ?
Lutz Jaenicke wrote: > On Sun, Feb 04, 2001 at 06:12:39PM +0100, Gil Peeters wrote: > > After calling SSL_shutdown() is it still nesc to close the underlying > > socket associated with the SSL Connection? > > SSL_shutdown() will only send the close-alert to the peer and switch the > setting of the SSL to "shutdown mode". > It does not touch the underlying connection, so: yes, you have to close the > underlying socket connection yourself. So closing the socket will not hurt. Will this be a problem if I want to re-use the session??? i.e will closing the userlying socket cause problems when re-using the session info. > > > > Is it also nesc to free() the SSL stuct return from SSL_new() or is that > > done somewher in the shutdown? > Once you have called SSL_shutdown(), you can either free the SSL object > via SSL_free() (call SSL_new() to obtain a new one later) or call > SSL_clear() to reset the SSL object and make it ready for a new connection. I notice in the code for SSL_free that the SSL_SESSION is also freed. (call to SS_SESSIO_free). Will the SSL_SESSION still be 'cached' because I told the SSL_CTX to cahce client sessions? Thanks again. -- - Gil Peeters CANCAS I.T. (bvba) Willemsstraat 2 3000 Leuven, Belgium - JAVA and Distributed Object Specialists - __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
MITM Paper....
>> "Just like Kurt Seifert's paper describes >> MITM attacks that depend on user stupidity >> (ignoring warnings about CN not matching >> or expired or unknown CA)." Would anyone have a reference to this paper?? This is a point I have been trying to make to some "security" people where I am currently contracting. G. -- ======== Gil Peeters BVBA CANCAS I.T. Willemsstraat 2 3000 Leuven Belgium JAVA and Distributed Object Specialists __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: NAT + mod_ssl
I have a NetGear RT311 (Great box) which does it all... You do have to specify which internal IP address that incoming requests should go to. (i.e. if your OpenSSL server runs on pc with an internal (INTRANET) IP address 10.0.0.99, you need to configure requests oin port 443 to go to that machine) Grill. "Leland V. Lammert" wrote: > > At 11:01 AM 2/22/01 +0530, you wrote: > >Forgive my possible ignorance, but the common name of the certificate would > >have to match the NATed apparent address (A entry to the router's public IP) > >of the server, right ? > > > >Regards, > > > >Sandipan > > The CN is typically the site name, not IP, .. as such, as long as there is > an on-net IP to establish the session and the IP agrees with the DNS entry > the session can be established. > > The major sticking point is that the NAT box must be setup to: > > 1) Handle an 'inside' server. > 2) Proxy SSL requests on port 443. > > As someone else responded, many of the NAT boxes will do this, .. but I > have seen some that will not. > > Lee > > > Leland V. Lammert[EMAIL PROTECTED] >Chief Scientist Omnitec Corporation >Network/Internet Consultants www.omnitec.net > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] -- Gil Peeters BVBA CANCAS I.T. Willemsstraat 2 3000 Leuven Belgium JAVA and Distributed Object Specialists __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]