[5116] in cryptography@c2.net mail archive


Re: Clear Session ID in SSLV3

daemon@ATHENA.MIT.EDU (Eric Young)
Fri Jul 16 11:52:23 1999

Date: Fri, 16 Jul 1999 18:09:21 +1000
From: Eric Young <eay@pobox.com>
To: "Marcus J. Ranum" <mjr@nfr.net>
Cc: cryptography@c2.net

"Marcus J. Ranum" wrote:
> 
> Does anyone have a pointer to why the session ID in SSLV3 is
> in the clear, rather than encrypted? I'm sure there's a good
> reason for it (audit? logging? other...?)  but I'm trying to
> pin down exactly why it was done that way. Can anyone point
> me in the right direction?

Because it is sent in the first message from the client
to the server.  It is intended to short circuit the
SSL protocol handshake and reduce the number of messages
exchanged.

Since the client and server don't have a known shared secret yet,
we cannot encrypt the session-id.

eric
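The mechanism Eric describes, as an added illustration that is not part of the original thread and not SSLeay or OpenSSL code: a toy model of the SSLv3 message flow showing that the session ID rides in the very first message, ClientHello, at a point where neither side holds any shared secret, and that a server which recognises the ID can skip the certificate and key exchange steps. The message set is simplified, the SHA-256 derivation and the Finished computation are stand-ins for the real SSLv3 functions, and all names and the in-memory session cache are assumptions made for this example.

```python
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str        # "client" or "server"
    name: str          # handshake message type
    fields: dict       # message contents (simplified)
    encrypted: bool    # True once the record is protected by session keys


@dataclass
class Server:
    # Server-side session cache: session ID -> master secret (constructed, in-memory)
    cache: dict = field(default_factory=dict)


def _derive_master(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Stand-in for SSLv3's MD5/SHA-1 master secret derivation (assumption, not the real one).
    return hashlib.sha256(pre_master + client_random + server_random).digest()


def _finished(master: bytes, transcript: list) -> bytes:
    # Stand-in for the Finished verify_data: binds the master secret to what was exchanged.
    names = "|".join(f"{m.sender}:{m.name}" for m in transcript).encode()
    return hashlib.sha256(master + names).digest()


def handshake(server: Server, client_session_id: bytes = b""):
    """Run one SSLv3-style handshake. Returns (transcript, session_id, master_secret, resumed)."""
    transcript = []
    client_random = os.urandom(32)
    server_random = os.urandom(32)

    # ClientHello is the first thing on the wire. No shared secret exists yet, so it,
    # and the session ID it carries when the client asks to resume, is necessarily plaintext.
    transcript.append(Message("client", "ClientHello",
                              {"random": client_random, "session_id": client_session_id}, False))

    if client_session_id and client_session_id in server.cache:
        # Abbreviated handshake: the server recognises the ID and both sides reuse the
        # cached master secret, skipping Certificate and ClientKeyExchange entirely.
        master = server.cache[client_session_id]
        session_id = client_session_id
        transcript.append(Message("server", "ServerHello",
                                  {"random": server_random, "session_id": session_id}, False))
        transcript.append(Message("server", "ChangeCipherSpec", {}, False))
        transcript.append(Message("server", "Finished", {"verify": _finished(master, transcript)}, True))
        transcript.append(Message("client", "ChangeCipherSpec", {}, False))
        transcript.append(Message("client", "Finished", {"verify": _finished(master, transcript)}, True))
        return transcript, session_id, master, True

    # Full handshake: unknown (or empty) session ID, so the server issues a fresh one.
    session_id = os.urandom(32)
    transcript.append(Message("server", "ServerHello",
                              {"random": server_random, "session_id": session_id}, False))
    transcript.append(Message("server", "Certificate", {"cert": b"<server certificate>"}, False))
    transcript.append(Message("server", "ServerHelloDone", {}, False))
    pre_master = os.urandom(48)
    # The pre-master secret travels under the server's public key, but the record itself
    # is not yet protected by session keys, since those are derived only after this step.
    transcript.append(Message("client", "ClientKeyExchange",
                              {"pre_master_under_server_pubkey": b"<RSA-encrypted>"}, False))
    master = _derive_master(pre_master, client_random, server_random)
    server.cache[session_id] = master  # cached so a later ClientHello can resume it
    transcript.append(Message("client", "ChangeCipherSpec", {}, False))
    transcript.append(Message("client", "Finished", {"verify": _finished(master, transcript)}, True))
    transcript.append(Message("server", "ChangeCipherSpec", {}, False))
    transcript.append(Message("server", "Finished", {"verify": _finished(master, transcript)}, True))
    return transcript, session_id, master, False


def visible_session_ids(transcript: list) -> list:
    """Session IDs a passive observer can read from unencrypted records."""
    return [m.fields["session_id"] for m in transcript
            if not m.encrypted and "session_id" in m.fields]


if __name__ == "__main__":
    srv = Server()
    full, sid, master1, resumed = handshake(srv)
    short, sid2, master2, resumed2 = handshake(srv, client_session_id=sid)
    print(f"full handshake: {len(full)} messages, resumed={resumed}")
    print(f"resumed handshake: {len(short)} messages, resumed={resumed2}, "
          f"same master={master1 == master2}")
    print("session IDs readable on the wire during resumption:",
          [s.hex()[:8] for s in visible_session_ids(short)])
```

Running it shows the full exchange at nine messages and the resumed one at six, with the same master secret on both sides; `visible_session_ids` makes the consequence of Eric's point concrete: both the ClientHello and ServerHello records expose the ID, so anyone watching the wire can see which connections belong to the same session even though the application data itself is protected.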
