[3641] in WWW Security List Archive
Re: SSL sessions across stateless http?
daemon@ATHENA.MIT.EDU (Darren Cook)
Thu Nov 28 08:30:58 1996
To: www-security@ns2.rutgers.edu
From: darren@factcomm.co.jp (Darren Cook)
Date: Thu, 28 Nov 1996 19:16:07 +0900
Errors-To: owner-www-security@ns2.rutgers.edu
>An SSL session is stateful. A session has a session ID which is
>an arbitrary byte sequence chosen by the server. The session ID
>is not a crypto key. A session also has a master secret which is
>the result of a key exchange (RSA, Diffie-Hellman or Fortezza)
>...
>to do strange hacks on top of SSL. Now you just have
>to work out how you can extract the SSL session ID and maybe
>the SSL connection "server random" on your server script.
>
AFAIK, there are only 3 extra environment variables used by SSL:

  HTTPS: Set on or off based on whether security is active.
  HTTPS_KEYSIZE: Contains number of bits in key used to encrypt data.
  HTTPS_SECRETKEYSIZE: Contains number of bits in server's private key.

So, does anyone know if it is possible for a cgi program to find out the
session ID?

Darren
(I'm new to this list - be gentle with me :-).
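
One way to check what a given server actually hands to a CGI program, as an added example that is not part of the original post: the script reads the three variables listed above and looks for a session-ID variable. The name SSL_SESSION_ID is an assumption taken from Apache mod_ssl (set with "SSLOptions +StdEnvVars"); the server discussed in this thread may use another name or none.

```python
#!/usr/bin/env python3
"""CGI probe: which SSL details does the web server hand to a script?"""
import os

# The three variables listed in the post.
POST_VARS = ("HTTPS", "HTTPS_KEYSIZE", "HTTPS_SECRETKEYSIZE")
# Assumption: SSL_SESSION_ID is the name Apache mod_ssl uses when
# "SSLOptions +StdEnvVars" is set; other servers may use another name or none.
SESSION_ID_CANDIDATES = ("SSL_SESSION_ID",)


def _bits(value):
    """Parse a key-size variable; None when absent or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def probe_ssl_env(environ):
    """Summarise the SSL-related part of a CGI environment."""
    ssl_on = environ.get("HTTPS", "").strip().lower() == "on"
    sid_var = next((n for n in SESSION_ID_CANDIDATES if environ.get(n)), None)
    known = set(POST_VARS) | set(SESSION_ID_CANDIDATES)
    return {
        "ssl_active": ssl_on,
        "keysize": _bits(environ.get("HTTPS_KEYSIZE")),
        "secretkeysize": _bits(environ.get("HTTPS_SECRETKEYSIZE")),
        # Only trust a session ID when the request really arrived over SSL.
        "session_id_var": sid_var if ssl_on else None,
        # Anything else SSL-looking, so an undocumented variable is noticed.
        "other_ssl_vars": sorted(
            k for k in environ
            if k.startswith(("HTTPS_", "SSL_")) and k not in known),
    }


def render(report):
    """Plain-text CGI response; reports names only, never the ID itself."""
    lines = ["Content-Type: text/plain", ""]
    lines += [f"{key}: {value}" for key, value in report.items()]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(render(probe_ssl_env(os.environ)), end="")
```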