[3645] in WWW Security List Archive
Re: SSL sessions across stateless http?
daemon@ATHENA.MIT.EDU (Steen Larsen)
Fri Nov 29 11:27:14 1996
Date: Fri, 29 Nov 1996 14:26:27 +0100
From: Steen Larsen <steen.larsen@ed.nce.sita.int>
Reply-To: steen.larsen@ed.nce.sita.int
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Darren Cook wrote:
> >An SSL session is stateful. A session has a session ID which is
> >an arbitrary byte sequence chosen by the server. The session ID
> >is not a crypto key. A session also has a master secret which is
> >the result of a key exchange (RSA, Diffie-Hellman or Fortezza)
> >...
> >to do strange hacks on top of SSL. Now you just have
> >to work out how you can extract the SSL session ID and maybe
> >the SSL connection "server random" on your server script.
> >
> AFAIK, there are only 3 extra environment variables used by SSL:
>
> HTTPS: Set on or off based on whether security is active.
> HTTPS_KEYSIZE: Contains number of bits in key used to encrypt data.
> HTTPS_SECRETKEYSIZE: Contains number of bits in server's private key.
>
> So, does anyone know if it is possible for a cgi program to find out the
> session ID?

I guess it depends on the WWW server. A quick look at the MS IIS 2.0
docs didn't reveal anything. I also had a quick look at the Apache SSL
patches, no session ID either :-( With the Apache patches you at
least have the possibility to modify the sources to add an HTTPS_SID
variable.

Does anybody know an SSL WWW server that reveals the SSL session ID
to CGI scripts?

Best regards
Steen
--
Steen Koefoed Larsen <steen.larsen@ed.nce.sita.int>
Disclaimer: This letter may contain pure garbage that differs
from the opinion of myself and the companies I work for.
SITA -- Societe Internationale de Telecommunications Aeronautiqes
R & D Nice, Heraklion - 1041 Route des Dolines, F-06560 Valbonne
Phone: +33 4 92.96.63.67, Fax: +33 4 92.96.64.92, SITATEX: NCEEMXS
E-mail@home: steenkl@dircon.co.uk, GSM Mobile: +45 40512486
*** Syntax? Why not - they tax everything else! ***
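
Added example, not part of the original message or of any server's code: a Python CGI-side handler that carries state across stateless HTTP requests by keying it on the SSL session ID, as the thread proposes. `HTTPS_SID` is the hypothetical variable named in the reply; its hex encoding, the function names and the in-memory store are assumptions.

```python
import string

# HTTPS is one of the variables listed in the quoted message.
# HTTPS_SID is the hypothetical variable from the reply (assumed hex-encoded).
SID_VAR = "HTTPS_SID"
MAX_SID_HEX = 64  # SSL 3.0 session IDs are at most 32 bytes


class NoSslSession(Exception):
    """The request cannot be tied to an SSL session."""


def ssl_session_key(environ):
    """Return the normalized SSL session ID from a CGI environment."""
    if environ.get("HTTPS", "off").lower() != "on":
        raise NoSslSession("request did not arrive over SSL")
    sid = environ.get(SID_VAR, "").strip().lower()
    if not sid:
        # The case found in the reply: the server exports no session ID.
        raise NoSslSession("server does not export " + SID_VAR)
    is_hex = all(c in string.hexdigits for c in sid)
    if not is_hex or len(sid) % 2 or len(sid) > MAX_SID_HEX:
        raise NoSslSession("malformed session ID")
    return sid


def handle_request(environ, store):
    """Count requests per SSL session; `store` maps session ID -> state."""
    sid = ssl_session_key(environ)
    state = store.setdefault(sid, {"hits": 0})
    state["hits"] += 1
    return state["hits"]


if __name__ == "__main__":
    # Constructed sample environments, not captured from a real server.
    store = {}  # stand-in; a real CGI process needs a file or database
    alice = {"HTTPS": "on", SID_VAR: "A1B2C3D4"}
    bob = {"HTTPS": "on", SID_VAR: "0f0e0d0c"}
    for env in (alice, bob, alice):
        print(env[SID_VAR], handle_request(env, store))
    try:
        handle_request({"HTTPS": "on"}, store)
    except NoSslSession as err:
        print("rejected:", err)
```

A new SSL session (for example after the server's session cache entry expires) gets a new ID, so state keyed this way starts over at that point.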