[3656] in WWW Security List Archive
Re: SSL sessions across stateless http?
daemon@ATHENA.MIT.EDU (Roberto Galoppini)
Mon Dec 2 13:18:28 1996
Date: Mon, 02 Dec 1996 16:41:56 +0100
From: Roberto Galoppini <rgaloppini@tim.it>
Reply-To: rgaloppini@tim.it
To: steen.larsen@ed.nce.sita.int
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Steen Larsen wrote:
<snip>
> (Note: My comments are based on the March draft of The SSL Protocol,
> Version 3.0 - newer versions are available.
> Chapter 7.1 on page 10 talks about session and state)
>
> An SSL session is stateful. A session has a session ID which is
> an arbitrary byte sequence chosen by the server. The session ID
> is not a crypto key. A session also has a master secret which is
> the result of a key exchange (RSA, Diffie-Hellman or Fortezza).
>
> This was the session; for each session there may be several
> connections.
As far as I could see, the session id is sorted out when the two parties
exchange certificates that they then use to encrypt messages. As
somebody else wrote, "it's really just a performance thing",
and it can be renegotiated at any time (I ended up reading the SSL spec
just now, but an expert like Bellovin confirmed it).
BTW, does anybody know where to get a doc about "differences between SSL
v2 and v3"?
Roberto Galoppini
rgaloppini@tim.it
"no doubt, no knowledge"
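The session/connection split Steen quotes from the spec, as an added example that is not part of this thread: a Go program using crypto/tls (TLS 1.3, so a session ticket rather than an SSL 3.0 session ID carries the session) opens two connections that share one client session cache, and the second handshake resumes the first one's session. The localhost certificate, the echo server and the function names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// mustLocalhostCert builds a throwaway self-signed localhost certificate (constructed for this example) and its parsed form.
func mustLocalhostCert() (tls.Certificate, *x509.Certificate) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	parsed, _ := x509.ParseCertificate(der) // freshly encoded above, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, parsed
}

// SessionResumed runs a local TLS echo server, opens two client connections that
// share one session cache, and reports whether each connection resumed a session.
func SessionResumed() (bool, bool, error) {
	cert, parsed := mustLocalhostCert()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil { return false, false, err }
	defer ln.Close()
	go func() { // server side: echo one byte on each connection, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			b := make([]byte, 1); c.Read(b); c.Write(b); c.Close()
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(parsed) // trust exactly the server's own certificate, not InsecureSkipVerify
	// One Config holds one ClientSessionCache: the cache entry is the session, each Dial a connection.
	cfg := &tls.Config{ServerName: "localhost", RootCAs: pool, ClientSessionCache: tls.NewLRUClientSessionCache(4)}
	var resumed [2]bool
	for i := range resumed {
		c, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err != nil { return false, false, err }
		c.Write([]byte("x")) // the round trip makes the client read the server's post-handshake session ticket
		c.Read(make([]byte, 1))
		resumed[i] = c.ConnectionState().DidResume
		c.Close()
	}
	return resumed[0], resumed[1], nil
}
```

The first connection does a full handshake (DidResume false); the second reuses the cached session (DidResume true), which is the "several connections per session" the quoted text describes.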