Pete Chown <[EMAIL PROTECTED]> on 08/09/99 11:37:50
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Paul V Ford-Hutchinson/UK/IBM)
Subject: Re: Current location of SSL FTP client/server
Holger Reif wrote:
>> Volker Wiegand schrieb:
>> > Q1: Is the SSLftp-0.13.tar.gz package from the SSLeay mirrors still the
>> > right thing to use?
>>
>> AFAIK there is no "official way" for adding TLS to FTP.
>There is an expired Internet draft that describes this; see:
>http://www.consensus.com/ietf-tls/ietf-tls-home.html
>
>I think the problem is that it really isn't very pretty because you have
>to negotiate TLS separately for each socket involved in the FTP
>session. In a sense I suppose this is a weakness of TLS. One key
>negotiation ought to secure a complete session -- possibly including
>several sockets -- rather than just a single socket as at present.
>
>(This would also speed up https things a lot because you wouldn't have
>to do a public key step for every HTTP connection opened.)
As noted before - this draft is on version 04 and soon to be resubmitted as 05.
To quote from the draft (v 04):
"
It is quite reasonable for the server to insist that the data
connection uses a TLS cached session. This might be a cache of a
previous data connection or of the control connection. If this is
the reason for the refusal to allow the data transfer then the
522 reply should indicate this.
Note: this has an important impact on client design, but allows
servers to minimise the cycles used during TLS negotiation by
refusing to perform a full negotiation with a previously
authenticated client.
"
Now, I lost track of the ins and outs of TLS about 2 years ago, but I have
a sneaky feeling that some new session caching stuff makes this quite hard.
I think the session key changes per session, based on some computation of the
master secret. Is my memory broken, or is there something like that in TLS?
Cheers,
Paul
--
Paul Ford-Hutchinson : EMEA eCommerce application security :
[EMAIL PROTECTED]
OSU-1, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5YR +44 (0)1926 462005
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
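The draft excerpt above talks about the data connection reusing a TLS session cached from the control connection, and the closing question asks whether the per-connection keys are recomputed from the master secret. The following added example (written for this page, not code from the thread, the draft or OpenSSL) walks through the TLS 1.2 key schedule from RFC 5246 to show both halves: a full handshake derives a 48-byte master secret, a resumed session reuses that master secret, but the key block is expanded from the master secret plus the fresh client and server randoms of each connection, so the control and data connections end up with different record-layer keys even though only one public-key operation was performed. Key sizes for TLS_RSA_WITH_AES_128_CBC_SHA (20-byte MAC keys, 16-byte cipher keys, 16-byte IVs) and all random values are constructed assumptions for the demonstration.

```python
import hmac
import os

# Sizes for the assumed cipher suite TLS_RSA_WITH_AES_128_CBC_SHA (RFC 5246 appendix C).
MAC_KEY_LEN = 20
ENC_KEY_LEN = 16
IV_LEN = 16
KEY_BLOCK_LEN = 2 * (MAC_KEY_LEN + ENC_KEY_LEN + IV_LEN)  # 104 bytes


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5246 section 5, P_hash: HMAC(secret, A(1)+seed) + HMAC(secret, A(2)+seed) + ...
    where A(0) = seed and A(i) = HMAC(secret, A(i-1)). Output is truncated to `length`."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1. Only a full handshake computes this; a resumed session
    looks the 48-byte value up in the session cache instead."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def expand_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5246 section 6.3: key_block = PRF(master, "key expansion",
    server_random + client_random). Note the randoms are in the opposite order
    to the master-secret derivation. Performed on every connection, resumed or not."""
    block = prf(master, b"key expansion", server_random + client_random, KEY_BLOCK_LEN)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [MAC_KEY_LEN, MAC_KEY_LEN, ENC_KEY_LEN, ENC_KEY_LEN, IV_LEN, IV_LEN]
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def ftp_control_then_data(pre_master: bytes,
                          control_randoms: tuple, data_randoms: tuple) -> dict:
    """Constructed scenario: the FTP control connection does a full handshake,
    the data connection resumes that session (same master secret, fresh randoms).
    Returns the material both connections end up with so the caller can compare."""
    control_cr, control_sr = control_randoms
    data_cr, data_sr = data_randoms
    # Full handshake on the control connection: one public-key operation yields pre_master.
    ms = master_secret(pre_master, control_cr, control_sr)
    control_keys = expand_keys(ms, control_cr, control_sr)
    # Resumption on the data connection: the server finds `ms` in its cache keyed by
    # session ID, skips the key exchange, and both sides still send new randoms.
    data_keys = expand_keys(ms, data_cr, data_sr)
    return {"master_secret": ms, "control": control_keys, "data": data_keys}


if __name__ == "__main__":
    # Constructed randoms; a real handshake uses 32-byte ClientHello/ServerHello randoms.
    result = ftp_control_then_data(
        pre_master=os.urandom(48),
        control_randoms=(os.urandom(32), os.urandom(32)),
        data_randoms=(os.urandom(32), os.urandom(32)),
    )
    print("master secret shared by both connections:", result["master_secret"].hex())
    print("control client_write_key:", result["control"]["client_write_key"].hex())
    print("data    client_write_key:", result["data"]["client_write_key"].hex())
```

The practical consequence for the draft's design: a client that wants to satisfy a server which "insists that the data connection uses a TLS cached session" must keep the session ID and master secret from the control connection and offer that session ID in the data connection's ClientHello; the server then skips the RSA or DH step, but the record-layer keys it derives for the data connection are still unique to that connection because of the fresh randoms, which is why reusing a session does not mean reusing a key.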