"Varga, Jack" <[EMAIL PROTECTED]> writes:
> Is the session_id resident in each ssl application
> data packet or just in the handshake packets? If so,
> is it always in the clear (i.e., not encrypted)?

No, it's only in the ServerHello and (if resumption is being used) in
the ClientHello. However, you can't count on it being in the
ClientHello because if the server rejects the resumed session then the
ServerHello will contain the new session ID and it won't match the one
in the ClientHello.

In general the session ID won't be encrypted. The one exception is if
you're renegotiating over an existing connection (e.g. if the server
sends a HelloRequest then the entire handshake will be encrypted).

-Ekr
[Eric Rescorla [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
http://www.rtfm.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
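
Added example, not part of the original e-mail: a passive parser that pulls the session ID out of cleartext ClientHello and ServerHello records and compares the two to tell whether the server accepted the resumption. It assumes the SSLv3 through TLS 1.2 Hello layout and an unfragmented Hello at the start of the record; the function names and sample records are constructed for illustration.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2

def hello_session_id(record: bytes):
    """Return (msg_type, session_id) from a cleartext Hello record, else None."""
    if len(record) < 5:
        return None
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    # Application data (type 23) and other record types carry no session ID.
    if ctype != HANDSHAKE or len(body) != rlen or rlen < 4:
        return None
    msg_type, msg_len = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    # A renegotiation handshake is ciphertext, so these sanity checks
    # normally fail and the record is skipped.
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO) or len(msg) != msg_len:
        return None
    # Both Hellos start: version(2) | random(32) | sid_len(1) | session_id
    if len(msg) < 35 or msg[34] > 32 or len(msg) < 35 + msg[34]:
        return None
    return msg_type, msg[35:35 + msg[34]]

def resumption_accepted(client_record: bytes, server_record: bytes):
    """True if the ServerHello echoes the ClientHello's non-empty session ID."""
    c, s = hello_session_id(client_record), hello_session_id(server_record)
    if not c or not s or c[0] != CLIENT_HELLO or s[0] != SERVER_HELLO:
        return None
    return len(c[1]) > 0 and c[1] == s[1]

def build_hello(msg_type: int, sid: bytes, tail: bytes) -> bytes:
    """Construct a sample Hello record (test data only, zeroed random)."""
    msg = b"\x03\x01" + bytes(32) + bytes([len(sid)]) + sid + tail
    hs = bytes([msg_type]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs

# Constructed samples: the client offers OLD_ID; one server accepts, one refuses.
OLD_ID, NEW_ID = bytes(range(32)), bytes(range(32, 64))
CH = build_hello(CLIENT_HELLO, OLD_ID, b"\x00\x02\x00\x2f\x01\x00")
SH_RESUMED = build_hello(SERVER_HELLO, OLD_ID, b"\x00\x2f\x00")
SH_FRESH = build_hello(SERVER_HELLO, NEW_ID, b"\x00\x2f\x00")
APP_DATA = b"\x17\x03\x01\x00\x05hello"

if __name__ == "__main__":
    print(resumption_accepted(CH, SH_RESUMED), resumption_accepted(CH, SH_FRESH))
    print(hello_session_id(APP_DATA))
```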