On Mon, Jan 15, 2001 at 03:12:14PM -0700, Varga, Jack wrote:
> Testing my understanding here...
> 
> Assuming session resumption is enabled on SSL server, 
> can a resumed session have a new client source IP and port?  
> 
> I believe I read somewhere, (EKR), that SSL assumes spoofed 
> source info, suggesting as long as...
> 
> 1.  C and S PreMasterSecrets remain the same
> 2.  Client maintains ssl_session_id
> 3.  Server does not drop session info
> 
> ... a session can be resumed, even if src info (ip:port)
> has changed. 

There is no relation whatsoever between the transport channel (TCP, hosts,
ports or whatever) and the TLS protocol (being transported in the channel).
The case you are describing is not uncommon. I have a dialup provider that
will give me a dynamic (and hence changing) IP number whenever I build up
a new connection. That does not stop me from re-using my TLS-sessions.

Remark: the default timeout of SSL sessions in OpenSSL and in several
OpenSSL based WWW-servers like mod_ssl is 300s=5min, so you have to switch
your IPs fast :-). My Postfix/TLS extension for the Postfix-MTA defaults
to 3600s=1h, so that this situation occurs more often.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
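To illustrate the two points above (resumption is keyed on the session id alone, and the cache timeout decides whether a resume is honoured), here is an added model of a server-side session cache. It is example code, not OpenSSL's, mod_ssl's or the Postfix/TLS patch's own implementation; the class and function names, the secrets and the addresses are constructed for the example.

```python
import os
from dataclasses import dataclass, field

# Constructed model of a server-side TLS session cache. Lookups use only the
# session id; the client's ip:port is accepted but never consulted. The
# timeout follows the defaults named in the mail: 300 s (OpenSSL, mod_ssl)
# and 3600 s (Postfix/TLS).

@dataclass
class SessionCache:
    timeout: float = 300.0                        # seconds, OpenSSL default
    _entries: dict = field(default_factory=dict)  # session_id -> (master, created)

    def new_session(self, master_secret: bytes, now: float) -> bytes:
        """Full handshake done: store the master secret under a fresh id."""
        session_id = os.urandom(32)
        self._entries[session_id] = (master_secret, now)
        return session_id

    def resume(self, session_id: bytes, client_addr: tuple, now: float):
        """Abbreviated handshake: returns the master secret, or None if the
        id is unknown or the entry has outlived the cache timeout."""
        entry = self._entries.get(session_id)
        if entry is None:
            return None
        master_secret, created = entry
        if now - created > self.timeout:
            del self._entries[session_id]         # expired: force a full handshake
            return None
        return master_secret

def dialup_scenario(timeout: float, gap: float) -> bool:
    """Client completes a full handshake, reconnects from a new ip:port
    (dialup re-dial) and tries to resume `gap` seconds later.
    Returns True if the server honoured the resumption."""
    cache = SessionCache(timeout=timeout)
    t0 = 1000.0
    master = os.urandom(48)
    sid = cache.new_session(master, now=t0)                   # first dialup, e.g. ("198.51.100.7", 40001)
    resumed = cache.resume(sid, ("203.0.113.42", 51234), now=t0 + gap)  # new address
    return resumed == master

if __name__ == "__main__":
    print(dialup_scenario(300.0, 120.0))   # True: new ip:port, still within 5 min
    print(dialup_scenario(300.0, 900.0))   # False: 300 s cache entry has expired
    print(dialup_scenario(3600.0, 900.0))  # True: the 1 h timeout keeps it alive
```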
