On Sun, Nov 21, 2004 at 04:03:20PM +0200, victor sherbinin wrote:
> >
> > I'm wondering whether generation of SSL session ID has to be based on
> > random numbers. In my system, it would be more comfortable for me to
> > generate a sequentially incrementing 64-bit or 128-bit session ID, with
> > some constant padding. Does this violate the security of SSL in any way?
No, it does not violate security. In fact, as of OpenSSL 0.9.7 an API
has been introduced to allow the application (server side) to choose
the session ID:
man SSL_CTX_set_generate_session_id
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
