Thank you for such a quick reply. I agree that VPN sessions and SSL sessions are not necessarily the same. Let me be more specific with my question for a better discussion.
In an active OpenVPN session, at regular intervals, a full SSL handshake takes place (because the SSL session expires). I checked this by capturing packets with the "openvpn && ssl" filter.

In my implementation I don't want those regular full SSL negotiations to take place. It should ideally check if the SSL session key or the session context is present in the cache (or some storage place), and if it is present, then a full handshake should NOT take place. Instead, an abbreviated handshake should take place, which happens during TLS session resumption.

I am looking for changes in the code that can be made to do this task (as minimal as possible). I understand the use of SSL_OP_NO_TICKET by OpenVPN against the triple handshake vulnerability, but my project is really specific and wants some specific functionality, which includes Session Resumptions.

Thanks

On Fri, Feb 19, 2016 at 7:10 PM, Arne Schwabe <a...@rfc2549.org> wrote:

>
>
> On 19.02.16 at 14:32, Shubham Chauhan wrote:
> > Hello,
> >
> > I am currently working on a project that requires SSL VPN to use
> > session resumptions.
> >
> > I need to add the TLS Session Resumption functionality to OpenVPN. Any
> > starters as in how I could achieve this?
> > I know about the SSL_OP_NO_TICKET flag added to disable the resumption
> > process. Will deleting it from the code enable SSL resumption
> > automatically?
> >
> VPN session and SSL session are not necessarily the same. You can
> re-establish a VPN session with a new TLS session.
>
> I think OpenVPN will still insist on a full authentication in a new
> session, even with SSL_OP_NO_TICKET removed. I would have to check
> the code myself to be sure.
>
> Arne
>

--
Regards
Shubham Chauhan
2013099
B.Tech CSE