
curl-library

RE: How do I enforce a new SSL Session ID at each connection establishment?

From: Lewthwaite, Robert (Contractor) <robert.lewthwaite-eds_at_eds.com>
Date: Mon, 10 Jul 2006 09:25:00 +1000

I am creating a service for a banking application. The service may be running for weeks. If the same session ID is used for the whole period, does this not make the SSL traffic more susceptible to being cracked by someone sniffing the traffic?
 
I thought that it is likely, so I was planning to allow re-use of the session ID for a configurable number of times (to speed up the SSL negotiation times) and then force a new session to be generated, i.e. only allow session ID re-use 10 times, then generate another session ID and take the performance hit.
 
What do you suggest?
 
Regards
Rob Lewthwaite
EDS - AusADU
(07) 3024 4119

________________________________

From: curl-library-bounces_at_cool.haxx.se on behalf of Daniel Stenberg
Sent: Fri 07-Jul-06 5:48 PM
To: libcurl development
Subject: Re: How do I enforce a new SSL Session ID at each connection establishment?

On Thu, 6 Jul 2006, Lewthwaite, Robert (Contractor) wrote:

> Will curl_easy_setopt(g_curl, CURLOPT_FORBID_REUSE, TRUE); achieve this or
> is there something else required.

No, the reuse in this context is for connections, not session IDs. There's in
fact no option in libcurl to avoid using a session ID. Until now, nobody ever
asked for it and I still don't actually understand why you want to avoid it.

> I am writing a service client which sits in memory and takes requests to
> send and receive data via HTTPS and I wish to be able to configure it to
> reuse the SSL session id or create a new one each time it connects.

Then you need to add such an option to libcurl.

> It is not allowed to keep the connection open once the response has been
> processed.

Well, the connection of course has to get closed for the session ID to be
re-used.

> If reusing the SSL session ID is perceived as a risk I have to be able to
> disable it.

"If" being the keyword here. Who considers it to be a risk and why?

--
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
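The policy Rob proposes above (resume a cached SSL session a bounded number of times, then pay for a full handshake) can be driven from outside libcurl even without the option Daniel says does not exist. The following is an added example written for this archive page; it is not code from the thread or from the curl project. It assumes, as libcurl of that era does, that the SSL session cache lives in the easy handle, so calling curl_easy_cleanup() on the handle and creating a new one discards the cached session and the next connect negotiates a fresh one. The bookkeeping helper is plain C and runs stand-alone; the libcurl calls it would drive are shown in a comment, with the URL and handle names being placeholders. For context on why bounding the lifetime matters: in TLS 1.2 and earlier, a resumed session reuses the master secret (per-connection keys are rederived from it with fresh randoms), so the number of resumptions bounds how much traffic depends on one master secret.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread or the curl project.
 * Policy: resume a cached TLS session at most max_reuse times, then
 * force a full handshake by discarding the easy handle (assumption:
 * libcurl keeps the session cache per easy handle). */

struct session_policy {
    unsigned max_reuse;   /* resumptions allowed per session */
    unsigned resumed;     /* resumptions already done on the current session */
    int have_session;     /* 0 until the first full handshake has happened */
};

void policy_init(struct session_policy *p, unsigned max_reuse)
{
    memset(p, 0, sizeof *p);
    p->max_reuse = max_reuse;
}

/* Call once before each connection.  Returns 1 when the caller must start
 * a fresh session (first connection, or reuse budget exhausted), 0 when
 * resuming the cached session is still within policy. */
int policy_next_connection(struct session_policy *p)
{
    if (!p->have_session || p->resumed >= p->max_reuse) {
        p->have_session = 1;
        p->resumed = 0;
        return 1;
    }
    p->resumed++;
    return 0;
}

/* Dry run of the policy over n_connections.  Returns how many of them are
 * full handshakes; if sched is non-NULL, sched[i] receives the verdict for
 * connection i (1 = new session, 0 = resume). */
unsigned policy_simulate(unsigned max_reuse, unsigned n_connections, int *sched)
{
    struct session_policy p;
    unsigned i, full = 0;
    policy_init(&p, max_reuse);
    for (i = 0; i < n_connections; i++) {
        int fresh = policy_next_connection(&p);
        if (sched)
            sched[i] = fresh;
        full += (unsigned)fresh;
    }
    return full;
}

/* How the verdict is applied in the long-running service (libcurl calls
 * left as a comment, since this block is compiled without libcurl;
 * "h", "pol" and "url" are placeholder names):
 *
 *   if (policy_next_connection(&pol)) {
 *       if (h) curl_easy_cleanup(h);        // drops this handle's session cache
 *       h = curl_easy_init();
 *       curl_easy_setopt(h, CURLOPT_URL, url);
 *       curl_easy_setopt(h, CURLOPT_FORBID_REUSE, 1L);  // close after each response
 *   }
 *   res = curl_easy_perform(h);  // full handshake on a new handle, resumption otherwise
 *
 * CURLOPT_FORBID_REUSE only closes the TCP connection after the transfer,
 * which is exactly what Daniel says is needed before a session ID can be
 * resumed; it does not touch the session cache. */

int main(void)
{
    int sched[24];
    unsigned i, full = policy_simulate(10, 24, sched);
    printf("24 connections, max 10 resumptions per session: %u full handshakes\n", full);
    for (i = 0; i < 24; i++)
        printf("connection %2u: %s\n", i + 1, sched[i] ? "new session" : "resume");
    return 0;
}
```

With max_reuse set to 10, connections 1, 12 and 23 do a full handshake and the other 21 resume, so "10 reuses" costs one extra handshake per 11 connections, not per 10. Later libcurl releases (7.16.0 onwards) added CURLOPT_SSL_SESSIONID_CACHE, which switches the cache off for a handle; with it, the same counter can set the option to 0L for the connection that must start fresh instead of recreating the handle.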

Received on 2006-07-10