curl-library

RE: How do I enforce a new SSL Session ID at each connection establishment?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 11 Jul 2006 19:57:39 +0200 (CEST)

On Mon, 10 Jul 2006, Lewthwaite, Robert (Contractor) wrote:

> I am creating a service for a banking application. The service may be
> running for weeks. If the same session id is used for the whole period does
> this not make the ssl traffic more susceptible to being cracked by someone
> sniffing the traffic?

I guess, but it is the job of the server to not allow session (ids) longer
than a certain amount of time. Some texts I read on the topic say they
typically allow "a day".

> I thought that it is likely, so was planning to allow re-use of the
> session-id for a configurable number of times (to speed up the ssl
> negotiation times) and then force a new session to be generated. i.e. only
> allow session-id re-use 10 times then generate another session-id and take
> the performance hit.

If you want to do that, you need to add an option to allow libcurl to avoid
using the session id.

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2006-07-11
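
The reuse-N-times-then-renew policy discussed in this thread, as an added example that is not part of the original mail or of libcurl itself. The names `reuse_policy`, `policy_may_resume`, `fetch` and the `WITH_LIBCURL` macro are hypothetical; the sketch also adds an age limit (the "a day" figure above) and assumes the easy handle has no shared SSL session cache, so a new handle starts without a cached session.

```c
#include <time.h>

struct reuse_policy {
    unsigned max_reuses;   /* resumptions allowed per session, e.g. 10 */
    double   max_age_secs; /* upper bound on session lifetime, e.g. 86400 */
    unsigned reuses;       /* resumptions since the last full handshake */
    time_t   established;  /* time of the last full handshake, 0 = none yet */
};

/* Returns 1 if the next connection may resume the cached session,
 * 0 if a full handshake (new session id) must be forced. On 0 the
 * counters are reset, because the caller is about to start a new session. */
int policy_may_resume(struct reuse_policy *p, time_t now)
{
    int fresh = p->established == 0 ||
                p->reuses >= p->max_reuses ||
                difftime(now, p->established) >= p->max_age_secs;
    if (fresh) {
        p->reuses = 0;
        p->established = now;
        return 0;
    }
    p->reuses++;
    return 1;
}

#ifdef WITH_LIBCURL /* build with -DWITH_LIBCURL -lcurl */
#include <curl/curl.h>

/* Assumption: no share object with CURL_LOCK_DATA_SSL_SESSION is attached,
 * so replacing the easy handle also discards its cached TLS session. */
CURLcode fetch(CURL **h, struct reuse_policy *p, const char *url)
{
    int resume = policy_may_resume(p, time(NULL));
    if (!*h || !resume) {
        if (*h)
            curl_easy_cleanup(*h);
        *h = curl_easy_init();
        if (!*h)
            return CURLE_FAILED_INIT;
    }
    curl_easy_setopt(*h, CURLOPT_URL, url);
    /* Close the connection after each transfer so that the next
     * transfer really performs a TLS handshake (resumed or full). */
    curl_easy_setopt(*h, CURLOPT_FORBID_REUSE, 1L);
    return curl_easy_perform(*h);
}
#endif
```

libcurl 7.16.0 and later also provide `CURLOPT_SSL_SESSIONID_CACHE`, which disables session-ID caching on a handle when set to 0.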