
Re: [TLS] SSL session caching & lookups



If you have several servers with DNS load balancing, are the sessions  
actually synchronized between the servers?  Can you set up a session  
with server A and then resume it on B?

If the answer is no, then it makes sense to consider server IP. If the  
answer is yes, it doesn't.

I would like to point out two things, however:

1. Trying to resume a session is essentially non-cost to the client, so  
why not attempt to resume all the time, even if only the DNS name  
matches?

2. Clients tend to cache DNS results, so even if you have DNS load  
balancing, a client will usually go to the same IP address again and  
again. If you have some other kind of load balancing that keeps a  
constant IP address, then you might have this problem.

On Feb 1, 2008, at 4:30 AM, Nagendra Modadugu wrote:

> I'd like to get some implementation advice about a matter that is not
> covered in the spec.
>
> NSS clients currently only attempt to resume a session if the
> following fields match:
> * server IP
> * server Port
> * session ID
> * server hostname
>
> Looking up sessions in this manner means that dns-load-balancing
> breaks SSL resumes.  Is there a case for checking server IP and port?
>
> nagendra

_______________________________________________
TLS mailing list
TLS@xxxxxxxx
http://www.ietf.org/mailman/listinfo/tls
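The cache-keying question in this thread, as an added example that is not NSS code and not from either poster: a toy client-side session cache that can be keyed with or without the server IP, run against a simulated DNS round-robin, with a switch for the client reusing its cached DNS answer (point 2 above). The hostname, addresses and connection counts are constructed.

```python
from dataclasses import dataclass


@dataclass
class Session:
    session_id: bytes
    hostname: str
    port: int
    server_ip: str


class SessionCache:
    """Client-side TLS session cache. key_on_ip=True mimics a lookup that
    requires server IP, port and hostname to match; False keys on
    (hostname, port) only. The hostname is always part of the key: the
    session was authenticated against a certificate for that name."""

    def __init__(self, key_on_ip: bool):
        self.key_on_ip = key_on_ip
        self._store = {}

    def _key(self, hostname, port, server_ip):
        return (hostname, port, server_ip) if self.key_on_ip else (hostname, port)

    def store(self, sess: Session):
        self._store[self._key(sess.hostname, sess.port, sess.server_ip)] = sess

    def lookup(self, hostname, port, server_ip):
        return self._store.get(self._key(hostname, port, server_ip))


def simulate(key_on_ip, resolved_ips, n_connects, client_caches_dns=False):
    """Connect n_connects times to one name behind a DNS round-robin over
    resolved_ips (assumes the servers share a session store, so a ticket
    from A is valid at B). Returns how many connections could offer a
    cached session instead of doing a full handshake."""
    cache = SessionCache(key_on_ip)
    resumes = 0
    for i in range(n_connects):
        # A client that caches the DNS answer keeps hitting the first IP.
        ip = resolved_ips[0] if client_caches_dns else resolved_ips[i % len(resolved_ips)]
        if cache.lookup("example.com", 443, ip) is not None:
            resumes += 1
        else:
            cache.store(Session(bytes([i]), "example.com", 443, ip))
    return resumes


if __name__ == "__main__":
    ips = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]  # constructed addresses
    print("IP in key, rotating DNS:", simulate(True, ips, 6))
    print("name only, rotating DNS:", simulate(False, ips, 6))
    print("IP in key, client caches DNS:", simulate(True, ips, 6, True))
```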