On 22/11/2018 11:15, Filipe Fernandes wrote: >> You seem to be confused, and have not explained your requirements >> clearly. What is your *goal*? > > My goal is to have the Openssl to "perform the TLS Resumption (initiated by the > Hello Request message from the server or > the Client Hello message from the client), in an ongoing TLS Session." (it's > specifically stated on the spec, like this). I think you need to get this spec clarified. It makes no sense. It seems to be describing renegotiation, but uses the term resumption for it which has a different meaning. A handshake occurs between a client and a server at the start of a connection and establishes the cryptographic parameters to be used for that connection (including certificates/keys etc). Resumption refers to a type of handshake. Resumptions handshakes are abbreviated forms of a full handshake. They are based on the parameters established during a previous connection. So for example a certificate is not exchanged because the same cert is used from the previous connection. Renegotiation refers to the process of starting a new handshake over an existing TLS connection between a client and a server. Typically the objective is usually either to update the keys, or to request a client certificate. Like any other handshake it may be a full one or a resumption one. Only a client can ever initiate a handshake. A server can *request* a renegotiation by sending a HelloRequest message, but the client does not have to honour it. A server cannot request a resumption. > >> What does "always on" mean to you? > > Always on, means that the socket connection is up for as long as it is possible, > meaning that the socket is not closed and it keeps exchanging information all > the time (server<->client) Resumption does not give you this. Renegotiation does. > >> Only clients can resume previous >> sessions, when reconnecting to a server. Is that what you're trying >> to do? (Implement a server with a session cache for client resumption? > > I'm developing the server side with OpenSSL 1.0.2. And it supports cache (I've > activated it on the method SSL_CTX_set_session_cache_mode). > >> Support session tickets? Is there just one server or a server "farm"? >> Do the clients support resumption?) > > There's only 1 server, not a farm. > > How can I tell if the client supports resumption? > > >> Or are you trying to periodically rekey a long-running connection? > > Maybe this is it. > > For me, Renegotiation is request "everything" (new pubkey, certificates, etc) A renegotiation is a new handshake over an existing connection. It may use a full handshake (certificates exchanged etc), or an abbreviated resumption handshake (e.g. doesn't exchange certificates again). Only the client gets to decide whether to attempt a resumption. > Resumption, is just to refresh the keys? I'm a little confused here. No. Resumption is an abbreviated handshake. It may be used at the start of a new connection or as part of a renegotiation handshake. In either case it is abbreviated because it is based on the parameters established during an earlier connection. Matt > >> >> Or something else? > > I think this is it :) > > > On Wed, 21 Nov 2018 at 23:12, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx > <mailto:openssl-users@xxxxxxxxxxxx>> wrote: > > On Wed, Nov 21, 2018 at 05:45:19PM +0000, Filipe Fernandes wrote: > > > I've followed your example, and it looks like the server is doing what it's > > supposed to, however, I'm getting a disconnect from the server when the > > session expires. Which should not happen, and I can't seem to find a reason > > for this to be happening. > > > > As previously said, I'm developing a server that handles always-on TLS > > connections, and I'm trying to perform a session resumption. > > I thought you wanted renegotiation, not resumption, servers can't > do "resumption", because resumption is what you do to avoid a full > handshake on a *new* connection, and only the client can reconnect. > > You seem to be confused, and have not explained your requirements > clearly. What is your *goal*? > > What does "always on" mean to you? Only clients can resume previous > sessions, when reconnecting to a server. Is that what you're trying > to do? (Implement a server with a session cache for client resumption? > Support session tickets? Is there just one server or a server "farm"? > Do the clients support resumption?) > > Or are you trying to periodically rekey a long-running connection? > > Or something else? > > -- > Viktor. > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
