On 20/06/2022 22:29, Rouzier, James wrote:
> Hi Matt, What would it take to expose this?
At the moment you can serialize an SSL_SESSION object - but this only helps during session resumption. So, using this capability, you could perform a resumption handshake on a different server to where the initial handshake occurred.
What you are talking about is moving an in-progress TLS connection from one server to another. This would require the whole SSL object to be serialized (or at least potentially we could get away with only certain fields - that would need to be investigated).
> Also would you accept a patch if we implement what’s missing?
In principle we would look at such a patch. However in practice my expectation is that this would be quite an invasive and extensive patch. It would be quite difficult to do and there are lots of moving parts in this area at the moment (for example consider PRs 18612 and 18132 which are doing some significant refactoring in libssl that will affect the layout and contents of the SSL object). I would not recommend implementing such a feature at the current time - I expect there to be further significant rework and updates going into libssl over the coming months.
Any such feature would only be accepted into the master branch (i.e. we wouldn't backport it to 3.0 or 1.1.1). Depending on the scale and how invasive it is, we might want to defer introducing something like that until the next major release.
Matt
Thank You
James

On 6/20/22, 10:13 AM, "Matt Caswell" <matt@xxxxxxxxxxx> wrote:

On 20/06/2022 15:11, Rouzier, James via openssl-users wrote:
> Hey Guys,
>
> Is it possible to serialize/deserialize an ongoing TLS session in any way?
>
> We are trying to create a stateless RADIUS server.
> Where we place multiple RADIUS servers behind a UDP load balancer.
> Each part of EAP-TLS process could hit a different server.
> The plan is to save the current state of the TLS handshake so that any
> server can pick up where the previous server left off.
> Is this possible with the current API of openssl?

No. This is currently not possible.

Matt