> On 10 Aug 2023, at 10:49 am, Tomas Mraz <tomas@xxxxxxxxxxx> wrote:
>
> I assume, if these server processes work in sequence, i.e. one does its
> work and only then it hands over the processing to the second process
> it should be possible to do it actually.
>
> You would use two separate SSL connections over the same socket - that
> is possible. You could also use the SSL_SESSION object from the first
> SSL connection within the second process to avoid another full
> handshake as SSL_SESSIONs can be serialized.

Or derive an explicit (non-resumption) PSK over the first connection, and require its use in the second. A sort of authenticated mandatory resumption that "channel-binds" the two handshakes.

> The first SSL connection must be cleanly terminated by the client/first
> server before you can proceed establishing the second SSL connection.

Right, and the underlying second can be moved via file-descriptor passing after the full two-way TLS shutdown.

Without channel binding the two SSL handshakes, in principle an MiTM could take over the TCP connection right after the bidirectional shutdown, and perform a handshake that "takes over" the rest of the communication. The second SSL handshake still needs some sort of authentication or channel-binding.

Of course this does mean that the client has to expect and participate in the connection transfer.

--
Viktor.
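The channel-binding idea from the reply above, as an added illustration that is not code from the thread or from OpenSSL: derive a non-resumption PSK from the first connection's TLS 1.3 exporter (RFC 8446 section 7.5, the derivation behind SSL_export_keying_material for TLS 1.3) and have the second handshake over the same socket succeed only for a peer that can present it. The exporter label is a hypothetical private-use name, and the exporter_master_secret values are constructed test inputs rather than output of a real handshake.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, i = b"", b"", 0
    while len(out) < length:
        i += 1
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        out += block
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1): HkdfLabel = length || "tls13 " + label || context."""
    full = b"tls13 " + label.encode()
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)


def tls13_exporter(exporter_master_secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """TLS-Exporter (RFC 8446 section 7.5): Derive-Secret(ems, label, "") followed by
    HKDF-Expand-Label(..., "exporter", Hash(context_value), key_length)."""
    secret = hkdf_expand_label(exporter_master_secret, label, HASH(b"").digest(), HLEN)
    return hkdf_expand_label(secret, "exporter", HASH(context).digest(), length)


# Hypothetical private-use exporter label (RFC 5705 reserves the "EXPERIMENTAL" prefix for this).
BINDING_LABEL = "EXPERIMENTAL second-handshake-psk"
PSK_LEN = 32


def binding_psk(first_connection_ems: bytes) -> bytes:
    """PSK both ends derive from the first connection; nothing on the wire reveals it."""
    return tls13_exporter(first_connection_ems, BINDING_LABEL, b"", PSK_LEN)


def server_accepts_second_handshake(server_first_ems: bytes, offered_psk: bytes) -> bool:
    """The second server (which received the first connection's exporter secret along with
    the file descriptor, an assumption of this model) accepts the second handshake only if
    the peer presents the bound PSK. A party that merely hijacks the TCP stream after the
    bidirectional TLS shutdown never saw the first connection's secrets and fails here."""
    return hmac.compare_digest(binding_psk(server_first_ems), offered_psk)
```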