Dear Viktor,
On Mon, Aug 14, 2023 at 5:52 PM Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
> On Thu, Aug 10, 2023 at 03:56:31PM +0000, Mohammad Zolfaghari wrote:
> > OpenSSL documentation explicitly says "SSL_set_session() is only
> > useful for TLS/SSL clients" while we are transferring the session on
> > the server side from one process to another. Do you still think
> > that using the session on the server side can prevent us from
> > duplicating the key agreement phase?
> The above is not very clear, but I'm guessing you're talking about TLS
> session resumption across processes. Yes, this is possible, by
> implementing external session cache callbacks (as e.g. in Postfix where
> multiple SMTP server processes consult a common session cache maintained
> by the tlsmgr(8) helper process).
> This requires the client to perform a second handshake, either over a
> new connection, or after performing a two-way TLS shutdown on the
> existing socket, and starting a fresh handshake, with, presumably at
> that point, the second server process.
> Note that in TLS 1.3 session resumption still in practice performs a DH
> key exchange in most cases; you just get to avoid signing the key
> exchange. You can, in principle, arrange to configure only psk_ke (and
> not psk_dhe_ke) on both ends, and then get a resumption without the cost
> of a fresh DH key exchange, but this only works with coöperating
> clients. Importantly, *all* clients then need to be happy to do psk_ke,
> or else you get handshake failures.
> You're wading into the deep end of the pool; perhaps you should stick
> with simpler solutions.
If it is the project I am thinking about (https://github.com/pgbouncer/pgbouncer/pull/894), it's not the case. The idea is that we have a long process on the server side that would be terminated in case of dropping the connection.
I believe that the proper solution is altering the server so the transaction here will be in the background and reconnection with some extra id of transaction will allow some sort of attaching to the process, but it also is not so simple.
SY, Dmitry Belyavsky