RE: [squid-users] client auth with SSL certificate

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 4 Mar 2004 07:45:56 +0100 (CET)

On Thu, 4 Mar 2004, David Hajek wrote:

> Well, it seems that correct session handling in SSL is not easy. It
> seems that 255 sessions are cached for each SSL_CTX by default, even if
> the session_id_context is not set. That's probably why mozilla
> complains. So I think we have two options here:

All the versions used in development allow caching for far more than 255
sessions, and the documentation says that the session id context is only
required for using offline caching. There is automatic session maintenance
every 255 connections, but removal is based on expiry, not number.

My guess what happens is that the version of Mozilla used blindly assumes
there is a session id context, and as a result its session resumption
messages are "odd". To get a better understanding of what Mozilla does
that causes it to fail please use ssldump.

> 1/ Disable SSL session caching by calling SSL_CTX_set_session_cache_mode (
> SSL_SESS_CACHE_OFF )

You certainly do not want to forcibly disable the session cache as this
cache is required for session resumption. If you disable this there will
be an RSA handshake on each new connection.

Having an option to disable session resumption is good however in
situations where you are short on memory.

> 2/ Enable internal OpenSSL session caching by calling
> SSL_CTX_set_session_id_context().

My understanding is that this is only required when using an external
session cache, which Squid is not.

> But then it seems we have to (manually) add each session to the internal
> OpenSSL cache by calling SSL_CTX_add_session( ).

My understanding is that this should only be required if you also disable
the automatic caching by calling SSL_CTX_set_session_cache_mode.

Which versions of Mozilla and OpenSSL are you using?

Regards
Henrik
Received on Wed Mar 03 2004 - 23:45:59 MST
