How to resume an SSL session with SslStream


Azrael

Hi,

I have an SslStream and I want to resume the SSL session for another
connection to this server. How can I do this? I haven't found any clues
for it in SslStream; perhaps NegotiateStream could provide me something,
but I can't find any examples for it.
I'd appreciate any help or clues that would bring me any further.


Thanks in advance.
Azrael
 
I can't remember the specifics of this, but SSL session reuse is enabled by
default in the framework for active or failed SslStreams, but only if the
remote server supports it and the request for session reuse occurs within
the time boundaries set by the remote server.

On IIS I think you still have to set the servercachetime value for this to
work, and it depends on the operating system hosting the web server, but I
could be very wrong. You'd get a better answer in one of the IIS groups
(assuming you're connecting to an IIS server). Perhaps a fish about for
servercachetime on one of the search engines would help you.
 
John said:
I can't remember the specifics of this, but SSL session reuse is enabled by
default in the framework for active or failed SslStreams, but only if the
remote server supports it and the request for session reuse occurs within
the time boundaries set by the remote server.

On IIS I think you still have to set the servercachetime value for this to
work, and it depends on the operating system hosting the web server, but I
could be very wrong. You'd get a better answer in one of the IIS groups
(assuming you're connecting to an IIS server). Perhaps a fish about for
servercachetime on one of the search engines would help you.

I don't reuse an SSL session, but I connect to an FTP server and, while
connected to it, I have to use the same SSL session for the
data connection. I tried now to use that cache by connecting to the same
server with a new instance of the SslStream, but no connection got
established. I will have to explicitly let it reuse the already
established SSL session.
 
What I was trying to say is that the framework will always try and reuse an
SSL session; if your FTP server doesn't support session caching then it
won't allow you to reuse the same session under any circumstances.

Pretty sure you cannot use the cache with a new instance of a stream, as the
SSL protocol would see this as a session hijack attempt, and as I said you
could only use an established SSL session if the remote server is set for
SSL caching; otherwise a new session will be established.
 
John said:
What I was trying to say is that the framework will always try and reuse an
SSL session; if your FTP server doesn't support session caching then it
won't allow you to reuse the same session under any circumstances.

Pretty sure you cannot use the cache with a new instance of a stream, as the
SSL protocol would see this as a session hijack attempt, and as I said you
could only use an established SSL session if the remote server is set for
SSL caching; otherwise a new session will be established.
The remote server is not only set for SSL caching, it requests a
cached SSL session for the data connection. Otherwise the connection
doesn't get established. This is defined in RFC 4217 at 10.2.

This is the normal flow:
Connect to the FTP server
Send "AUTH TLS"
Set up the initial SSL session for the control connection
Log in
Send "PROT P" <--- for requesting an encrypted data connection
Send "PASV"
LIST / request a file or something else that needs a data connection
Connect to the server and use the SSL session of the control connection.
The server doesn't accept anything else besides the control SSL session.

I don't think I can rely on the SSL cache of my local framework; I
have to explicitly tell it to resume the control SSL session.
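The handshake behaviour behind that flow, as an added example that is not part of the thread and not the poster's code: it is written in Go rather than .NET, stands in an in-memory pipe and a constructed self-signed "localhost" certificate for the FTP server, and leaves out the FTP commands themselves. RunDemo, Result, handshake and serverConfig are names made up for this illustration. The first handshake plays the control connection, the second the data connection opened from the same client state, and the third a client that shares nothing with the first two, which is the situation of a brand-new stream object.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result records what each of the three handshakes in RunDemo did.
type Result struct {
	ControlResumed  bool // control connection: always a full handshake
	DataResumed     bool // data connection from the same client state: resumed
	ServerSawResume bool // the server's view of that data connection
	StrangerResumed bool // client sharing no state with the others: full again
}

// serverConfig builds a constructed, in-memory self-signed "localhost" identity
// (not any real server's certificate) plus the root pool a client needs to trust it.
func serverConfig() (*tls.Config, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srv := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}},
		MinVersion:   tls.VersionTLS12,
	}
	return srv, pool, nil
}

// handshake runs one TLS connection over an in-memory pipe and returns the
// client's and the server's DidResume flags. A server enforcing RFC 4217 10.2
// would go on to refuse a data connection that did not resume the control
// session; this toy server only reports whether a resumption happened.
func handshake(srv, cli *tls.Config) (clientResumed, serverResumed bool, err error) {
	a, b := net.Pipe()
	defer a.Close() // also unblocks the server goroutine's close_notify write
	got := make(chan bool, 1)
	go func() {
		s := tls.Server(b, srv)
		got <- s.Handshake() == nil && s.ConnectionState().DidResume
		s.Close()
	}()
	c := tls.Client(a, cli)
	if err = c.Handshake(); err != nil {
		return false, false, err
	}
	return c.ConnectionState().DidResume, <-got, nil
}

// RunDemo plays the pattern from the post: a control connection, a data connection
// resuming its TLS session, then a client that shares no state and cannot resume.
func RunDemo() (Result, error) {
	var r Result
	srv, pool, err := serverConfig()
	if err != nil {
		return r, err
	}
	// One client config, hence one ClientSessionCache, shared by the control and
	// data connections: that cache is what lets the second handshake resume. TLS 1.2
	// is pinned so the ticket is delivered inside the handshake and is cached before
	// Handshake returns (in TLS 1.3 the ticket is a post-handshake message).
	shared := &tls.Config{
		RootCAs: pool, ServerName: "localhost", ClientSessionCache: tls.NewLRUClientSessionCache(4),
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
	}
	if r.ControlResumed, _, err = handshake(srv, shared); err != nil {
		return r, err
	}
	if r.DataResumed, r.ServerSawResume, err = handshake(srv, shared); err != nil {
		return r, err
	}
	// A fresh config with no cache, like a brand-new stream object that knows
	// nothing about the control connection: all it can get is a full handshake.
	stranger := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	r.StrangerResumed, _, err = handshake(srv, stranger)
	return r, err
}

func main() { fmt.Println(RunDemo()) }
```

The point to take from it is that resumption is a property of the client-side state the two connections share (here the ClientSessionCache on one tls.Config), not something the server can grant on its own: the server can only resume a session the client offers, and a client opened from scratch offers nothing, which is exactly the full handshake the stranger case gets. A server enforcing the requirement the post cites from RFC 4217 section 10.2 would additionally check that the data connection resumed the control connection's session rather than any cached one; the toy server above only reports whether a resumption happened.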
 
Hi,

I was told real names were desired in the newsgroups here, so I changed
my name now.

Greets
Roland Peters
 
John said:
Why don't you drop an email to someone in the .NET remoting team. They will
be able to answer your question for you; if you're lucky they just might be
able to tell you where it's going wrong, assuming you can get someone to
answer you.

http://blogs.msdn.com/dotnetremoting/

http://blogs.msdn.com/mahjayar/contact.aspx
Thank you for the hint. I dropped an email to each, but till now I didn't
get any reaction. What is the average time span for an answer, or don't
they respond to every question?

Roland Peters
 