Friday, February 2, 2018

Validate TLS session-ID reuse

With TLS,  we have the ability to  reuse session-ID aka know as ssl-session resumption.

SSL re-usage is either ID or  Ticket base. In this example I will show you have to save  the "Session-ID" and cal it back using openssl and s_client  function.

1st you have to understand the Session-ID is a unique ID & establish by the server and client during  the SSL/TLS hello.

In this example, I'm building a save session-id file for google website by using the sess_out option




In this next example, I'm calling up  a saved Session-ID from  a file for the website  www.wwt.com and running it thru a loop. If the  server honors the  Session-ID it will be used thru-out the TLS setup and will not change.



So in this example the session-ID is  being honored and used during out future sessions.


The save Session-ID file contains data similar to the below



If session reuse was not honored, each newly established session will contain a new-session-ID

You can use the s_time function with   openssl to validate performance.


Notes;

  1. Session reuse  can decrease the  TLS  setup time
  2. allow for more connections in a give period
  3. reduce Server CPU computations by reducing the number of steps in the SSL handshakes
  4. Session reuse  can compromise  forward_secrecy  
  5. With Session-ID this ID is cache at the server
  6. Session-Tickets are stored on the client
  7. In regards to #6, if the session-id are compromised, a attacker can potential hijack a session by knowing  the Session-ID
  8. By doing any of the following 1> reduce the cache size or 2> cache-lifetime, you  can reduce  item#7 from above

review  one of my   previous posting about ssl flooding without actually  touch the application layer

http://socpuppet.blogspot.com/2013/04/ssl-negotiation-flooder-via-curl.html



Ken Felix




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \