SSL session reuse is either Session-ID based or Session-Ticket based. In this example I will show you how to save the Session-ID and call it back using openssl and its s_client function.
First you have to understand that the Session-ID is a unique ID established by the server and client during the SSL/TLS hello.
In this example, I'm building a saved Session-ID file for the Google website by using the sess_out option.
In this next example, I'm calling up a saved Session-ID from a file for the website www.wwt.com and running it through a loop. If the server honors the Session-ID, it will be used throughout the TLS setup and will not change.
So in this example the Session-ID is being honored and used during our future sessions.
The saved Session-ID file contains data similar to the below.
If session reuse were not honored, each newly established session would contain a new Session-ID.
You can use the s_time function with openssl to validate performance.
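The whole procedure above (save the session with sess_out, replay it with sess_in in a loop, decide whether the server kept the same Session-ID, then measure with s_time) as one added shell script. This is an added example, not the original commands from the post; the host names, the file name sess.pem, /tmp/replay.log and the SAMPLE_OUTPUT text are assumptions or constructed data, not captured from any real server.

```shell
#!/bin/sh
# Added example (not the post's original commands): save a TLS session with
# s_client -sess_out, replay it with -sess_in in a loop, decide whether the
# server honored reuse, and time it with s_time. The host names, the file
# name sess.pem and SAMPLE_OUTPUT below are assumptions/constructed data.
set -u

SESS_FILE="${SESS_FILE:-sess.pem}"

# Step 1: full handshake, write the negotiated session to $SESS_FILE.
# </dev/null closes stdin so s_client exits right after the handshake.
save_session() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" \
        -sess_out "$SESS_FILE" </dev/null 2>/dev/null \
        | grep -E '^ *(New|Reused|Session-ID:)'
}

# The saved file is PEM ("SSL SESSION PARAMETERS"); decode it with sess_id.
show_session() {
    openssl sess_id -in "$SESS_FILE" -text -noout
}

# Step 2: replay the saved session N times; print the New/Reused line and
# the Session-ID of each handshake so a change in the ID is visible.
replay_session() {
    host="$1"; n="${2:-5}"
    i=1
    while [ "$i" -le "$n" ]; do
        openssl s_client -connect "$host:443" -servername "$host" \
            -sess_in "$SESS_FILE" </dev/null 2>/dev/null \
            | grep -E '^ *(New|Reused|Session-ID:)'
        i=$((i + 1))
    done
}

# Step 3: count distinct Session-IDs in s_client output read from stdin.
count_session_ids() {
    grep -o 'Session-ID: *[0-9A-Fa-f]*' | sed 's/Session-ID: *//' \
        | sort -u | wc -l | tr -d ' '
}

# One distinct ID across the loop means the server honored reuse;
# more than one means each handshake was issued a new Session-ID.
reuse_verdict() {
    n=$(count_session_ids)
    if [ "$n" -eq 0 ]; then
        echo "no Session-ID lines found"
    elif [ "$n" -eq 1 ]; then
        echo "honored"
    else
        echo "not honored ($n distinct Session-IDs)"
    fi
}

# Step 4: compare handshake throughput without and with reuse.
time_handshakes() {
    host="$1"
    openssl s_time -connect "$host:443" -new   -time 10
    openssl s_time -connect "$host:443" -reuse -time 10
}

# Constructed sample of what replay_session prints when the third handshake
# is no longer resumed (not captured from any real server).
SAMPLE_OUTPUT='Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: FFEEDDCCFFEEDDCCFFEEDDCCFFEEDDCCFFEEDDCCFFEEDDCCFFEEDDCCFFEEDDCC'

sample_distinct_ids() { printf '%s\n' "$SAMPLE_OUTPUT" | count_session_ids; }
sample_verdict()      { printf '%s\n' "$SAMPLE_OUTPUT" | reuse_verdict; }

main() {
    host="$1"
    save_session "$host"
    show_session
    replay_session "$host" 5 | tee /tmp/replay.log
    reuse_verdict </tmp/replay.log
    time_handshakes "$host"
}

# Usage: sh tls_reuse.sh www.example.com   (runs the live steps)
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Two things to keep in mind when reading the output. s_client prints a "Reused," or "New," line in front of the cipher, and that line is the most reliable sign of resumption; under TLS 1.3 the printed Session-ID is only a legacy field (resumption there runs over PSK tickets), so pass -tls1_2 to s_client if you want to watch the Session-ID behaviour exactly as the post describes it. The sample verdict for the constructed output above is "not honored (2 distinct Session-IDs)", which is the "new Session-ID on every handshake" case the post contrasts against.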
Notes:
- Session reuse can decrease the TLS setup time
- It allows for more connections in a given period
- It reduces server CPU computations by reducing the number of steps in the SSL handshakes
- Session reuse can compromise forward secrecy
- With Session-ID, the ID is cached at the server
- Session-Tickets are stored on the client
- In regards to #6, if the Session-ID is compromised, an attacker can potentially hijack a session by knowing the Session-ID
- By doing either of the following, 1) reducing the cache size or 2) reducing the cache lifetime, you can reduce the risk from item #7 above
Review one of my previous postings about SSL flooding without actually touching the application layer:
http://socpuppet.blogspot.com/2013/04/ssl-negotiation-flooder-via-curl.html
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \