Re: [TLS] SSL session caching & lookups
If you have several servers with DNS load balancing, are the sessions
actually synchronized between the servers? Can you set up a session
with server A and then resume it on B?
If the answer is no, then it makes sense to consider server IP. If the
answer is yes, it doesn't.
I would like to point out two things, however:
1. Trying to resume a session is essentially non-cost to the client, so
why not attempt to resume all the time, even if only the DNS name
matches?
2. Clients tend to cache DNS results, so even if you have DNS load
balancing, a client will usually go to the same IP address again and
again. If you have some other kind of load balancing that keeps a
constant IP address, then you might have this problem.
On Feb 1, 2008, at 4:30 AM, Nagendra Modadugu wrote:
> I'd like to get some implementation advice about a matter that is not
> covered in the spec.
>
> NSS clients currently only attempt to resume a session if the
> following fields match:
> * server IP
> * server Port
> * session ID
> * server hostname
>
> Looking up sessions in this manner means that dns-load-balancing
> breaks SSL resumes. Is there a case for checking server IP and port?
>
> nagendra
> _______________________________________________
> TLS mailing list
> TLS at ietf.org
> http://www.ietf.org/mailman/listinfo/tls
>
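As an added illustration of the lookup policy argued in the reply above (example code written for this page, not NSS's code and not from either poster): a client cache keyed on server name and port only, exercised against a constructed server pool that either shares session state across members or keeps it per server. `ServerPool`, `connect` and the IP values are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Session:
    session_id: bytes
    server_name: str   # name the server certificate was validated for
    port: int

class ClientSessionCache:
    """Keyed on (server_name, port); the resolved IP is deliberately not in the key,
    so a session is never offered to a different name but survives a DNS change."""
    def __init__(self):
        self._entries = {}

    def lookup(self, server_name, port):
        return self._entries.get((server_name, port))

    def store(self, session):
        self._entries[(session.server_name, session.port)] = session

class ServerPool:
    """Constructed stand-in for DNS-load-balanced servers (hypothetical).
    synchronized=True means every member shares one server-side session store."""
    def __init__(self, ips, synchronized):
        self.synchronized = synchronized
        self._shared = {}
        self._per_ip = {ip: {} for ip in ips}
        self._next_id = 0

    def _store(self, ip):
        return self._shared if self.synchronized else self._per_ip[ip]

    def handshake(self, ip, server_name, port, offered):
        """Return (session, resumed). An unknown ID just triggers a full handshake."""
        store = self._store(ip)
        if offered is not None and store.get(offered.session_id) == offered:
            return offered, True
        self._next_id += 1
        fresh = Session(self._next_id.to_bytes(4, "big"), server_name, port)
        store[fresh.session_id] = fresh
        return fresh, False

def connect(cache, pool, ip, server_name, port=443):
    """One client connection: always offer whatever is cached for the name,
    then overwrite the entry so a stale ID is not re-offered indefinitely."""
    offered = cache.lookup(server_name, port)
    session, resumed = pool.handshake(ip, server_name, port, offered)
    cache.store(session)
    return resumed
```

With a shared server-side store the second connection to a different IP resumes; without one it falls back to a full handshake and the cache simply picks up the new session, which is the "non-cost" failure mode the reply describes.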