Re: [TLS] Questions about TLS Server Name Indication extension


Nelson B Bolyard <nelson at bolyard.me> writes:

>In the context of a physical server acting as multiple virtual servers, is the
>space of session IDs coming from that server a single space that encompasses
>all the sessions for all the virtual servers served by that physical server?
>Or does each virtual server have its own separate space?
>
>If each virtual server has its own separate session ID space, then when
>attempting to "resume" or "restart" a TLS session, the client hello MUST bear
>an SNI extension to inform the physical server which virtual server's session
>ID space contains the given session ID, and each virtual server potentially
>has its own separate session store/cache.
>
>OTOH, if there is a single session ID space for the entire physical server
>covering all the virtual servers, then each cached session must record and
>identify the virtual server with which it is associated.

Ah, I see what you mean now.  Well, in general I don't think it's going to be
an issue: the session ID is a 32-byte blob, so it's up to the server what it
puts in there; it can include a virtual server ID, cache ID, whatever it wants
in any format it requires.  In other words, if the server wants to encode
configuration- or server architecture-specific details in the session ID then
the form and type is up to the server; you don't need an explicit SNI for
this, particularly since the free-form blob accommodates much more than just
the virtual server : cache ID pair that the SNI + session ID handles.

Peter.
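To make the reply's suggestion concrete, here is an added example (not from this thread or any TLS implementation) of one session cache shared by all virtual servers, where each 32-byte session ID carries a virtual-server ID and cache ID prefix so a resumption attempt can be routed without SNI. The class, the 2+2 byte field layout and the host names are constructed for illustration; when the client does send SNI, the example refuses to resume a session whose embedded virtual server disagrees with it.

```python
import os
import struct

SESSION_ID_LEN = 32                 # TLS session IDs are at most 32 bytes
VHOST_FIELD = struct.Struct("!HH")  # constructed layout: 2-byte vhost ID + 2-byte cache ID


class VirtualHostSessionCache:
    """Single session cache for one physical server hosting several virtual servers.
    Every session ID embeds the virtual server it belongs to, so no per-vhost cache
    and no SNI extension are needed to find the right session on resumption."""

    def __init__(self, vhosts):
        # vhosts: mapping of SNI host name -> small integer vhost ID (constructed)
        self.vhost_ids = dict(vhosts)
        self.names_by_id = {vid: name for name, vid in vhosts.items()}
        self.store = {}  # session_id -> session state

    def new_session(self, sni_name, cache_id=0):
        vhost_id = self.vhost_ids[sni_name]
        # Layout: vhost ID | cache ID | 28 random bytes.  The random tail is the
        # real lookup entropy; the prefix only routes the ID to its virtual server.
        tail = os.urandom(SESSION_ID_LEN - VHOST_FIELD.size)
        session_id = VHOST_FIELD.pack(vhost_id, cache_id) + tail
        self.store[session_id] = {"vhost": sni_name, "cache": cache_id}
        return session_id

    @staticmethod
    def parse(session_id):
        if len(session_id) != SESSION_ID_LEN:
            raise ValueError("bad session ID length")
        return VHOST_FIELD.unpack_from(session_id)  # (vhost_id, cache_id)

    def resume(self, session_id, sni_name=None):
        """Return the cached session, or None to force a full handshake.
        The embedded vhost alone identifies the owner; if SNI was also sent,
        it must agree, so vhost A's session is never resumed under vhost B."""
        try:
            vhost_id, _cache_id = self.parse(session_id)
        except ValueError:
            return None
        owner = self.names_by_id.get(vhost_id)
        if owner is None:
            return None  # unknown virtual server encoded in the prefix
        if sni_name is not None and sni_name != owner:
            return None  # SNI and embedded vhost disagree
        sess = self.store.get(session_id)
        if sess is None or sess["vhost"] != owner:
            return None  # evicted, or the prefix was altered by the client
        return sess
```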

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.