[racket] OpenSSL: server-side session caching?
On Tue, Dec 23, 2014 at 8:23 PM, Ryan Culpepper <ryanc at ccs.neu.edu> wrote:
> On Dec 23, 2014, at 5:21 AM, Snyder Pearson <aranhoide at getlantern.org>
> wrote:
>
> > I can't see any way to control either client or server-side SSL/TLS
> session caching using Racket's openssl bindings. I don't really need such
> control as long as the server-side part of it works as (IIUC) OpenSSL does
> by default, that is, each server-side SSL context contains a session cache
> that is populated and used as long as the client side shuts down their SSL
> sessions properly.
> >
> > Is this understanding correct? Either way, do Racket's openssl bindings
> work like this?
>
> I’m going off of fuzzy memories, but I think it will not work by default
> because Racket closes SSL connections without sending the shutdown message,
> and that’s supposed to invalidate the session. (Because it could indicate
> that an attacker truncated communication before, say, a ChangeCipherSpec
> message or something similar.)
>
Thanks! While that's indeed Racket's default behavior, you can override
that via the #:shutdown-on-close? parameter of ports->ssl-ports [1]. Also,
that only applies to Racket servers talking to clients that also use (the
openssl bindings of) Racket, or which otherwise don't send shutdown
messages.
So let me slightly reformulate my question: does a Racket TLS server do
session caching, provided that clients send shutdown messages appropriately
when closing their connections? Or is there anything in the implementation
of Racket's openssl bindings that inhibits OpenSSL's default caching
behavior?
[1] Thanks again to Matthew Flatt for very helpfully pointing this to me
recently-- and for your amazing work on Racket.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.racket-lang.org/users/archive/attachments/20141226/cbc3e158/attachment.html>