milzniff has asked for the wisdom of the Perl Monks concerning the following question:

Has anyone messed around with an SSL v3 feature known as "ssl session caching" while building/using perl web clients?

I'm curious as to the following:
  • how to determine and set the ssl session id
  • how to retain and use the session id across multiple http client "hits" in a stateless environment
  • if there is anything else besides the id itself that would need to be set.

    thanks

    -miff
    Re: SSL session caching with LWP and Crypt::SSLeay
    by arabella (Acolyte) on Sep 05, 2001 at 09:32 UTC
      I originally came across this question while I was trying to set up SSL session resumption. I thought I would share the results of my investigation.

      Bottom Line: SSL Session resumption should be possible using Perl but isn't!

      Using the C OpenSSL library you would typically:

    • open the first SSL connection
    • save the session details using SSL_get_session before closing the connection
    • use SSL_set_session when initialising the next SSL connection

      Crypt::SSLeay doesn't implement the SSL_get/set_session functions, so session resumption is not possible.

      Net::SSLeay implements both functions. However, Net::SSLeay doesn't implement SSL_shutdown and relies on the socket-level shutdown routine. This leads to a 'premature close' on the link. The standards forbid resuming a session which was closed prematurely (although I've heard some implementations allow it).

      If you find a way please let me know.


      The SSL_SESSION structure contains all that is required to resume the session. This includes the Session_ID, the Cipher spec, and the Master_key. Only the Session_ID is sent during session resumption. The Master_key is used to reset the symmetric encryption key for the session while the Cipher specifies which encryption method is to be used.
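
An added example, not part of the reply above and not code from OpenSSL or any Perl module: a small model of the server-side session cache showing that only the session ID is offered on resumption, that the cached master key yields fresh symmetric keys for each connection, and that a premature close makes the session non-resumable. Assumptions: `SessionCache`, `CIPHER` and `demo` are hypothetical names, the master key is a random stand-in for a real key exchange, and key derivation uses the TLS 1.2 PRF from RFC 5246 rather than the SSL v3 derivation.

```python
import hashlib, hmac, os

def p_sha256(secret, seed, n):
    """P_SHA256 from RFC 5246 section 5 (the TLS 1.2 PRF expansion)."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def key_block(master, client_random, server_random, n=72):
    # RFC 5246 section 6.3; 72 bytes = 2 x 20-byte MAC keys + 2 x 16-byte AES keys
    return p_sha256(master, b"key expansion" + server_random + client_random, n)

CIPHER = "TLS_RSA_WITH_AES_128_CBC_SHA"  # constructed sample value

class SessionCache:
    """Server side: session_id -> cipher spec, master key, resumable flag."""
    def __init__(self):
        self.entries = {}

    def hello(self, offered_id, client_random):
        """Handle a ClientHello; only the session ID crosses the wire."""
        server_random = os.urandom(32)
        entry = self.entries.get(offered_id)
        if entry and entry["resumable"]:
            mode, sid = "resumed", offered_id
        else:
            # Stand-in for a full handshake: a real one derives the master
            # key from the key exchange instead of picking random bytes.
            mode, sid = "full", os.urandom(32)
            entry = {"cipher": CIPHER, "master": os.urandom(48), "resumable": True}
            self.entries[sid] = entry
        keys = key_block(entry["master"], client_random, server_random)
        return {"mode": mode, "session_id": sid, "cipher": entry["cipher"], "keys": keys}

    def closed(self, session_id, got_close_notify):
        # Rule from the post: a prematurely closed session must not be resumed.
        if not got_close_notify and session_id in self.entries:
            self.entries[session_id]["resumable"] = False

def demo():
    cache = SessionCache()
    first = cache.hello(b"", os.urandom(32))                    # no ID offered: full handshake
    cache.closed(first["session_id"], got_close_notify=True)    # clean shutdown
    second = cache.hello(first["session_id"], os.urandom(32))   # ID offered: resumed
    cache.closed(second["session_id"], got_close_notify=False)  # socket-level close only
    third = cache.hello(first["session_id"], os.urandom(32))    # ID rejected: full handshake
    return first, second, third

if __name__ == "__main__":
    for r in demo():
        print(r["mode"], r["session_id"].hex()[:16], r["keys"].hex()[:16])
```

The second connection reuses the session ID and cipher but gets a different key block, because the fresh client and server randoms are mixed with the cached master key.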