From: Brass, Phil (ISS Atlanta) (PBrassiss.net)
Date: Fri Nov 09 2001 - 09:15:53 CST


    There are two levels to think about. One is, perhaps HTTP 1.1 is keeping
    the connection alive, so multiple requests can go through the same SSL
    socket connection.

    The other is, SSL has a Session Resumption mechanism. From page 96 of "SSL
    and TLS: Designing and Building Secure Systems" by Eric Rescorla:
    "... If the client and server have already communicated once, they can
    short-circuit the full handshake and proceed directly to data transfer.
    The most expensive part of the handshake is the establishment of the
    pre_master_secret, which usually (except in the case of Kerberos) requires
    public key cryptography. A resumed handshake allows a new connection to use
    a master_secret established in a previous handshake. This avoids the
    computationally expensive operations required by public key cryptography."

    This book is da bomb for SSL, as is the ssldump tool at
    http://www.rtfm.com/ssldump.

    BTW, hopefully when you said http://myhost.net/buy.html you really meant
    https://myhost.net/buy.html...

    Phil

    > -----Original Message-----
    > From: RAGHAVENDRAN H. (SSG) - CTD, Chennai.
    > [mailto:raghavhctd.hcltech.com]
    > Sent: Friday, November 09, 2001 12:37 AM
    > To: webappsecsecurityfocus.com
    > Subject: SSL Question
    >
    >
    > Hi All:
    >
    > I don't know if this is the right forum to ask this question but here
    > goes...
    >
    >
    > The question I have is that when we establish an SSL session with a site
    > (say https://myhost.net), SSL protocol comes into play (the handshake and
    > record part of it). However, if I subsequently traverse other webpages
    > within the same site (for e.g. http://myhost.net/buy.html,
    > http://myhost.net/products/camera.html etc.) will SSL negotiations happen
    > each time for each page? In other words, within the same site, will the SSL
    > negotiation happen once or for each SSL-protected page that I'm viewing?
    >
    > Any feedback is greatly appreciated.
    >
    > Thanks and Regards,
    > Raghav
    >
    > **************************************************************
    > Disclaimer:
    >
    > This document is intended for transmission to the named recipient only. If
    > you are not that person, you should note that legal rights reside in this
    > document and you are not authorized to access, read, disclose, copy, use or
    > otherwise deal with it and any such actions are prohibited and may be
    > unlawful. The views expressed in this document are not necessarily those of
    > HCL Technologies Ltd. Notice is hereby given that no representation,
    > contract or other binding obligation shall be created by this e-mail, which
    > must be interpreted accordingly. Any representations, contractual rights or
    > obligations shall be separately communicated in writing and signed in the
    > original by a duly authorized officer of the relevant company.
    >
    > **************************************************************
    >
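
The session resumption described in the reply above can be recognised on the wire: in SSLv3 through TLS 1.2, a handshake is resumed when the ClientHello offers a non-empty session_id and the ServerHello echoes the same value. The following is an added example, not part of the original thread; the function names and the sample session IDs are constructed for illustration.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 1, 2

def hello_session_id(record: bytes, expected_type: int) -> bytes:
    """Extract session_id from a record holding one ClientHello or ServerHello."""
    if len(record) < 5:
        raise ValueError("too short for a record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != HANDSHAKE or len(body) != rec_len or rec_len < 4:
        raise ValueError("not a complete handshake record")
    msg_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    if body[0] != expected_type or len(msg) != msg_len or msg_len < 35:
        raise ValueError("unexpected or truncated hello")
    # Both hellos start: version(2) + random(32) + session_id length(1).
    sid_len = msg[34]
    sid = msg[35:35 + sid_len]
    if sid_len > 32 or len(sid) != sid_len:
        raise ValueError("bad session_id length")
    return sid

def classify(client_hello: bytes, server_hello: bytes) -> str:
    """'resumed' if the server echoed a non-empty session_id the client offered."""
    offered = hello_session_id(client_hello, CLIENT_HELLO)
    chosen = hello_session_id(server_hello, SERVER_HELLO)
    return "resumed" if offered and offered == chosen else "full"

def build_hello(msg_type: int, session_id: bytes) -> bytes:
    """Build a constructed sample hello (zeroed random, one cipher suite)."""
    suite = b"\x00\x0a"  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    tail = b"\x00\x02" + suite + b"\x01\x00" if msg_type == CLIENT_HELLO else suite + b"\x00"
    msg = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id + tail
    hs = bytes([msg_type]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs

# Constructed sample session IDs, not captured traffic.
SID_A, SID_B = b"\xaa" * 32, b"\xbb" * 32

if __name__ == "__main__":
    first = classify(build_hello(CLIENT_HELLO, b""), build_hello(SERVER_HELLO, SID_A))
    second = classify(build_hello(CLIENT_HELLO, SID_A), build_hello(SERVER_HELLO, SID_A))
    expired = classify(build_hello(CLIENT_HELLO, SID_A), build_hello(SERVER_HELLO, SID_B))
    print(first, second, expired)
```

The third case models a server that no longer holds the cached session: it answers with a different session_id and the full public-key handshake runs again.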