From: Peter Conrad (conrad_at_tivano.de)
Date: Fri Jul 26 2002 - 02:28:12 CDT
Hi,
On Thu, Jul 25, 2002 at 05:33:04PM -0400, Kevin Spett wrote:
> It's a really interesting idea, and it is a damn shame that the cookie
> spec wasn't drawn up with the idea of PKI negotiation, but ultimately I
> don't think it's possible to pull off. There are no webservers that I know
> of (including Apache with mod_ssl) that have an API to expose that
> information to software on higher levels.
A loooong time ago I wrote a plugin for the old Netscape Enterprise Server
that forwarded SSL certificate information to a higher-level application
(LiveWire, I believe - yuck!). So it is possible, at least in some cases.
But, as others have pointed out, SSL session IDs are not persistent enough.
And while I'd like to blame MS for this 'bug', I must admit that the SSL
spec does not require resuming previously established SSL sessions in
the next handshake, so actually this is not a bug at all.
Thinking about it, it even makes sense: in SSL you use client certificates
for authentication. SSL session IDs are merely useful to prevent some
expensive computation from being repeated over and over again...
Bye,
Peter
--
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18
63263 Neu-Isenburg