Access to cipher_id of sessions from external cache?


Access to cipher_id of sessions from external cache?

Victor Duchovni

I am looking for a portable way to compare the cipher of a session in
the external cache with the cipherlist of an embryonic SSL object.

Sessions in the external cache are essentially keyed by the target IP
and port, and multiple logical destinations (email receiving domains)
may be served by the same TLS-enabled SMTP server.

In Postfix 2.3 the administrator will be able to specify separate
cipherlists for each destination domain, but sessions are not cached by
domain to avoid excessive session counts for hosts serving a large pool
of domains.

So before I attempt to re-use a session, I need to make sure that
its cipher is OK for the current destination (otherwise the handshake
breaks). I can peek under the hood to get the session's cipher number
(session->cipher_id) and compare with the cipher ids of the cipherlist
(also direct structure access), but this is an unpublished interface,
and I don't expect binary compatible behaviour for unpublished interfaces.

Is there a way to filter out incompatible sessions via published APIs?

Are new published APIs to allow cipher id comparisons likely to materialize
in the future?

Right now, I may have to build the cipherlist spec into the cache lookup
key; this will work moderately well in the typical case when most domains
have the same cipherlist, and the set of override cipherlists is small.
It is never worse than putting the domain in the lookup key, because
there is at most one cipherlist per domain, but there can be many domains
per cipherlist. :-(

One last thing, I notice that when I ask questions of this sort here,
they mostly go unanswered... Is this the wrong list? Does this belong
on openssl-devel or some other list rather than openssl-users?

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: Access to cipher_id of sessions from external cache?

Victor Duchovni
On Thu, May 11, 2006 at 07:54:26PM -0400, Victor Duchovni wrote:

> Is there a way to filter out incompatible sessions via published APIs?
>
> Are new published APIs to allow cipher id comparisons likely to materialize
> in the future?
>
> Right now, I may have to build the cipherlist spec into the cache lookup
> key; this will work moderately well in the typical case when most domains
> have the same cipherlist, and the set of override cipherlists is small.
> It is never worse than putting the domain in the lookup key, because
> there is at most one cipherlist per domain, but there can be many domains
> per cipherlist. :-(

FWIW, this is what the code will do, the small number of additional
sessions per IP (scaling with configuration complexity rather than
domain count) is manageable. This better supports absurd, but feasible,
configurations where some domains (served by a common server) must use
weak ciphers and other domains must use strong ciphers.

So I guess I don't have to have ABI-supported access to the cipher ids,
for now...

--
        Viktor.
Re: Access to cipher_id of sessions from external cache?

Kyle Hamilton
Steve is usually around, but I'm not sure he has the time to look into
all the complex questions.  Unfortunately, I don't know the guts nor
future development well enough to be able to answer your question.

If you would like to request the ability to get that information in a
stable, supported manner, the best place to ask is openssl-devel
and/or open a feature request.

-Kyle H

On 5/11/06, Victor Duchovni <[hidden email]> wrote:

>
> I am looking for a portable way to compare the cipher of a session in
> the external cache with the cipherlist of an embryonic SSL object.
>
> Sessions in the external cache are essentially keyed by the target IP
> and port, and multiple logical destinations (email receiving domains)
> may be served by the same TLS-enabled SMTP server.
>
> In Postfix 2.3 the administrator will be able to specify separate
> cipherlists for each destination domain, but sessions are not cached by
> domain to avoid excessive session counts for hosts serving a large pool
> of domains.
>
> So before I attempt to re-use a session, I need to make sure that
> its cipher is OK for the current destination (otherwise the handshake
> breaks). I can peek under the hood to get the session's cipher number
> (session->cipher_id) and compare with the cipher ids of the cipherlist
> (also direct structure access), but this is an unpublished interface,
> and I don't expect binary compatible behaviour for unpublished interfaces.
>
> Is there a way to filter out incompatible sessions via published APIs?
>
> Are new published APIs to allow cipher id comparisons likely to materialize
> in the future?
>
> Right now, I may have to build the cipherlist spec into the cache lookup
> key; this will work moderately well in the typical case when most domains
> have the same cipherlist, and the set of override cipherlists is small.
> It is never worse than putting the domain in the lookup key, because
> there is at most one cipherlist per domain, but there can be many domains
> per cipherlist. :-(
>
> One last thing, I notice that when I ask questions of this sort here,
> they mostly go unanswered... Is this the wrong list? Does this belong
> on openssl-devel or some other list rather than openssl-users?
>
> --
>         Viktor.