Looking for advice on session renegotiation


Looking for advice on session renegotiation

Charles Mills
I understand the basics of session renegotiation. (And yes, I am familiar
with http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION.)
Not clear to me: should I be setting
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION?

What I am mostly looking for is some clue as to what would be a good default
for how often to force renegotiation: every megabyte? Every ten megabytes?
Every 100 megabytes?

The data is "one-way" (client to server only) and what I would call "medium
sensitive": typically no national secrets or credit card numbers, but lots
of userids and critical filenames. (Commercial "multi-purpose" application
so a little difficult to predict *exactly* what the data will be.) The data
is also highly repetitive (which I understand makes it easier to crack). It
might also be possible for a rogue to "force" a predictable stream of data
by taking a particular action.
       
The server would typically be on a private network but might in some cases
be Internet-facing. The server would typically be long-running (weeks
without a restart). I am using OpenSSL 1.0.1c 10 May 2012.

Thanks,
Charles


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
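The post above asks how often a long-running server should force a renegotiation. The scheduler below is an added example, not code from the poster or from OpenSSL: it counts bytes since the last handshake, also rekeys on elapsed time so an idle-but-open session does not keep one key set for weeks, and rate-limits attempts so a peer who can force a predictable stream cannot also force handshakes on demand (each handshake costs server CPU). The thresholds in the demo are constructed values, not a recommendation. The OpenSSL calls that would act on its answer (SSL_renegotiate() followed by SSL_do_handshake(), checking SSL_renegotiate_pending() for completion, with SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION set on the SSL_CTX) are named only in comments, so the file compiles without libssl.

```c
/* Added example (not OpenSSL's or the poster's code): a rekey scheduler
 * for a long-running TLS server.  It decides WHEN to renegotiate; the
 * OpenSSL calls that perform it are referenced in comments only. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

typedef struct {
    uint64_t bytes_per_rekey;   /* byte bound: the open question in the post */
    uint64_t secs_per_rekey;    /* time bound: idle sessions must rekey too */
    uint64_t min_secs_between;  /* floor between attempts: limits forced churn */
    uint64_t bytes_since_rekey;
    time_t   last_rekey;        /* when the current keys came into use */
    time_t   last_attempt;      /* when a handshake was last started */
    bool     rekey_in_flight;   /* true while SSL_do_handshake() is pending */
} rekey_sched;

void rekey_init(rekey_sched *s, uint64_t bytes, uint64_t secs,
                uint64_t min_secs, time_t now)
{
    s->bytes_per_rekey = bytes;
    s->secs_per_rekey = secs;
    s->min_secs_between = min_secs;
    s->bytes_since_rekey = 0;
    s->last_rekey = now;
    s->last_attempt = now;
    s->rekey_in_flight = false;
}

/* Call after each successful SSL_read()/SSL_write() with the byte count
 * (the post's traffic is client-to-server, so count received bytes too).
 * Returns true when the caller should start a renegotiation now:
 *   SSL_renegotiate(ssl); SSL_do_handshake(ssl);
 * then drive the handshake and call rekey_done() once
 * SSL_renegotiate_pending(ssl) returns 0. */
bool rekey_account(rekey_sched *s, uint64_t n, time_t now)
{
    /* Saturate instead of wrapping: a wrapped counter would silently
     * disable byte-based rekeying on a session that runs for weeks. */
    if (UINT64_MAX - s->bytes_since_rekey < n)
        s->bytes_since_rekey = UINT64_MAX;
    else
        s->bytes_since_rekey += n;

    if (s->rekey_in_flight)
        return false;                    /* one handshake at a time */

    uint64_t since_attempt = now > s->last_attempt ? (uint64_t)(now - s->last_attempt) : 0;
    if (since_attempt < s->min_secs_between)
        return false;                    /* rate limit wins even if bytes are over */

    uint64_t since_rekey = now > s->last_rekey ? (uint64_t)(now - s->last_rekey) : 0;
    bool by_bytes = s->bytes_since_rekey >= s->bytes_per_rekey;
    bool by_time  = since_rekey >= s->secs_per_rekey;
    if (by_bytes || by_time) {
        s->rekey_in_flight = true;
        s->last_attempt = now;
        return true;
    }
    return false;
}

/* New keys are in use: restart the byte and time windows. */
void rekey_done(rekey_sched *s, time_t now)
{
    s->bytes_since_rekey = 0;
    s->last_rekey = now;
    s->rekey_in_flight = false;
}

/* Handshake failed: old keys stay in use, so keep counting; the next
 * attempt is allowed only after min_secs_between from the failed one. */
void rekey_failed(rekey_sched *s)
{
    s->rekey_in_flight = false;
}

/* Constructed demo: one write of write_size bytes every second for a day,
 * handshakes assumed to complete immediately.  Returns rekeys triggered. */
unsigned simulate_day(uint64_t write_size, uint64_t bytes_thresh,
                      uint64_t secs_thresh, uint64_t min_secs)
{
    rekey_sched s;
    rekey_init(&s, bytes_thresh, secs_thresh, min_secs, 0);
    unsigned rekeys = 0;
    for (time_t now = 1; now <= 24 * 3600; now++) {
        if (rekey_account(&s, write_size, now)) {
            rekeys++;
            rekey_done(&s, now);
        }
    }
    return rekeys;
}

int main(void)
{
    const uint64_t MiB = 1024 * 1024;
    printf("1 KiB/s, 100 MiB or 12 h, 60 s floor: %u rekeys/day\n",
           simulate_day(1024, 100 * MiB, 12 * 3600, 60));
    printf("1 MiB/s, 100 MiB or 12 h, 60 s floor: %u rekeys/day\n",
           simulate_day(MiB, 100 * MiB, 12 * 3600, 60));
    printf("1 MiB/s, 1 MiB or 12 h, 60 s floor (rate-limited): %u rekeys/day\n",
           simulate_day(MiB, MiB, 12 * 3600, 60));
    return 0;
}
```

The three demo runs show the policy interacting: at low volume only the time bound fires (twice a day at a 12 h bound), at 1 MiB/s the byte bound fires every 100 s, and with an absurdly small byte bound the 60 s floor caps the rate at one handshake per minute regardless of how much data a peer pushes.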

Re: Looking for advice on session renegotiation

Curt Sampson
On 2012-08-20 08:39 -0400 (Mon), Charles Mills wrote:

> What I am mostly looking for is some clue as to what would be a good default
> for how often to force renegotiation: every megabyte? Every ten megabytes?
> Every 100 megabytes?

While we're at it, I've got a long-running application as well, with
similarly long-running connections, and I'm wondering what, if
anything, I need to do about re-seeding OpenSSL's PRNG. How long is
it safe to leave it running in a moderately busy system (several TLS
connections per second), and is that even the metric one should use?

cjs
--
Curt Sampson         <[hidden email]>         +81 90 7737 2974

It is easier to write an incorrect program than understand a correct one.
    --Alan Perlis, Epigrams on Programming (#7)