session-ID cache


session-ID cache

imana sakki
hello
where is the session-ID & master-key in the computer? where is this cache?
can I see it? how secure is it? thank you


Re: session-ID cache

Victor Duchovni
On Sun, Oct 30, 2005 at 10:57:00PM -0800, imana sakki wrote:

> hello
> where is the session-ID & master-key in the computer? where is this cache?
> can I see it? how secure is it? thank you
>

Relevant man pages:

    SSL_CTX_sess_set_cache_size
    SSL_CTX_sess_set_get_cb
    SSL_CTX_sess_set_new_cb
    SSL_CTX_set_session_cache_mode
    SSL_CTX_set_session_id_context
    SSL_CTX_set_timeout
    d2i_SSL_SESSION
    i2d_SSL_SESSION

The cache is in process memory by default, but callbacks allow you
to persist the cache in external storage.

A decent example of how an external cache is implemented can be
found in the Postfix 2.2.5 source code (the src/tls/tls_client.c,
src/tls/tls_server.c and src/tls/tls_session.c files).

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: session-ID cache

imana sakki
hello
I want to know whether I can see the content of the session-ID cache (the internal cache)?
is it possible for an attacker to sniff the master-key from this cache?
how secure is this cache?
thank you very much


Re: session-ID cache

Victor Duchovni
On Wed, Nov 02, 2005 at 09:17:52PM -0800, imana sakki wrote:

> I want to know whether I can see the content of the session-ID cache (the internal cache)?
> is it possible for an attacker to sniff the master-key from this cache?
> how secure is this cache?

There is no global "master key", only a per-session master key that
enables session restart without expensive public key operations. The
internal cache is stored in process memory; if that is not safe enough,
the game is over. If you store the sessions out of process, it is up
to you to set up appropriately protected storage. For Postfix the
cache file is only readable by the "postfix" user id, and the cached
sessions are typically expired by both sides in 300s (HTTP) to 3600s
(SMTP).

    $ ls -l /etc/postfix/smtp_scache.db
    -rw-------    1 root bin  8192 Nov  3 00:40 /etc/postfix/smtp_scache.db

--
        Viktor.
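An added example, not code from the thread, OpenSSL or Postfix, modelling the out-of-process cache the two replies above describe: what a new-session callback would store (the i2d_SSL_SESSION bytes keyed by session ID), what a get-session callback would look up, the timeout enforced on lookup, and the owner-only file mode that the Postfix cache file relies on. The class and method names are my own, and the session IDs and blobs are constructed sample bytes, not real serialized sessions.

```python
import os
import stat
import struct
import time

# Added example: models the external session cache that SSL_CTX_sess_set_new_cb()
# would fill with i2d_SSL_SESSION() output and SSL_CTX_sess_set_get_cb() would
# query. Blobs are constructed sample bytes, not real SSL_SESSION data.
_REC = ">HdI"  # record header: session-ID length, expiry time, blob length
class ExternalSessionCache:
    def __init__(self, timeout=300):  # 300 s, the HTTP figure quoted in the thread
        self.timeout = timeout
        self._entries = {}  # session_id (bytes) -> (expiry, blob)

    def new_session(self, session_id, blob, now=None):
        """What the new-session callback stores: blob plus expiry = now + timeout."""
        now = time.time() if now is None else now
        self._entries[session_id] = (now + self.timeout, blob)

    def get_session(self, session_id, now=None):
        """What the get-session callback returns; missing or expired -> None."""
        now = time.time() if now is None else now
        expiry, blob = self._entries.get(session_id, (0, None))
        if now >= expiry:  # drop expired entries, as OpenSSL's own cache would
            self._entries.pop(session_id, None)
            return None
        return blob

    def save(self, path):
        # Create with mode 0600: the file holds per-session master keys.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            for sid, (expiry, blob) in self._entries.items():
                f.write(struct.pack(_REC, len(sid), expiry, len(blob)) + sid + blob)

    @classmethod
    def load(cls, path, timeout=300):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # group/other access: refuse to use the cache at all
            raise PermissionError(f"{path} has mode {oct(mode)}, expected 0600")
        cache = cls(timeout)
        with open(path, "rb") as f:
            data = f.read()
        off, hdr = 0, struct.calcsize(_REC)
        while off < len(data):
            sid_len, expiry, blob_len = struct.unpack_from(_REC, data, off)
            off += hdr
            sid, blob = data[off:off + sid_len], data[off + sid_len:off + sid_len + blob_len]
            off += sid_len + blob_len
            cache._entries[sid] = (expiry, blob)
        return cache
```

The permission check on load is the point the thread makes about "appropriately protected storage": a cache readable by other users exposes every cached master key, so the safer failure is to reject the file and fall back to full handshakes.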

Re: session-ID cache

imana sakki
hello, I thank you for your answers, I read in rfc2246 that the lifetime for session-ID is 24 hours; is there a difference between this time and the time that you say (300 sec)?


Re: session-ID cache

Victor Duchovni
On Tue, Nov 08, 2005 at 07:10:31AM -0800, imana sakki wrote:

> hello, I thank you for your answers, I read in rfc2246 that the lifetime
> for session-ID is 24 hours; is there a difference between this time and
> the time that you say (300 sec)?

The lifetime is whatever your application chooses to set it to. For Web
servers it is typically 5 minutes. For SMTP servers, 1 hour seems to be
popular. Please read the manual pages and/or Eric Rescorla's book:

    "SSL and TLS: Designing and Building Secure Systems"

--
        Viktor.