ssl handshake with multiple tcp connect?

Arjan Filius

Hello,

today i ran into a situation, where i notice firefox/chrome and
gnutls-cli use 3 tcp sessions to get a single ssl session, where openssl
s_client takes only one.

one tcp session is what i expect, and i hope someone may have an
explanation.

compared the gnutls-cli with openssl s_client as they would do no http
interpretation, and are easily reproduced by commandline:

gnutls-cli  --insecure -V -r www.xs4all.nl </dev/null
  uses 3 tcp sessions to complete
openssl s_client -connect www.xs4all.nl:443 < /dev/null
  uses 1 tcp session to complete


Any idea how that may come? until now, i was under the impression a ssl
session setup should only use 1 tcp session (apart from ocsp/crl checks)

Thanks in advance

Regards,
--
Arjan Filius
mailto:[hidden email]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: ssl handshake with multiple tcp connect?

JoelKatz
On 8/25/2011 6:04 AM, Arjan Filius wrote:

>
> Hello,
>
> today i ran into a situation, where i notice firefox/chrome and
> gnutls-cli use 3 tcp sessions to get a single ssl session, where openssl
> s_client takes only one.
>
> one tcp session is what i expect, and i hope someone may have an
> explanation.
>
> compared the gnutls-cli with openssl s_client as they would do no http
> interpretation, and are easily reproduced by commandline:
>
> gnutls-cli --insecure -V -r www.xs4all.nl </dev/null
> uses 3 tcp sessions to complete
> openssl s_client -connect www.xs4all.nl:443 < /dev/null
> uses 1 tcp session to complete
>
>
> Any idea how that may come? until now, i was under the impression a ssl
> session setup should only use 1 tcp session (apart from ocsp/crl checks)

Why are you passing '-r' to gnutls-cli? You are asking it to try to
resume the session on a new TCP connection. (I count two connections.)

DS



Re: ssl handshake with multiple tcp connect?

Arjan Filius
Hello David,

thanks for your reply, and that's correct. that was it for gnutls-cli.
after a confusing day, one of the original items triggered my firefox browser, i thought reproduced with gnutls-cli.
In the end it was a simple favicon issue, which kept connecting (no cache).

regards,

On Thu, 2011-08-25 at 23:00 -0700, David Schwartz wrote:
> On 8/25/2011 6:04 AM, Arjan Filius wrote:
> >
> > Hello,
> >
> > today i ran into a situation, where i notice firefox/chrome and
> > gnutls-cli use 3 tcp sessions to get a single ssl session, where openssl
> > s_client takes only one.
> >
> > one tcp session is what i expect, and i hope someone may have an
> > explanation.
> >
> > compared the gnutls-cli with openssl s_client as they would do no http
> > interpretation, and are easily reproduced by commandline:
> >
> > gnutls-cli --insecure -V -r www.xs4all.nl </dev/null
> > uses 3 tcp sessions to complete
> > openssl s_client -connect www.xs4all.nl:443 < /dev/null
> > uses 1 tcp session to complete
> >
> >
> > Any idea how that may come? until now, i was under the impression a ssl
> > session setup should only use 1 tcp session (apart from ocsp/crl checks)
>
> Why are you passing '-r' to gnutls-cli? You are asking it to try to
> resume the session on a new TCP connection. (I count two connections.)
>
> DS