ssl save/restore/migrate functionality

ssl save/restore/migrate functionality

Jayant Jain
Is there a way to save the SSL Context / Session and then restore the session on a new instance to support session migration?



Thanks


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: ssl save/restore/migrate functionality

Viktor Dukhovni


> On Aug 5, 2018, at 4:27 PM, Jayant Jain <[hidden email]> wrote:
>
> Is there a way to save the SSL Context / Session and then restore the session on a new instance to support session migration?

TLS session resumption is supported.  Migration of the SSL state of a live
connection is not.  That is, while the operating system may let you pass
the connection file descriptor between processes, OpenSSL does not presently
support serializing and de-serializing the connection state to allow the
other process to continue the existing SSL session.

--
        Viktor.

Re: ssl save/restore/migrate functionality

Jayant Jain

Do you see it being of enough value to consider bringing the feature into your roadmap?


Thanks


From: openssl-users <[hidden email]> on behalf of Viktor Dukhovni <[hidden email]>
Sent: Sunday, August 5, 2018 1:55:34 PM
To: [hidden email]
Subject: Re: [openssl-users] ssl save/restore/migrate functionality
 


> On Aug 5, 2018, at 4:27 PM, Jayant Jain <[hidden email]> wrote:
>
> Is there a way to save the SSL Context / Session and then restore the session on a new instance to support session migration?

TLS session resumption is supported.  Migration of the SSL state of a live
connection is not.  That is, while the operating system may let you pass
the connection file descriptor between processes, OpenSSL does not presently
support serializing and de-serializing the connection state to allow the
other process to continue the existing SSL session.

--
        Viktor.

Re: ssl save/restore/migrate functionality

Viktor Dukhovni


> On Aug 5, 2018, at 8:07 PM, Jayant Jain <[hidden email]> wrote:
>
> Do you see it being of enough value to consider bringing the feature into your roadmap?

Can you be specific about which "it" you're looking for?

There are no present plans to make it possible to move live connections
across process boundaries.  There are considerable obstacles to making that
possible.  If that's what you're looking for, it is not likely to happen soon.

--
        Viktor.

Re: ssl save/restore/migrate functionality

OpenSSL - User mailing list

> Do you see it being of enough value to consider bringing the feature into your roadmap?

No.  At least not in my opinion.

Migrating "live" TLS connections does not seem a common situation, and is bound to be non-portable.
