Cratylus

Reputation: 54074

TLS session reuse over new TCP connection

This is after my question about http and tls.
It seems that there is no mandate per RFC to invalidate an established TLS session if the underlying TCP connection is closed (and then reopened).
Is it safe to reuse the established TLS session over the new TCP connection?
Are there any known attacks (even at a theoretical level) that could exploit this?

Thank you

Upvotes: 0

Views: 2718

Answers (1)

President James K. Polk

Reputation: 41967

Indeed there is such a mandate in RFC 2246 -- TLS 1.0 if the TCP connection is closed without sending a close_notify alert: see section 7.2.1 of RFC 2246. This mandate was widely ignored in implementations that otherwise followed RFC 2246. Acknowledging this, TLS 1.1 and TLS 1.2 have eliminated the requirement.

TLS/SSL security does not rely on any properties of TCP, so things that happen at that level should not matter. In particular it should not matter whether you try to resume a TLS session on the same TCP connection or on a new TCP connection.

Upvotes: 6
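The behaviour the answer describes can be checked directly against a real TLS stack. The following is an added example (not part of the question or answer) using Go's `crypto/tls`: a throwaway self-signed certificate is constructed in memory, a local TLS server is started, and a client with a session cache opens two separate TCP connections to it. The second connection is a brand-new TCP socket, and `ConnectionState().DidResume` shows whether the TLS session was resumed. The `abortFirst` switch additionally tears the first connection down at the TCP layer without sending close_notify, i.e. the situation RFC 2246 section 7.2.1 covered, so you can observe that a modern implementation still resumes. Function names, the loopback address and the one-byte echo protocol are choices made for this example, not anything from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a short-lived localhost certificate in memory so the
// example runs offline. This is constructed test material, not a real key.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// startServer listens on loopback and, for every connection, reads one byte
// and echoes it back. Session tickets are enabled by default in crypto/tls.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				buf := make([]byte, 1)
				if _, err := c.Read(buf); err == nil {
					c.Write(buf)
				}
			}(c)
		}
	}()
	return ln, nil
}

// resumedAcrossTCP performs two handshakes over two distinct TCP connections
// sharing one client session cache and reports DidResume for each. With
// abortFirst set, the first connection is closed at the TCP layer only, so no
// close_notify alert is ever sent before the second connection is opened.
func resumedAcrossTCP(abortFirst bool) (first, second bool, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return false, false, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return false, false, err
	}
	defer ln.Close()
	cfg := &tls.Config{
		RootCAs:            pool,
		ServerName:         "localhost",
		MinVersion:         tls.VersionTLS12,
		ClientSessionCache: tls.NewLRUClientSessionCache(8),
	}
	// First connection: dial TCP ourselves so we can abort it below.
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, false, err
	}
	c1 := tls.Client(raw, cfg)
	if err := c1.Handshake(); err != nil {
		raw.Close()
		return false, false, err
	}
	// Exchange one byte: in TLS 1.3 this also drains the server's post-handshake
	// NewSessionTicket message into the client cache before we close.
	if _, err := c1.Write([]byte{'x'}); err != nil {
		raw.Close()
		return false, false, err
	}
	if _, err := c1.Read(make([]byte, 1)); err != nil {
		raw.Close()
		return false, false, err
	}
	first = c1.ConnectionState().DidResume
	if abortFirst {
		raw.Close() // TCP close with no close_notify alert
	} else {
		c1.Close() // orderly TLS shutdown (close_notify), then TCP close
	}
	// Second connection: a completely new TCP socket, same session cache.
	c2, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return first, false, err
	}
	defer c2.Close()
	second = c2.ConnectionState().DidResume
	return first, second, nil
}

func main() {
	for _, abort := range []bool{false, true} {
		first, second, err := resumedAcrossTCP(abort)
		if err != nil {
			panic(err)
		}
		fmt.Printf("abort without close_notify=%v: first resumed=%v, second resumed=%v\n",
			abort, first, second)
	}
}
```

Both runs should report a full handshake first and a resumed handshake on the new TCP connection, regardless of how the first socket was closed, which is the practical consequence of the answer's point that TLS session state lives above the transport. The same `DidResume` check is a convenient place to confirm that a server you operate actually honours the session ticket lifetime and rotation policy you intended.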
