9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] tls session resumption?
@ 2005-09-05 22:04 Axel Belinfante
From: Axel Belinfante @ 2005-09-05 22:04 UTC (permalink / raw)
  To: 9fans

It could be nice to have session resumption for tls,
even if only for the ttls in 802.1x, where it seems
we have to redo the auth handshake every x minutes,
to keep the connection alive.

with that in mind I've been staring a bit at the tlshand.c
and devtls.c code without making much progress.

to resume a session, the client needs to store or have
otherwise access to the state of the session (TlsSec, I guess).

I'm wondering if the state that is kept by tlsdev for a
session after a successful handshake would be enough
(such that I don't have to remember those secrets myself --
 if I do have to store stuff myself, would factotum be
 the place for that? or?)
and if an existing tls dev could be used to do a new handshake
(that would mean that the 'connection dir' of TLSconn would
 be an IN/OUT parameter, instead of just OUT)
using the hand file (even when encryption was already
enabled for the data file) such that if no session is resumed
new secrets are given and changecipher is done, or, if
a session is resumed, a special 'resume' message is given
to allow subsequent changecipher without giving new secrets.

I'm not sure if I would need explicit access to the secrets
to be able to compute/verify the finished messages...
and whether or not the client/server random in the hello
messages may make explicit access to the secrets necessary...


any insights welcome. hope the above makes at least some sense.

Axel.
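The questions above (what session state has to survive, and whether the client/server randoms force access to the secrets) can be answered concretely from the TLS 1.0 (RFC 2246) derivations. The following is an added example written for this page; it is not Plan 9 code and does not model tlshand.c, devtls.c or factotum. It is in Python rather than Plan 9 C so that the PRF can reuse the standard library's HMAC, MD5 and SHA-1. The session cache, transcript bytes, randoms and premaster secret are constructed here for illustration, and the handshake transcript is simplified (real implementations hash the exact handshake messages including their headers).

```python
"""Model of TLS 1.0 session resumption state (RFC 2246), constructed example."""
import hashlib
import hmac

MASTER_SECRET_LEN = 48   # RFC 2246 section 8.1
VERIFY_DATA_LEN = 12     # RFC 2246 section 7.4.9


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC-based expansion of a secret."""
    out = b""
    a = hmac.new(secret, seed, hash_name).digest()          # A(1)
    while len(out) < length:
        out += hmac.new(secret, a + seed, hash_name).digest()
        a = hmac.new(secret, a, hash_name).digest()           # A(i+1)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """PRF = P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed); S1/S2 are the secret halves."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def master_secret(premaster, client_random, server_random):
    return tls10_prf(premaster, b"master secret",
                     client_random + server_random, MASTER_SECRET_LEN)


def key_block(master, client_random, server_random, length):
    # Seed order is server_random first here (RFC 2246 section 6.3).
    return tls10_prf(master, b"key expansion",
                     server_random + client_random, length)


def verify_data(master, label, handshake_messages):
    """Finished.verify_data needs the master secret plus MD5 and SHA-1 of the transcript."""
    digest = (hashlib.md5(handshake_messages).digest()
              + hashlib.sha1(handshake_messages).digest())
    return tls10_prf(master, label, digest, VERIFY_DATA_LEN)


class SessionCache:
    """The state that must outlive a connection: session_id -> (master secret, cipher suite)."""
    def __init__(self):
        self._entries = {}

    def store(self, session_id, master, cipher_suite):
        self._entries[session_id] = (master, cipher_suite)

    def lookup(self, session_id):
        return self._entries.get(session_id)


def full_handshake(cache, premaster, client_random, server_random,
                   cipher_suite, session_id, key_len):
    """Full handshake: premaster exchanged, master derived, then cached for later resumption."""
    master = master_secret(premaster, client_random, server_random)
    cache.store(session_id, master, cipher_suite)
    return master, key_block(master, client_random, server_random, key_len)


def resume(cache, session_id, client_random, server_random, key_len):
    """Abbreviated handshake: no key exchange; cached master + fresh randoms -> fresh keys.
    Returns None when the id is unknown, in which case a full handshake is required."""
    entry = cache.lookup(session_id)
    if entry is None:
        return None
    master, _suite = entry
    # Simplified transcript (constructed); the server sends its Finished first and the
    # client's Finished hash covers it.
    transcript = (b"ClientHello" + client_random + session_id
                  + b"ServerHello" + server_random + session_id)
    server_fin = verify_data(master, b"server finished", transcript)
    client_fin = verify_data(master, b"client finished", transcript + server_fin)
    return {"key_block": key_block(master, client_random, server_random, key_len),
            "server_finished": server_fin, "client_finished": client_fin}


def demo(key_len=104):
    """Constructed walk-through: one full handshake, then one resumed connection."""
    cache = SessionCache()
    sid = b"\x01" * 32
    premaster = b"\x03\x01" + b"\xaa" * 46                  # constructed, not exchanged
    cr1, sr1 = bytes(range(0, 32)), bytes(range(32, 64))     # first connection's randoms
    master, kb1 = full_handshake(cache, premaster, cr1, sr1, 0x002F, sid, key_len)
    cr2, sr2 = bytes(range(64, 96)), bytes(range(96, 128))   # fresh randoms on resumption
    resumed = resume(cache, sid, cr2, sr2, key_len)
    return {"master": master, "first_key_block": kb1, "resumed": resumed,
            "unknown_id": resume(cache, b"\x02" * 32, cr2, sr2, key_len)}


if __name__ == "__main__":
    d = demo()
    print("master secret reused, key block fresh:",
          d["resumed"]["key_block"] != d["first_key_block"])
```

The point this makes for the design question in the post: the only secret a resumed session needs from the old one is the 48-byte master secret (with the session id and cipher suite it was negotiated under), but both the new key block and both Finished messages are computed from that master secret together with the new client/server randoms. So whatever holds the master secret (the device, or a store such as factotum) has to either hand it out or run the abbreviated handshake itself; the randoms alone are not enough.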



