[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x
From: Nick Mathewson <nickm@xxxxxxxxxxxx>
Date: Mon, 12 Mar 2012 13:23:14 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 12 Mar 2012 13:23:33 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=icTXul4Rmnmi1Cai2CV6itIr6ZbRljmYsKe9IU4htCM=; b=RY3SjSjpFmNufFq5qKQAAIrSnx4xX4LJTBA9sa25hPcfkh2KavBfR64vylf3v57kAg p9T+JljSisz/3JhGVZLPWpGO88j6hR4T5OYDLyWRVxPF5NprtuiIBOjqoQnlDO8Lr2Ii EkLjQ/at3ad3UEu1EyrNXgZKFyfUYF5Heju2twadA/i1acmZLzz+PoESH68qYhaHJSTD l7FPfMKMIP6u2kL+tSnvjlxaj0D2ZINSgdQZ9wwQPEuSGLU4FgBYTt4Qq3QNpE8arBxI xWJKimRT5Fc22z3o1OyyHpwvFcQBBKjjjrQPf04ZWQxPFLNn0acexE8BDdDNCmL23xHT gMUQ==
In-reply-to: <87sjhh8g1g.fsf@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for discussion by the developers of Tor." <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuzV81tJm1T4R8W0UtbuwF1Fo-00+jyf0C1Ta6UWcK0Ojw@xxxxxxxxxxxxxx> <87sjhh8g1g.fsf@xxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx

On Fri, Mar 9, 2012 at 7:18 PM, George Kadianakis
 [...]
> What is the reason we don't like session resumption? Does it still
> makes sense to keep it disabled even after #4436 is implemented?

The main reason not to support session resumption is that, as noted
later in this thread, it can require the server to keep key material
around after the original connection has closed.

Now, we could set an extra-short timeout interval here, I guess.  With
a short enough interval, that would be functionally equivalent to what
I proposed, and probably easier to do with OpenSSL via
SSL_CTX_set_timeout() and regular calls to SSL_CTX_flush_sessions().

-- 
Nick
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x
  - From: Nick Mathewson
- Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x
  - From: George Kadianakis

Prev by Author: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x
Next by Author: Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x
Previous by thread: Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x
Next by thread: Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x
Index(es):
- Author
- Thread