[stunnel-users] permanent tunnel

Ramin Ali Dousti ramin at cannon.eng.us.uu.net
Sun Oct 31 02:49:42 CEST 2004

Michal Trojnara wrote:

>On Saturday 30 of October 2004 01:16, Ramin Ali Dousti wrote:
>>You're right in that I don't have persistent TCP connection.  I just
>>want to make sure that the SSL handshake
>>does not take place with every short-lived connection.
>You don't want to negotiate new keys for every connection, right?
>In SSL there's a mechanism for it called "session cache".  In stunnel you can 
>increase the timeout for session cache with "session" option (on both client 
>and sever).  Just set it to a very high value (a month? a year?). The default 
>is 300 seconds (5 minutes).
>Best regards,
>    Mike

OK. Can you please explain how that works, I mean, The encapsulated TCP 
connection ends and let's say
some 2 minutes later the client initiates another TCP connection with 
another client port number which goes
through the stunnel again. At this point the server expects to do the 
SSL handshake again. From what you say,
I gather that there is this "session cache" option which instructs the 
server to use its cache for the session key
and not go through the whole SSL handshake. First of all, how is this 
cache maintained because it sounds like
defeating the purpose of using SSL (and its handshake) once you rely on 
some kind of cache? Secondly, does
the client not have to know about this mechanism? What is the dialog 
between the client and the server in
maintaining the session key across multiple sessions?

Thanks for the help.


More information about the stunnel-users mailing list