[RADIATOR] Suggestion: Support of TLS Session Resumption based on tickets and not just session IDs

Heikki Vatiainen hvn at open.com.au
Fri Oct 30 10:04:18 CDT 2015


On 27.10.2015 12.50, A.L.M.Buxey at lboro.ac.uk wrote:

>> RFC 5077 (Session Tickets based TLS Session resumption, aka TLS Session Resumption without Server-Side State) is implemented as of Windows 8.1 and Windows Server 2012R2. So along with Windows 10, that's 16% of the desktop market share according to:
>> https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
>
> well, depends if they use this for 802.1X...

Yes, it's a good question if session tickets are used by EAP clients. 
Apparently RFC 7170 TEAP does support it, but I have not seen any 
clients that support TEAP.

In other words, if the specification for an EAP method does not have 
anything about session tickets, should a compliant client even try using 
them?

> and if stuff is being done to support this then PLEASE let it be fully tested
> and verified by the requester/suggester and other people before being let loose.
> the TLS 1.2 issues we've recently had with issues was the result of the feature
> being requested but not then being tested thoroughly :/

Indeed :) If there's the possibility of doing resumption with session 
tickets or session IDs, or declining it completely and falling back to a full 
handshake, there can probably be interesting combinations of how things 
can go wrong.

Also, I'm not sure if tickets save much with EAP. If the authentication 
attempts that try to resume a session can be directed to the server 
instance that did the full authentication, then resume is possible. The 
number of requests that need to be exchanged is similar for both 
resumption methods. If there's a large farm of servers that can come and 
go, then there might be a case, but there's still the question of whether there 
are any EAP clients that support tickets.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
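To make the state-locality point above concrete, here is an added example (not Radiator code and not from this thread) that models a two-instance server farm: session-ID resumption depends on the cache of the instance that did the full handshake, while an RFC 5077-style ticket carries the sealed state and resumes on any instance holding the farm-wide ticket key. The key names, the AES-GCM ticket layout and the opaque session state are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Server models one instance of a server farm: the session-ID cache is private
// to the instance, the ticket key (name + AES key) is shared by the whole farm.
type Server struct {
	cache   map[string][]byte // session ID -> serialized TLS session state
	keyName []byte            // 16-byte name of the ticket key, sent in the clear
	gcm     cipher.AEAD       // AES-GCM under the farm-wide ticket key
}
func NewServer(keyName, ticketKey []byte) (*Server, error) {
	block, err := aes.NewCipher(ticketKey) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Server{cache: map[string][]byte{}, keyName: keyName, gcm: gcm}, nil
}
// FullHandshake stands in for a complete EAP-TLS exchange: the state is cached
// under a fresh session ID and also sealed into a ticket laid out as
// key_name || nonce || AES-GCM(state), key_name as AAD. (RFC 5077 itself
// recommends AES-CBC plus HMAC; GCM is a simplification for this example.)
func (s *Server) FullHandshake(state []byte) (sessionID string, ticket []byte) {
	id, nonce := make([]byte, 32), make([]byte, s.gcm.NonceSize())
	rand.Read(id) // crypto/rand.Read never returns an error in Go 1.24+
	rand.Read(nonce)
	s.cache[string(id)] = state
	ticket = append(append([]byte{}, s.keyName...), nonce...)
	return string(id), s.gcm.Seal(ticket, nonce, state, s.keyName)
}
// ResumeByID only succeeds on the instance that performed the full handshake.
func (s *Server) ResumeByID(sessionID string) ([]byte, bool) {
	state, ok := s.cache[sessionID]
	return state, ok
}
// ResumeByTicket works on any instance holding the named key; an unknown key
// name (e.g. after rotation) or a failed tag check means a full handshake.
func (s *Server) ResumeByTicket(ticket []byte) ([]byte, error) {
	n, hdr := len(s.keyName), len(s.keyName)+s.gcm.NonceSize()
	if len(ticket) < hdr || string(ticket[:n]) != string(s.keyName) {
		return nil, errors.New("unknown ticket key: full handshake required")
	}
	return s.gcm.Open(nil, ticket[n:hdr], ticket[hdr:], s.keyName)
}
```

The same model also shows the fallback case Heikki mentions: a ticket sealed under a key an instance no longer holds, or one whose tag fails, is rejected and the client is back to a full handshake.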
