SSL Session IDs in Konqueror

Ross Vandegrift wrote:
>Hello,
>
>I've been troubleshotting an issue with Konqueror clients. I've traced
>it back to the manner in which these browers perform SSL. If this isn't
>the right list, please direct me to the right people - I'm not so
familiar with the KDE development structure.
>
>
>When a client opens an SSLv3 session, it generates an SSL Session ID
>as part of the Handshake protocol. This allows the session to be
>resumed for subsequent transactions. Mozilla and IE both generate a
>single SSL Session ID for a single webpage. This session is resumed
>for subsequent requests and elements of the page.
>
>Konqueror doesn't do this. It seems to generate a new SSL Session ID
>for each HTTP transaction. This is an issue for server-side things
>that depend upon the Session ID existing in the session cache (in my
>particular case, I'm troubleshooting a web application that uses SSL
>Session ID to direct users).
>
>
>Is this behavior intentional? Are there options that control it? I'm
>not really an expert on SSLv3, and am new to Konqueror, so if there's
>an FM I need to read, let me know!

As far as I understand, resuming sessions is entirely optional in HTTP and
is used to avoid the costly handshake associated with establishing a new
session.

The http ioslave in KDE will open many connections to the server and each
one should be kept alive for a time. But, when reloading or accessing
elements after a timeout, it'll need to reconnect. SSL Session support
was never written.

Not only that, it's also now out of our hands since we started using
QSslSocket. There's no API for doing resuming SSL sessions.

--
* Thiago Macieira *- *thiago (AT) macieira.info - thiago (AT) kde.org
* * PGP/GPG: 0x6EF45358; fingerprint:
* * E067 918B B660 DBD1 105C *966C 33F5 F005 6EF4 5358

PGP SIGNATURE
Version: GnuPG v1.4.9 (GNU/Linux)


ne/JGKIP43zld9SA=
=T9Md
PGP SIGNATURE