Thursday, June 6, 2019

SSL renegotiation and resumption

"Resumption and renegotiation are rather opposites. Resumption restarts a previous TLS session in a new TCP connection, using the same TLS parameters. Renegotiation continues an existing TLS session in the same TCP connection, but changes some of the parameters."

In Fiddler, check for the renegotiation_info field in the CONNECT requests.

Secure Renegotiation: Supported
Secure Client-Initiated Renegotiation: Yes
Insecure Client-Initiated Renegotiation: No

Session resumption (caching): Yes
Session resumption (tickets): No
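As an added example (not code from this post), here is a Python parser for the raw ServerHello record that the Fiddler CONNECT tunnel shows: it reports whether the server echoed the RFC 5746 renegotiation_info extension, which is what "Secure Renegotiation: Supported" means. The two ServerHello records at the bottom are constructed sample data, not real captures.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # RFC 5746 extension type "renegotiation_info"


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return the session id,
    the chosen cipher suite and a dict of extension type -> payload."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip version and random
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]  # non-empty => cache-based resumption offered
    pos += 1 + sid_len
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                      # cipher suite + compression method
    exts = {}
    if pos < len(body):                           # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"session_id": session_id, "cipher": cipher, "extensions": exts}


def secure_renegotiation_supported(record: bytes) -> bool:
    """True when the server echoed renegotiation_info. In an initial handshake
    its payload is one zero byte (empty renegotiated_connection); a server
    that omits the extension does not support secure renegotiation (RFC 5746)."""
    return RENEGOTIATION_INFO in parse_server_hello(record)["extensions"]


def _hello(extensions: bytes) -> bytes:
    """Build a constructed ServerHello record (sample data, not a real capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # TLS 1.2, zero random, empty session id
    body += b"\xc0\x2f" + b"\x00"                 # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, null compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


SECURE_HELLO = _hello(struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00")
LEGACY_HELLO = _hello(b"")
```

Feed it the handshake bytes captured from the tunnel; a missing extension on a server that still answers renegotiation requests is the "Insecure Client-Initiated Renegotiation" case.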

Check the DisableRenegoOnClient link, and:

"Modify the key to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnClient | DWORD=0", or the JVM option -Djdk.tls.rejectClientInitiatedRenegotiation=true (see on why this is a bad idea).

Doc on Session Resumption.


Here is more explanation on Resumption and Renegotiation.

To understand JSSE in general, read this guide.
