Session cache – Zilog EZ80F91AZA User Manual
Page 58
UM020107-1211
SSL Configuration
ZTP Network Security SSL Plug-In
User Manual
52
The digital signature standard (DSS) specification does not permit the use of MD5 with DSA. Therefore, this implementation will not recognize MD5 with DSA as a valid signature.
Session Cache
Executing public key algorithms is a computationally-intensive process, and accounts for nearly all of the time required to establish an SSL session. As the length of the keys involved increases, execution time increases exponentially. To avoid executing these asymmetric algorithms every time the same client and the same server must establish a new session, all versions of the SSL handshake protocol use a session cache.
This session cache effectively stores the shared secret which a given client and server
derive using a public key algorithm from a previous session. If both parties store this
shared secret in the session cache, then the next time they attempt to establish a session,
there will be no need to execute another public key algorithm to arrive at a common shared
secret.
In the ZTP Network Security SSL Plug-In implementation, the session cache is controlled by the value of two configuration variables, SSL_MAX_SESSION_CACHE_ENTRIES and SSL_CACHE_TIMEOUT. These variables are defined in the ssl_conf.c configuration file. The default configuration is shown in the following code fragment:
SSL_BYTE  SSL_MAX_SESSION_CACHE_ENTRIES = 8;
SSL_DWORD SSL_CACHE_TIMEOUT = 30000; /* measured in 10ms ticks */
SSL_MAX_SESSION_CACHE_ENTRIES determines the maximum number of entries in the cache. One entry is used for each SSL session established using a different remote IP address. This addressing requirement allows multiple remote sockets (i.e., individual connections) to share the same SSL session. For example, if an SSL session is established with remote socket 1.2.3.4:5000, then it creates a new entry in the session cache which will be reused if a connection is attempted with remote socket 1.2.3.4:6000. If the SSL_MAX_SESSION_CACHE_ENTRIES variable is set to 0, then the SSL session cache is disabled; i.e., all attempts at establishing an SSL session will be required to perform asymmetric public key operations to arrive at a new shared secret every time the same client and server reconnect.
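The following C program is an added illustration of the cache semantics described above and in the ssl_conf.c fragment; it is not Zilog's ZTP code. The typedefs, the cache_entry structure, the cache_lookup/cache_insert functions and the constructed 1.2.3.4 scenario are all assumptions made for this example. It keys entries by remote IP address only (so a second connection from another port on the same host is a hit), treats SSL_MAX_SESSION_CACHE_ENTRIES = 0 as "cache disabled", and discards an entry once it has been idle for more than SSL_CACHE_TIMEOUT ticks of 10 ms.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the session cache behaviour described in the manual.
 * Not Zilog's ZTP code; it exists only to make the two configuration
 * variables' semantics concrete. Ticks are 10 ms, as in the ssl_conf.c comment. */

typedef uint8_t  SSL_BYTE;    /* assumed typedefs; the real ones live in the plug-in */
typedef uint32_t SSL_DWORD;

/* Same defaults as the ssl_conf.c fragment. */
SSL_BYTE  SSL_MAX_SESSION_CACHE_ENTRIES = 8;
SSL_DWORD SSL_CACHE_TIMEOUT = 30000;   /* 10 ms ticks, i.e. a 300 s idle limit */

#define CACHE_SLOTS 8   /* fixed storage; the variable above bounds how many are used */

typedef struct {
    uint32_t  remote_ip;          /* key: remote IPv4 address only, the port is ignored */
    uint8_t   shared_secret[48];  /* secret derived by the last full handshake */
    SSL_DWORD last_used;          /* tick of last use; idle time is counted from here */
    int       valid;
} cache_entry;

static cache_entry cache[CACHE_SLOTS];

static void cache_reset(void) { memset(cache, 0, sizeof cache); }

/* Invalidate entries idle for more than SSL_CACHE_TIMEOUT ticks.
 * Unsigned subtraction keeps this correct across tick-counter wraparound. */
static void cache_expire(SSL_DWORD now)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].valid && now - cache[i].last_used > SSL_CACHE_TIMEOUT)
            cache[i].valid = 0;
}

/* Returns the live entry for remote_ip (any remote port), or NULL when a full
 * handshake with public-key operations is unavoidable. */
cache_entry *cache_lookup(uint32_t remote_ip, SSL_DWORD now)
{
    if (SSL_MAX_SESSION_CACHE_ENTRIES == 0)
        return NULL;                     /* cache disabled: always a full handshake */
    cache_expire(now);
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].valid && cache[i].remote_ip == remote_ip) {
            cache[i].last_used = now;    /* a hit restarts the idle timer */
            return &cache[i];
        }
    return NULL;
}

/* Store the secret produced by a full handshake. Returns 1 on success, 0 when
 * caching is disabled or all SSL_MAX_SESSION_CACHE_ENTRIES slots are in use. */
int cache_insert(uint32_t remote_ip, const uint8_t secret[48], SSL_DWORD now)
{
    if (SSL_MAX_SESSION_CACHE_ENTRIES == 0)
        return 0;
    cache_expire(now);
    int limit = SSL_MAX_SESSION_CACHE_ENTRIES < CACHE_SLOTS
              ? SSL_MAX_SESSION_CACHE_ENTRIES : CACHE_SLOTS;
    for (int i = 0; i < limit; i++)
        if (!cache[i].valid) {
            cache[i].remote_ip = remote_ip;
            memcpy(cache[i].shared_secret, secret, 48);
            cache[i].last_used = now;
            cache[i].valid = 1;
            return 1;
        }
    return 0;
}

static const uint8_t  DEMO_SECRET[48] = { 0x5a };  /* constructed placeholder, not a real secret */
static const uint32_t DEMO_IP = 0x01020304;        /* 1.2.3.4 from the manual's example */

/* The manual's scenario: 1.2.3.4:5000 creates the entry, 1.2.3.4:6000 reuses it. */
int scenario_reuse_across_ports(void)
{
    cache_reset();
    SSL_MAX_SESSION_CACHE_ENTRIES = 8;
    SSL_CACHE_TIMEOUT = 30000;
    if (cache_lookup(DEMO_IP, 0) != NULL) return 0;   /* first contact: miss */
    cache_insert(DEMO_IP, DEMO_SECRET, 0);
    return cache_lookup(DEMO_IP, 100) != NULL;        /* 1 s later, other port: hit */
}

/* An entry idle for longer than SSL_CACHE_TIMEOUT is gone; one exactly at the limit is not. */
int scenario_idle_expiry(void)
{
    cache_reset();
    SSL_MAX_SESSION_CACHE_ENTRIES = 8;
    SSL_CACHE_TIMEOUT = 30000;
    cache_insert(DEMO_IP, DEMO_SECRET, 0);
    if (cache_lookup(DEMO_IP, 30000) == NULL) return 0;  /* live at 300 s; timer restarts */
    return cache_lookup(DEMO_IP, 60001) == NULL;         /* 300.01 s idle since the hit: expired */
}

/* SSL_MAX_SESSION_CACHE_ENTRIES = 0 disables caching entirely. */
int scenario_disabled(void)
{
    cache_reset();
    SSL_MAX_SESSION_CACHE_ENTRIES = 0;
    return cache_insert(DEMO_IP, DEMO_SECRET, 0) == 0 && cache_lookup(DEMO_IP, 0) == NULL;
}

int main(void)
{
    printf("reuse across ports: %d\n", scenario_reuse_across_ports());
    printf("idle expiry:        %d\n", scenario_idle_expiry());
    printf("cache disabled:     %d\n", scenario_disabled());
    return 0;
}
```

The idle timer is restarted on every hit, so a host that reconnects more often than once per SSL_CACHE_TIMEOUT keeps the same shared secret alive indefinitely; the timeout bounds idle lifetime only. When tuning ssl_conf.c, lower SSL_CACHE_TIMEOUT if peers reconnect continuously and the secret's exposure window matters more than the cost of the extra public-key operations.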
The SSL_CACHE_TIMEOUT variable determines the maximum lifetime (measured in 1/100th of a second) of an idle entry in the session cache. In general, leaving entries in the session cache indefinitely is a security risk because the longer the shared secret remains in existence, the greater the likelihood that an attacker will be able to find it. Conversely, if session entries
Note: