About Rfc 5246
ImageUpon receiving the CLIENT HELLO, if the server is configured for Client Certificate Authentication, it will send a list of Distinguished CA names & Client Certificate Request to the client as a part of the SERVER HELLO apart from other details depicted above.Upon receiving the Server Hello containing the Client Certificate request & list of Distinguished CA names, the client will perform the following steps:The client uses the CA list available in the SERVER HELLO to determine the mutually trusted CA certificates.Theclient will then determine the Client Certificates that have been issued by the mutually trusted Certification Authorities.The client will then present the client certificate list to the user so that they can select a certificate to be sent to the Server.NOTE:On the Client the Client Certificates must have a Private Key. If absent, then the certificate is ignored.If the server doesn’t provide the list of Distinguished CA Names in the SERVER HELLO, then the client will present the user with all the client certificates that it has access to.Upon selection, the client responds with aClientKeyExchange message which contains the Pre-master secretCertificate message which contains the Client certificate(Doesn’t contain the private key).CertificateVerifymessage, which is used to provide explicit verification of a client certificate. This message is sent only if the Client Certificate message was sent. The client is authenticated by using its private key to sign a hash of all the messages up to this point. The recipient verifies the signature using the public key of the signer, thus ensuring it was signed with the client’s private key. Refer RFC 5246 for more details.Post this Client & Server use the random numbers and the Pre-Master secret to generate symmetric (or Master) keys which will used for encrypting & decrypting messages for further communication.Both respond with ChangeCipherSpec indicating that they have finished the process.SSL Handshake stands completed now and both the parties own a copy of the master key which can be used for encryption and decryption.We know that the server sends the list of Distinguished CA names as a part of SERVER HELLO. The RFC never mandates the list of Distinguished CA Names should contain Root CA or Intermediate CA certificates. Here is a snippet of this section defined in the RFC5246:certificate_authoritiesA list of the distinguished names [X501] of acceptablecertificate_authorities, represented in DER-encoded format. Thesedistinguished names may specify a desired distinguished name for aroot CA or for a subordinate CA;
Key features of the Rfc 5246 that are enabled through these drivers include:
- Blog St phane Bortzmeyer: RFC 5246: The Transport Layer Security
- [TLS] RFC 5246 on The Transport Layer Security (TLS) Protocol Version
- RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2
- RFC, RFC Viewer, RFC Printing, RFC Browsing - EffeTech
- RFC, RFC Viewer, RFC Printing, RFC Browsing - ftp.effetech.com
- Wordscapes Level 5246, Solice 14
- JKB (OS Build .5246) - Microsoft
2015-02-244 min readAt CloudFlare, making web sites faster and safer at scale is always a driving force for innovation. We introduced “Universal SSL” to dramatically increase the size of the encrypted web. In order for that to happen we knew we needed to efficiently handle large volumes of HTTPS traffic, and give end users the fastest possible performance. CC BY 2.0 image by ecos systemsIn this article, I’ll explain how we added speed to Universal SSL with session resumptions across multiple hosts, and explain the design decisions we made in this process. Currently, we use two standardized session resumption mechanisms that require two different data sharing designs: Session IDs RFC 5246, and Session Tickets RFC 5077. Session ID Resumption Resuming an encrypted session through a session ID means that the server keeps track of recent negotiated sessions using unique session IDs. This is done so that when a client reconnects to a server with a session ID, the server can quickly look up the session keys and resume the encrypted communication. At each of CloudFlare’s PoPs (Point of Presence) there are multiple hosts handling HTTPS traffic. When the client attempts to resume a TLS connection with a web site, there is no guarantee that they will connect to the same physical machine that they connected to previously. Without session sharing, the success rate of session ID resumption could be as low as 1/n (when there are n hosts). That means the more hosts we have, the less likely a session can be resumed. This goes directly against our goal of scaling SSL performance!CloudFlare’s solution to this problem is to share the sessions within the PoP, making the successful resumption rate approach 100%. We employ a memcached cluster to cache all the recent negotiated sessions from all the hosts within the same PoP. To enhance the secrecy and security of session keys, all cached sessions are encrypted. When a new session with a session ID is negotiated, a host will encrypt the new session and insert it to memcached, indexed by the session ID. When a host needs to look up a session for session resumption, it will query memcached using the session ID as the key and decrypt the cached session to resume it. All those operations happen as non-blocking asynchronous calls thanks to the power of OpenResty, and many handy OpenResty modules such as the fully asynchronous memcached client.
