I've just started learning SSL and boy is it confusing
Q1 - How long does SSL connection between a client and server persist? Until client surfs to some other URL or…?
Q2
A) Assume a client (browser) establishes an SSL connection with an IIS server.
Now how does IIS figure out on each postback that it is dealing with same authenticated client/browser and thus that it already has a SSL connection established with that client?
B) Assuming the SSL connection isn't lost if the browser surfs to some other URL:
Suppose that moments after the SSL connection is established, the client surfs to some other URL, and shortly thereafter it again requests (via https) the original page (the one with which it has the SSL connection established).
How will the IIS server be able to figure out that the current request for a page comes from a client that already has an SSL connection established with that page and thus will use the already established SSL connection?
thanx
EDIT:
- Assuming the browser surfs to some other URL and, on returning to the original page, the SSL connection is still established, how will the browser "remember" the value of the symmetric encryption key which the two sides used for communicating?
- I realize it depends on what browser you use, but with IE and Firefox, I assume when you close a browser, it sends Connection.Close() (or something to that effect) to the server and thus the SSL connection is immediately closed?
- But if you browse away to some other URL, then if the browser doesn't send any notification to the server, wouldn't the SSL connection then remain established for quite some time (even 10 or more minutes) and thus the browser could easily surf back to that page as if nothing happened?!
I appreciate it
3 solutions
#1
post-edit answers:
What I think you may be missing is that SSL is linked intrinsically to TCP. You cannot have an SSL "connection" to the server that doesn't ride on top of a TCP connection. You break one, you break the other.
Most SSL implementations include "shortcut" negotiation where subsequent new connections can leverage the public key encryption that has already taken place and instead directly use the most recently negotiated symmetric key. The details of this, however, are hidden within the SSL implementation. From the point of view of the user and/or client software, the fiction is maintained that the entire negotiation took place just like it did on the first connection.
-
If the SSL connection is still established, then it follows that the symmetric key information is still maintained on both ends.
Yes.
-
Yes, although it would be improbable for the client to keep a connection to a server once it has navigated away to some other site.
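The "shortcut" negotiation described in this answer is TLS session resumption. The following is an added example, not code from the answer or from any browser or IIS: using Go's crypto/tls, it spins up a throwaway self-signed localhost server, dials it twice with a client session cache, and reports whether each handshake was full or resumed from the cached session. The certificate, port and the two-byte server greeting are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// ResumeTwice opens two TLS connections to a throwaway local server and reports,
// for each, whether the handshake was full (false) or resumed (true).
func ResumeTwice() (first, second bool, err error) {
	// Self-signed localhost certificate, generated on the fly for this example only.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return }
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil { return }
	defer ln.Close()
	go func() { // server side: accept, send two bytes of application data, close
		for {
			c, e := ln.Accept()
			if e != nil { return }
			go func(c net.Conn) { defer c.Close(); c.Write([]byte("hi")) }(c)
		}
	}()
	pool := x509.NewCertPool()
	leaf, _ := x509.ParseCertificate(der)
	pool.AddCert(leaf)
	// The client keeps negotiated session state in this cache and offers it on the next Dial,
	// so the second handshake can skip the public-key work, as the answer describes.
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost", ClientSessionCache: tls.NewLRUClientSessionCache(8)}
	dial := func() (bool, error) {
		c, e := tls.Dial("tcp", ln.Addr().String(), cfg)
		if e != nil { return false, e }
		defer c.Close()
		// Reading processes the post-handshake NewSessionTicket (TLS 1.3) so it lands in the cache.
		if _, e = c.Read(make([]byte, 2)); e != nil { return false, e }
		return c.ConnectionState().DidResume, nil
	}
	if first, err = dial(); err != nil { return }
	second, err = dial()
	return
}
```

Note that each resumed connection is still a new TCP connection; the cache only spares the key exchange, it does not keep the old connection alive.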
#2
Q1. The SSL connection is only good for a single TCP connection between the client and the server. Current browsers (anything with HTTP/1.1 support) can reuse a single connection for downloading multiple resources. Current browsers also make multiple TCP connections to a server in order to download multiple resources in parallel. Because of this, you'll see multiple SSL connections for one page view.
Q2A. If the browser still has a TCP connection open with that server, it can reuse that connection. Otherwise, a new TCP connection with SSL and IIS authentication is negotiated.
Q2B. Same as Q2A. You can't depend on this, but the TCP connections won't be disposed of immediately. There's a chance you could reuse an existing one depending on your browser.
#3
A1. An SSL connection persists until either the client or server closes it. When that happens depends on the protocol being used. For HTTP, most modern clients will make a few parallel connections to the server to fetch the page and its resources, and reuse those connections until the page is loaded.
A2A. The client must authenticate itself on each request if the authentication uses HTTP auth. If the client is using SSL certificate authorization, then this is obviously maintained on a per-connection basis so that subsequent requests on the same connection retain the same credentials.
A2B. The server would know this because presumably the request would come in on that already established SSL connection.