\u8fd9\u7bc7 RFC \u5e9f\u5f03\u4e86 "RFC4507: Transport Layer Security (TLS) Session Resumption without Server-Side State"<\/p>\n
\u4e3b\u8981\u63cf\u8ff0\u4e86\u5728\u4e0d\u9700\u8981\u7ef4\u62a4\u670d\u52a1\u5668\u72b6\u6001\u7684\u60c5\u51b5\u4e0b\u5982\u4f55\u91cd\u542f\u4e00\u4e2a TLS Session<\/p>\n
\u72b6\u6001\u603b\u5f52\u662f\u8981\u6709\u7684, \u6bd4\u5982\u52a0\u5bc6\u5957\u4ef6, \u52a0\u5bc6\u7684\u4e3b\u5bc6\u94a5, \u5b83\u4eec\u90fd\u4fdd\u5b58\u5728\u4e00\u4e2a\u7531\u670d\u52a1\u5668\u77e5\u9053\u7684\u5bc6\u94a5\u52a0\u5bc6\u8fc7\u7684\u4e00\u4e2a ticket \u91cc<\/p>\n
it stores its session state (such as ciphersuite and master secret) to a ticket that is encrypted and integrity-protected by a key known only to the server.<\/p>\n
The ticket is distributed to the client using the NewSessionTicket<\/p>\n
This message is sent during the TLS handshake before the ChangeCipherSpec message, after the server has successfully verified the client's Finished message<\/p>\n
\n Client Server\n\n ClientHello\n (empty SessionTicket extension)-------->\n ServerHello\n (empty SessionTicket extension)\n Certificate*\n ServerKeyExchange*\n CertificateRequest*\n <-------- ServerHelloDone\n Certificate*\n ClientKeyExchange\n CertificateVerify*\n [ChangeCipherSpec]\n Finished -------->\n NewSessionTicket\n [ChangeCipherSpec]\n <-------- Finished\n Application Data <-------> Application Data<\/code><\/pre>\n\n- Figure 2: Message Flow for Abbreviated Handshake Using New Session<\/li>\n<\/ul>\n
Client Server\n ClientHello\n (SessionTicket extension) -------->\n ServerHello\n (empty SessionTicket extension)\n NewSessionTicket\n [ChangeCipherSpec]\n <-------- Finished\n [ChangeCipherSpec]\n Finished -------->\n Application Data <-------> Application Data\n<\/code><\/pre>\n\n- Figure 3: Message Flow for Server Completing Full Handshake Without Issuing New Session Ticket<\/li>\n<\/ul>\n
Client Server\n\n ClientHello\n (SessionTicket extension) -------->\n ServerHello\n Certificate*\n ServerKeyExchange*\n CertificateRequest*\n <-------- ServerHelloDone\n Certificate*\n ClientKeyExchange\n CertificateVerify*\n [ChangeCipherSpec]\n Finished -------->\n [ChangeCipherSpec]\n <-------- Finished\n Application Data <-------> Application Data<\/code><\/pre>\nSession Ticket \u6269\u5c55<\/h1>\n
The server uses a zero-length SessionTicket extension to indicate to
\nthe client that it will send a new session ticket using the
\nNewSessionTicket handshake message described in Section 3.3. The
\nserver MUST send this extension in the ServerHello if it wishes to
\nissue a new ticket to the client using the NewSessionTicket handshake
\nmessage. The server MUST NOT send this extension if it does not
\nreceive one in the ClientHello.<\/p>\n
This message is sent by the server during the TLS handshake before
\nthe ChangeCipherSpec message. <\/p>\n
This message MUST be sent if the server included a SessionTicket extension in the ServerHello. <\/p>\n
This message MUST NOT be sent if the server did not include a
\nSessionTicket extension in the ServerHello.
\nThis message is included in the hash used to create and verify the Finished message. <\/p>\n
In the case of a full handshake, the server MUST verify the client's
\nFinished message before sending the ticket. <\/p>\n
The client MUST NOT treat the ticket as valid until it has verified the server's Finished message. <\/em><\/p>\nIf the server determines that it does not want to include a ticket after it has included the SessionTicket extension in the ServerHello, then it sends a zero-length ticket in the NewSessionTicket handshake message.<\/p>\n
struct {\n HandshakeType msg_type;\n uint24 length;\n select (HandshakeType) {\n case hello_request: HelloRequest;\n case client_hello: ClientHello;\n case server_hello: ServerHello;\n case certificate: Certificate;\n case server_key_exchange: ServerKeyExchange;\n case certificate_request: CertificateRequest;\n case server_hello_done: ServerHelloDone;\n case certificate_verify: CertificateVerify;\n case client_key_exchange: ClientKeyExchange;\n case finished: Finished;\n case session_ticket: NewSessionTicket; \/* NEW *\/\n } body;\n } Handshake;\n\n struct {\n uint32 ticket_lifetime_hint;\n opaque ticket<0..2^16-1>;\n } NewSessionTicket;<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u6982\u8ff0 \u8fd9\u7bc7 RFC \u5e9f\u5f03\u4e86 "RFC4507: Transport Layer Security (TLS) Session Resumption without Server-Side State" \u4e3b\u8981\u63cf\u8ff0\u4e86\u5728\u4e0d\u9700\u8981\u7ef4\u62a4\u670d\u52a1\u5668\u72b6\u6001\u7684\u60c5\u51b5\u4e0b\u5982\u4f55\u91cd\u542f\u4e00\u4e2a TLS Session \u72b6\u6001\u603b\u5f52\u662f\u8981\u6709\u7684, \u6bd4\u5982\u52a0\u5bc6\u5957\u4ef6, \u52a0\u5bc6\u7684\u4e3b\u5bc6\u94a5, \u5b83\u4eec\u90fd\u4fdd\u5b58\u5728\u4e00\u4e2a\u7531\u670d\u52a1\u5668\u77e5\u9053\u7684\u5bc6\u94a5\u52a0\u5bc6\u8fc7\u7684\u4e00\u4e2a ticket \u91cc it stores its session state (such as ciphersuite and master secret) to a ticket that is encrypted and integrity-protected by a key known only to the server. The ticket is distributed to […] →Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-965","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/965"}],"collection":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=965"}],"version-history":[{"count":6,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/965\/revisions"}],"predecessor-version":[{"id":971,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/965\/revisions\/971"}],"wp:attachment":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}