OpenSSL 1.1.0 support
Alan DeKok
aland at deployingradius.com
Mon Apr 4 01:44:20 CEST 2016
On Apr 3, 2016, at 3:10 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> This may allow us to serialize &session-state:[*] in the session ticket, and have the supplicant hand back any authorizational info required when they resume their session :)
>
> I'm sure there's a reason why this is a terrible idea from a security (or other) perspective, but i've not figured it out yet. If anyone else has any views on it, i'd appreciate the feedback.
The ticket is opaque to everyone but the server. So it's safe from that point of view.
The real problem is size. Large session tickets mean that session resumption now takes many round trips.
> Not sure of what the limit on serialised data would be, extension length is 2^24, guessing the record layer can fragment extensions, else that size wouldn't make sense. The real limit would probably be the number of roundtrips :)
Yes. I would suggest limiting data in the session ticket to less than 1K. Anything more will cause too many round trips.
Alan DeKok.
More information about the Freeradius-Users
mailing list