
[Invalid] How to disable persistence of SSL Handshake?

Added by Grundor almost 7 years ago

I understand the SSL handshake flow, but I'm facing a logic problem.
When a user selects a certificate I need to validate it against the application to know that it's reliable and matches a system user. But if not, I must allow the user to be asked again to select another one. Maybe the user has multiple certificates installed on their machine and selected a wrong certificate by mistake.

In my actual scenario, to select another certificate the user must close the browser and open it again, but that gives a negative user experience and I want to improve it.

The solution is to do a handshake for every request, so it allows the user to select another one.

But how to do that?


Replies (3)

RE: [Invalid] How to disable persistence of SSL Handshake? - Added by gstrauss almost 7 years ago

What did your favorite search engine say when you tried looking for an answer?

Clearing active login info is client-specific and differs between browsers. Look into options for clearing recent client browser history.

RE: [Invalid] How to disable persistence of SSL Handshake? - Added by Grundor almost 7 years ago

You're kidding me?

You really think I'll come here without trying by myself? Or did you think someone would be here, a forum in the middle of nowhere on the internet, as a 1st resource? Don't be rude; if my question wasn't clear enough please tell me and I'll try to explain again.

The most relevant question that I found was https://security.stackexchange.com/questions/56623/avoiding-ssl-handshake-for-each-call.

The full handshake is what a client and server do when they don't know each other (they have not talked previously, or that was long ago). In the full handshake, certificates are sent, and asymmetric cryptography (RSA, Diffie-Hellman...) occurs.

The abbreviated handshake is what a client and server do when they remember each other; more accurately, they remember the algorithms and keys that they established in a previous full handshake, and agree to reuse them (technically, they reuse the "master secret" and derive from it fresh encryption keys for this connection).

I can clear any cookie, close the tab, and disable keep-alive; a second handshake doesn't open the certificate prompt.
It uses the previously selected one, and in Chrome for example there is no option "remember my decision"; Firefox has one. The same happens with Edge, Opera, Edge etc. Is it a standard?

The only reason that I'm asking for help is because what requests the SSL handshake is the server, so I guess that it can be controlled server-side, by requesting a new full SSL handshake.

I made some attempts to try to solve it by myself, but was unsuccessful:

on client-side:
  • Clear all data, even history.
  • Open in another cookieless sub-domain.

on client-side:
  • Send "Connection: close" header.
  • Disable keep-alive.

Closing the browser is the only effective way to get a new SSL handshake, but it will promote a bad user experience.

Well, if I'm cleaning all data from the browser, closing connections, removing any alive one, and it is still using the 1st certificate selected on a second request until I close the browser (kill all processes), there is something wrong, either with the browser (all of them) or with the server.

If my application uses SSL to authenticate users, I can't use multiple logins without closing the browser; it's not right.
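As an added illustration of the full-versus-abbreviated handshake quoted above (example code written for this page, not from the thread or from lighttpd): a small Go program stands up a TLS server that requests a client certificate, connects twice from one client that keeps a session cache the way a browser does, and reports whether each connection was a resumed (abbreviated) handshake. The hostnames are placeholders and the certificates are throwaway ones constructed in the code; SessionTicketsDisabled is the server-side switch.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSigned builds a throwaway Ed25519 certificate (constructed for this demo; stdlib keygen errors are unreachable here).
func selfSigned(name string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}
// handshakeTwice connects twice from one client (keeping a session cache, as a browser does) to a server
// that asks for a client cert; per connection it reports whether TLS resumed the first session.
func handshakeTwice(allowResume bool) (out [2]bool, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates:           []tls.Certificate{selfSigned("server.example")},
		ClientAuth:             tls.RequireAnyClientCert, // request a client cert (no chain check)
		SessionTicketsDisabled: !allowResume,             // the server-side session-ticket switch
	})
	if err != nil {
		return out, err
	}
	defer ln.Close()
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.Write([]byte{0}) // drives the server handshake and flushes the session ticket
			c.Close()
		}
	}()
	cli := &tls.Config{
		InsecureSkipVerify: true, // throwaway server cert, nothing to validate against
		Certificates:       []tls.Certificate{selfSigned("user.example")},
		ClientSessionCache: tls.NewLRUClientSessionCache(8), // what a browser keeps between connections
	}
	for i := range out {
		c, err := tls.Dial("tcp", ln.Addr().String(), cli)
		if err != nil {
			return out, err
		}
		c.Read(make([]byte, 1)) // reading also consumes the NewSessionTicket message
		out[i] = c.ConnectionState().DidResume
		c.Close()
	}
	return out, nil
}
```

With tickets enabled the second connection resumes and the server reuses the client certificate carried in the ticket without a new CertificateRequest; with them disabled every connection is a full handshake. Browsers additionally keep their own record of which certificate the user picked, which this demo does not model, so forcing full handshakes server-side is not by itself a re-prompt.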

RE: [Invalid] How to disable persistence of SSL Handshake? - Added by gstrauss almost 7 years ago

Your English is very difficult to understand when you are angry.

You really think I'll come here without trying by myself? Or did you think someone would be here, a forum in the middle of nowhere on the internet, as a 1st resource?

Yes. In your first post, you failed to indicate "what you tried" when asking a question. Therefore, the assumption is that you tried nothing, especially since a simple search in your favorite search engine would undoubtedly provide the answer. I know. I checked a few search engines. If I find the answer in a search engine in 10 seconds or less, then I conclude that you did not try hard enough.

(Your subsequent post does provide information about what you tried, but was difficult to follow.)

Also, as noted, this is a client browser issue, not a server-side issue, as is so clearly obvious from search engine results, which provide the answer.

From 2006: http://forums.mozillazine.org/viewtopic.php?f=38&t=468067
From 2012: https://www.progclub.org/blog/2012/03/16/clearing-ssl-session-state-in-firefox/
other: https://www.a2hosting.com/kb/getting-started-guide/internet-and-networking/clearing-a-web-browsers-ssl-state
