[mosquitto-dev] Mosquitto and TLS Session Resumption / session ticket lifetime ?

Hi Mosquitto Experts,

As per the Changelog.txt, I understand that Mosquitto Broker supports TLS Session Resumption since v1.3. It seems to work, but with a hardcoded session ticket lifetime of only 5 minutes:

openssl s_client -connect test.mosquitto.org:8883 -CAfile mosquitto.org.crt -sess_out ./ssl_s
    SSL handshake has read 2594 bytes and written 431 bytes
    TLS session ticket lifetime hint: 300 (seconds)
openssl s_client -connect test.mosquitto.org:8883 -CAfile mosquitto.org.crt -sess_in ./ssl_s
    Reused, SSL handshake has read 142 bytes and written 564 bytes
(15 minutes later)
openssl s_client -connect test.mosquitto.org:8883 -CAfile mosquitto.org.crt -sess_in ./ssl_s
    SSL handshake has read 2594 bytes and written 639 bytes

I'd like to run mosquitto on a resource-constrained device with lots of clients. I want to use TLS, but I cannot support full public key negotiation of all clients on a temporary connection loss / reconnect. So I'd like to significantly increase session ticket lifetime.

My questions:
  1. How can I increase session ticket lifetime in the mosquitto broker ?
  2. How can I use Mosquitto / OpenSSL C API to leverage session tickets in an MQTT C client ?
  3. Is there any way I could persist session tickets on the clients, so they would remain valid across reboot ?
  4. What is the lifetime of the Session Ticket Master Secret on the Broker, and how could I change that lifetime?
  5. Is there any way I could rotate the Session Ticket Master Secret on the Broker ? Ideally, I'd like to re-create session tickets every 12 hours and send the new tickets to all clients through the existing MQTT sessions.
In general, I can't quite see the benefit of session tickets with only 5 minutes lifetime, so I was wondering what the intended use-case was and if there's any documentation I have been missing.

Lots of questions ... thanks in advance for any hints!
Martin
