path: root/manual/html_node/Session-resumption.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This manual is last updated 4 March 2015 for version
3.4.9 of GnuTLS.

Copyright (C) 2001-2015 Free Software Foundation, Inc.\\
Copyright (C) 2001-2015 Nikos Mavrogiannopoulos

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.  A
copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 6.0, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GnuTLS 3.4.9: Session resumption</title>

<meta name="description" content="GnuTLS 3.4.9: Session resumption">
<meta name="keywords" content="GnuTLS 3.4.9: Session resumption">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-and-Data-Index.html#Function-and-Data-Index" rel="index" title="Function and Data Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="Advanced-topics.html#Advanced-topics" rel="up" title="Advanced topics">
<link href="Certificate-verification.html#Certificate-verification" rel="next" title="Certificate verification">
<link href="Advanced-topics.html#Advanced-topics" rel="prev" title="Advanced topics">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nocodebreak {white-space: nowrap}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: serif; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
body { 
	margin: 2%;
	padding: 0 5%;
	background: #ffffff;
}
h1,h2,h3,h4,h5 {
    font-weight: bold;
    padding: 5px 5px 5px 5px;
    background-color: #c2e0ff;
    color: #336699;
}
h1 {
    padding: 2em 2em 2em 5%;
    color: white;
    background: #336699;
    text-align: center;
    letter-spacing: 3px;
}
h2 { text-decoration: underline; }
pre {
  margin: 0 5%;
  padding: 0.5em;
}
pre.example,pre.verbatim {
  padding-bottom: 1em;

  border: solid #c2e0ff;
  background: #f0faff;
  border-width: 1px 1px 1px 5px;
  margin: 1em auto;
  width: 90%;
}

div.node {
  margin: 0 -5% 0 -2%;
  padding: 0.5em 0.5em;
  margin-top: 0.5em;
  margin-bottom: 0.5em;
  font-weight: bold;
}
dd, li {
  padding-top: 0.1em;
  padding-bottom: 0.1em;
}
div.float {

  margin-bottom: 0.5em;
  text-align: center;
}

table {
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  border-spacing: 7px;
  width: 50%;
}

th {
  padding: 0;
  color: #336699;
  background-color: #c2e0ff;
  border: solid #000000;
  border-width: 0px;
  margin: 1em auto;
  text-align: center;
  margin-left:auto;
  margin-right:auto;
}

td {
  padding: 0;
  border: solid #000000;
  background-color: #f0faff;
  border-width: 0px;
  margin: 1em auto;
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  padding-left: 1em;
}

dl {
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  width: 50%;

  padding-left: 1em;
  border: solid #c2e0ff;
  background: #f0faff;
  border-width: 5px 1px 1px 1px;
  margin: 1em auto;
}

-->
</style>


</head>

<body lang="en">
<a name="Session-resumption"></a>
<div class="header">
<p>
Next: <a href="Certificate-verification.html#Certificate-verification" accesskey="n" rel="next">Certificate verification</a>, Up: <a href="Advanced-topics.html#Advanced-topics" accesskey="u" rel="up">Advanced topics</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Session-resumption-1"></a>
<h4 class="subsection">6.12.1 Session resumption</h4>
<a name="index-resuming-sessions-1"></a>
<a name="index-session-resumption-1"></a>

<a name="Client-side-1"></a>
<h4 class="subsubheading">Client side</h4>

<p>To reduce time and roundtrips spent in a handshake the client can   
request session resumption from a server that previously shared
a session with the client. For that the client has to retrieve and store
the session parameters. Before establishing a new session to the same 
server the parameters must be re-associated with the GnuTLS session
using <a href="Core-TLS-API.html#gnutls_005fsession_005fset_005fdata">gnutls_session_set_data</a>.
</p>
<dl compact="compact">
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fsession_005fget_005fdata2">gnutls_session_get_data2</a> (gnutls_session_t <var>session</var>, gnutls_datum_t * <var>data</var>)</code></dt>
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fsession_005fget_005fid2">gnutls_session_get_id2</a> (gnutls_session_t <var>session</var>, gnutls_datum_t * <var>session_id</var>)</code></dt>
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fsession_005fset_005fdata">gnutls_session_set_data</a> (gnutls_session_t <var>session</var>, const void * <var>session_data</var>, size_t <var>session_data_size</var>)</code></dt>
</dl>

<p>Keep in mind that sessions will be expired after some time, depending
on the server, and a server may choose not to resume a session
even when requested to.  The expiration is to prevent temporal session keys
from becoming long-term keys. Also note that as a client you must enable, 
using the priority functions, at least the algorithms used in the last session.
</p>




<dl>
<dt><a name="index-gnutls_005fsession_005fis_005fresumed"></a>Function: <em>int</em> <strong>gnutls_session_is_resumed</strong> <em>(gnutls_session_t <var>session</var>)</em></dt>
<dd><p><var>session</var>: is a <code>gnutls_session_t</code>  type.
</p>
<p>Check whether session is resumed or not.
</p>
<p><strong>Returns:</strong> non zero if this session is resumed, or a zero if this is
a new session.
</p></dd></dl>

<a name="Server-side-1"></a>
<h4 class="subsubheading">Server side</h4>

<p>In order to support resumption a server can store
the session security parameters in a local database or by using session
tickets (see <a href="Session-tickets.html#Session-tickets">Session tickets</a>) to delegate storage to the client. Because
session tickets might not be supported by all clients, servers
could combine the two methods.
</p>
<p>A storing server needs to specify callback functions to store, retrieve and delete session data. These can be
registered with the functions below. The stored sessions in the database can be checked using <a href="Core-TLS-API.html#gnutls_005fdb_005fcheck_005fentry">gnutls_db_check_entry</a>
for expiration.
</p>
<dl compact="compact">
<dt><code><var>void</var> <a href="Core-TLS-API.html#gnutls_005fdb_005fset_005fretrieve_005ffunction">gnutls_db_set_retrieve_function</a> (gnutls_session_t <var>session</var>, gnutls_db_retr_func <var>retr_func</var>)</code></dt>
<dt><code><var>void</var> <a href="Core-TLS-API.html#gnutls_005fdb_005fset_005fstore_005ffunction">gnutls_db_set_store_function</a> (gnutls_session_t <var>session</var>, gnutls_db_store_func <var>store_func</var>)</code></dt>
<dt><code><var>void</var> <a href="Core-TLS-API.html#gnutls_005fdb_005fset_005fptr">gnutls_db_set_ptr</a> (gnutls_session_t <var>session</var>, void * <var>ptr</var>)</code></dt>
<dt><code><var>void</var> <a href="Core-TLS-API.html#gnutls_005fdb_005fset_005fremove_005ffunction">gnutls_db_set_remove_function</a> (gnutls_session_t <var>session</var>, gnutls_db_remove_func <var>rem_func</var>)</code></dt>
</dl>
<dl compact="compact">
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fdb_005fcheck_005fentry">gnutls_db_check_entry</a> (gnutls_session_t <var>session</var>, gnutls_datum_t <var>session_entry</var>)</code></dt>
</dl>

<p>A server utilizing tickets should generate ticket encryption
and authentication keys using <a href="Core-TLS-API.html#gnutls_005fsession_005fticket_005fkey_005fgenerate">gnutls_session_ticket_key_generate</a>.
Those keys should be associated with the GnuTLS session using
<a href="Core-TLS-API.html#gnutls_005fsession_005fticket_005fenable_005fserver">gnutls_session_ticket_enable_server</a>, and should be rotated regularly
(e.g., every few hours), to prevent them from becoming long-term keys which
if revealed could be used to decrypt all previous sessions.
</p>




<dl>
<dt><a name="index-gnutls_005fsession_005fticket_005fenable_005fserver"></a>Function: <em>int</em> <strong>gnutls_session_ticket_enable_server</strong> <em>(gnutls_session_t <var>session</var>, const gnutls_datum_t * <var>key</var>)</em></dt>
<dd><p><var>session</var>: is a <code>gnutls_session_t</code>  type.
</p>
<p><var>key</var>: key to encrypt session parameters.
</p>
<p>Request that the server should attempt session resumption using
SessionTicket.   <code>key</code> must be initialized with
<code>gnutls_session_ticket_key_generate()</code> , and should be overwritten
using <code>gnutls_memset()</code>  before being released.
</p>
<p><strong>Returns:</strong> On success, <code>GNUTLS_E_SUCCESS</code>  (0) is returned, or an
error code.
</p>
<p><strong>Since:</strong> 2.10.0
</p></dd></dl>




<dl>
<dt><a name="index-gnutls_005fsession_005fticket_005fkey_005fgenerate"></a>Function: <em>int</em> <strong>gnutls_session_ticket_key_generate</strong> <em>(gnutls_datum_t * <var>key</var>)</em></dt>
<dd><p><var>key</var>: is a pointer to a <code>gnutls_datum_t</code>  which will contain a newly
created key.
</p>
<p>Generate a random key to encrypt security parameters within
SessionTicket.
</p>
<p><strong>Returns:</strong> On success, <code>GNUTLS_E_SUCCESS</code>  (0) is returned, or an
error code.
</p>
<p><strong>Since:</strong> 2.10.0
</p></dd></dl>




<dl>
<dt><a name="index-gnutls_005fsession_005fresumption_005frequested"></a>Function: <em>int</em> <strong>gnutls_session_resumption_requested</strong> <em>(gnutls_session_t <var>session</var>)</em></dt>
<dd><p><var>session</var>: is a <code>gnutls_session_t</code>  type.
</p>
<p>Check whether the client has asked for session resumption.
This function is valid only on server side.
</p>
<p><strong>Returns:</strong> non zero if session resumption was asked, or a zero if not.
</p></dd></dl>

<p>A server enabling both session tickets and a storage for session data
would use session tickets when clients support it and the storage otherwise.
</p>
<hr>
<div class="header">
<p>
Next: <a href="Certificate-verification.html#Certificate-verification" accesskey="n" rel="next">Certificate verification</a>, Up: <a href="Advanced-topics.html#Advanced-topics" accesskey="u" rel="up">Advanced topics</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>



</body>
</html>