Re: CAS proxy validation failure - Configured TLS trust engine was not used

Paul B. Henson henson at cpp.edu
Wed Aug 19 08:06:11 UTC 2020

> From: Paul B. Henson
> Sent: Tuesday, August 18, 2020 10:05 PM
> However, after enabling debugging at the JSSE layer and reviewing some
> packet captures of successful and failed attempts, I think I tracked it down. If I
> disable SSL session caching and SSL session tickets on the server side it works
> every time.

If it's not possible to force the trust engine to run when resuming a cached SSL session, I guess the question is whether or not the trust engine configuration/criteria could change between the first call which processes a full handshake and a subsequent call which reuses an existing session? It seems like it could; the call to configure the criteria occurs on the connections which reuse an existing SSL session, and then those criteria are not reevaluated. If it couldn't, you might be able to note that the session was reused and the validity confirmed on a previous connection and not abort. But I'm guessing if there's no way to make the trust engine run every time regardless of cached session, session caching will have to be disabled on the client…
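One way a JSSE client can notice that a handshake resumed a cached session without evaluating the server chain, and force a full handshake instead. This is an added example, not part of the original post and not Shibboleth code; the class `ResumptionAwareClient` and its `CountingTrustManager` are hypothetical, and the platform trust manager stands in for a per-connection trust engine.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.*;

// Added example (hypothetical class). Single-threaded use assumed: the counter is shared.
public class ResumptionAwareClient {
    // Stand-in for a trust engine: delegates to the platform trust manager and counts evaluations.
    static final class CountingTrustManager implements X509TrustManager {
        final X509TrustManager delegate;
        final AtomicInteger evaluations = new AtomicInteger();
        CountingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkServerTrusted(chain, authType);
            evaluations.incrementAndGet(); // reached only when the chain was accepted
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    private final CountingTrustManager trust;
    private final SSLContext context;

    public ResumptionAwareClient() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // platform default trust store
        trust = new CountingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        context = SSLContext.getInstance("TLS");
        context.init(null, new TrustManager[] { trust }, null);
    }

    // Returns a socket whose handshake ran the trust manager; a resumed session is flushed and retried once.
    public SSLSocket connect(String host, int port) throws IOException {
        for (int attempt = 0; attempt < 2; attempt++) {
            int before = trust.evaluations.get();
            SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket(host, port);
            socket.startHandshake();
            if (trust.evaluations.get() > before) return socket; // full handshake: chain was evaluated
            socket.close(); // resumed session: nothing was evaluated on this connection
            SSLSessionContext cache = context.getClientSessionContext();
            for (byte[] id : Collections.list(cache.getIds())) {
                SSLSession cached = cache.getSession(id);
                if (cached != null) cached.invalidate(); // drop every cached client session
            }
        }
        throw new SSLException("handshake resumed twice; server chain was never evaluated");
    }
}
```

Flushing the whole client session cache is deliberately blunt, and the method fails closed if the retry still resumes.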
