1 Topic by waigor (edited by waigor 2020-06-25 17:41:06)

  • Registered: 2019-10-06
  • Posts: 8

Topic: New certificate not come in effect immediately

Hi there,

I am using WolfSSL server for my HTTPS server. After initialise the HTTPS server, at some point, I want to reload a new certificate and key using wolfSSL_CTX_use_certificate_file() and wolfSSL_CTX_use_PrivateKey_file(). However, if I use chrome the firefox, the new certificate will not come in effect immediately. I have to wait for about 5-10 minutes for them to come in effect.

I trace it down on wireshark, I found out that the certificate is only update/exchange about every 500 seconds, even they have SSL handshakes multiple times
(see the attachment)

Thats the same for firefox and chrome, but for IE11, every handshake they will exchange the certificate.

Is this something to do at our server side or purely a browser problem?

Thanks

Post's attachments

firefoxcertificate.png
firefoxcertificate.png 115.84 kb, 4 downloads since 2020-06-26 

You don't have the permssions to download the attachments of this post.

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: New certificate not come in effect immediately

Waigor,

This is technically a "both server and client" issue.

- The client (browser) is to blame for requesting to resume a session rather than doing a full handshake.

- The server is to blame because it allows the client to resume old sessions instead of doing a new handshake. When session caching is enabled, clients are allowed to resume sessions up until that session has expired based on the session timeout or until the session cache becomes so full that older sessions get replaced by newer sessions and then clients attempting to resume those older sessions have to perform a full handshake.

This can be changed by disabling session resumption on the server side (but can lead to decreased performance as a result). There may also be a way to disable session resumptions in chrome and firefox to get the same behavior as IE11 but I am not familiar with how to do that.

Warm Regards,

K

Kaleb J. Himes's Website

Share