问题
I have a client (written in Java) which connects to an HTTPS server (the server written in Java also).
The client certificate and trusted certificates are stored in a PKI token. The client sends some HTTP requests to the server continuously. All things work fine. Now I want to force client (or server) to restart handshaking. In other words, I want to refresh SSL connection which causes to check server certificate periodically. Is there any way to do this? For example, is there any setting to do that periodically or any extension in the certificates which force server/client to restart handshaking?
I know about the session timeout. But this will not refresh the current connection(s). It will force only new connections to do handshaking again.
回答1:
There is nothing in the certificate which can be used to implement what you want. Instead that kind of behavior need to be implemented at the client or server: a server can close the current connection and refuse to reuse the previous session, thus causing a full handshake. Similar a client can close the existing connection and not reuse the session which again results in a full handshake.
In theory it would also be possible for either client or server to trigger a new handshake within the existing TCP connection. But it is common that endpoints limit the number of such renegotiations within the same TCP connection in order to protect against TLS renegotiation DoS attacks.
来源:https://stackoverflow.com/questions/55003835/force-client-or-server-to-restart-ssl-handshake-or-expire-ssl-session