SSL Session ID guarantees.
843811 Sep 9 2010 — edited Sep 9 2010

I am planning to configure Tomcat to use JSSE to implement HTTPS. I plan to associate authentication information with SSL session IDs. I want to be sure that JSSE does not reuse SSL session IDs. I'm pretty sure it doesn't but would like to be able to refer to a spec that says it doesn't. The descriptions of the SSL protocol I have seen say the server gets to choose the session id. It would be good to know what guarantee of uniqueness over time JSSE guarantees. The JSSE reference guide [1] doesn't say. Is there somewhere else?

[1] http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLSession
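
An added example, not part of the original post and not JSSE or Tomcat code: one way to associate authentication information with an SSL session without depending on session IDs being unique over time is to key the association on the ID together with the session's creation time. The class name `SessionAuthRegistry`, its methods and the `fake` helper are hypothetical; only `SSLSession.getId()`, `getCreationTime()` and `isValid()` are real JSSE calls, and the sample ID bytes are constructed.

```java
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLSession;

// Hypothetical registry: a principal is bound to (session ID, creation time),
// so a later session that happens to carry the same ID never inherits it.
public class SessionAuthRegistry {
    private final Map<String, String> principals = new ConcurrentHashMap<String, String>();

    // Returns null for sessions that cannot carry a binding:
    // invalidated sessions, or non-resumable ones with an empty ID.
    private static String key(SSLSession s) {
        byte[] id = s.getId();
        if (!s.isValid() || id.length == 0) return null;
        return Arrays.toString(id) + "@" + s.getCreationTime();
    }

    public void bind(SSLSession s, String principal) {
        String k = key(s);
        if (k == null) throw new IllegalStateException("session cannot be bound");
        principals.put(k, principal);
    }

    // Null when there is no binding for this exact session.
    public String lookup(SSLSession s) {
        String k = key(s);
        return k == null ? null : principals.get(k);
    }

    // Constructed stand-in for a real SSLSession so the demo runs without a handshake.
    static SSLSession fake(final byte[] id, final long created) {
        return (SSLSession) Proxy.newProxyInstance(SSLSession.class.getClassLoader(),
            new Class<?>[] { SSLSession.class }, (proxy, m, args) -> {
                switch (m.getName()) {
                    case "getId": return id.clone();
                    case "getCreationTime": return created;
                    case "isValid": return true;
                    default: throw new UnsupportedOperationException(m.getName());
                }
            });
    }

    public static void main(String[] args) {
        SessionAuthRegistry r = new SessionAuthRegistry();
        byte[] id = { 0x00, 0x5a, 0x7f };                   // constructed sample ID
        r.bind(fake(id, 1000L), "alice");
        System.out.println(r.lookup(fake(id, 1000L)));      // the session that was bound
        System.out.println(r.lookup(fake(id, 2000L)));      // same ID, different session
    }
}
```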