10

In light of modern browsers phasing out security certificates signed using the SHA1 hash algorithm, we're busy replacing all our SHA1 certificates with SHA2. Generally we could simply replace certs for these primarily internal-use web apps in the evening or on the weekend, when there was little to no traffic.

What would happen if I were, unknowingly, in the middle of an encrypted session and the certificate for the domain was replaced?

To be on the safe-side, we advised our clients that they could assume users in mid-session during this change could see an interruption of their session, and possible loss of any data not yet stored in the database. If I were in mid-session during a cert replacement, could I assume that when I loaded the next page, after replacement of the cert, my browser would see a different signed cert than my session was established with, and cause the session to "freak out". I would expect all browsers would deal with this situation in a similar way, but please enlighten me if I am mistaken.

I have spent a fair amount of time searching for more specifics on how browsers would deal with this scenario, but I haven't had much luck finding general or technical information. I am really curious, and have decided to post this question in hopes of getting an answer which answers the Q concisely, with reference to some credible sources to validate.

Community
  • 1
Dallas
  • 394
  • 2
  • 4
  • 15

1 Answers1

8

...my browser would see a different signed cert than my session was established with, and cause the session to "freak out".

From a webmaster's perspective, and without getting into details on "how SSL works" (which would be better discussed over at Information Security)...

The session key would no longer match so either the server or client browser would abort the connection. The client browser would then make another request for any resources on the next page not received, which would open a new connection, re-establishing the SSL handshake, the certificate, the key exchanges and session key again (as discussed in brief near the bottom here).

Since the new SSL certificate would be issued to the same domain, users likely wouldn't notice anything since only the certificate would change (i.e., the green lock will still be displayed), which users typically do not view anyway, especially between pages on the same site.

What you might not be considering however is that when you install the new SSL certificate, you're going to have to configure and restart your server anyway, so sessions would be closed then regardless and browsers wouldn't receive anything...

Therefore, I would suggest temporarily redirecting all traffic to a "Maintenance" page using a 302 redirect, with a notification ahead of time posted on your site stating the time the maintenance will occur, and for how long the site will be unavailable.

An alternative to the redirect would be to send a 503 Service Unavailable HTTP server response code with a Retry-After HTTP header response field to indicate when the server would be available again.

Last but not least, if you have more than one server for the front-end of the site, you could install the certificate on another server and redirect new connections to that while you update the other server(s). You can check for existing connections in Apache here and IIS here to help with that, if you don't already use a fail-safe or load-balancing setup.

Community
  • 1
dan
  • 15,153
  • 11
  • 46
  • 52