On Wed, Jan 31, 2001 at 05:20:50PM +0100, Gil Peeters wrote:
> Now I assumed (most probably incorrectly) that there is session caching
> built into OpenSSL. I noticed that there are SSL_CTX_set_cache_mode() and
> SSL_CTX_set_cache_size() etc. functions, as well as the ability to do
> caching by yourself using the cache callbacks.
Caching is built in, but for protocol reasons the behaviour of client and
server is not symmetric.
 client: must propose id of session to be reused
 server: will reuse this session or open a new one with a new session id

> I use the same SSL_CTX for all my sessions and have called
> SSL_CTX_set_session_cache_mode() with SSL_SESS_CACHE_CLIENT to use client
> caching.
So far, so good.

> After completing a write/read cycle on an SSL_SESSION what do I need to do
> with it to get it cached?
It is automatically cached, but not automatically reused.

> I do an SSL_SESSION_free to close the session, but I assume that that is no
> good.
No.

> I also tried SSL_set_connect_state (cause I saw that in the apps/s_client.c
> code)...
Not needed, when you call SSL_connect() explicitly.

> >> Are you aware that even a cached session is not automatically reused for
> >>   the next SSL_connect() but that you have to call SSL_set_session()
> >>   explicitly?
> 
> No I was not aware, but where can I find some doco that would make me
> aware? Thanks for the tip.
For remarks about the documentation, see below.

> >>   - extract the session before terminating and store it separately.
> >>       I do use this approach for Postfix/TLS (not for the reason mentioned
> >>       but for persistent storage).
> 
> Do you mean the SSL_SESSION struct (gotten through SSL_get_session()
> function)? 
Yes, I transfer the session data from internal format to ASN1 (which includes
copying the data), so that I can later reuse it independent of the built-in
session cache. I store mine in a database.

> - Get the SSL_SESSION ref out of a connection with SSL_get_session().
> - store it away for later re-use
> - close the connection with SSL_shutdown()
That's how I do it.

> Then when I need to reconnect:
> 
> - check that the connection goes to the same server
> - create a connection with SSL_new and set the fd with (SSL_set_fd())
> - set the session with SSL_set_session() using the SSL_SESSION ref I looked
> up
> - do my read and write
> - store it away for later re-use
> - close the connection with SSL_shutdown()

Looks good to me. If it is reused, you probably won't need to store it again.

> As the doco and help is really bad and scarce (not blaming anyone, just a
> fact) I can not make hide nor hair of what I am supposed to do and NOT
> supposed to do.
I am writing manual pages for the SSL_* API as time permits. This will give
a "reference manual" but not the "users' guide" we would also need.

I personally recommend my own Postfix/TLS patchkit, available from my
homepage, since this is what I know best.
It does include full featured server and client side session caching
(in an external database file).

So much for now,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
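The client-side procedure Gil lists and Lutz confirms (get the session out with SSL_get_session(), store it, and hand it back with SSL_set_session() before the next SSL_connect() to the same server), written out as an added example that is not part of this thread or of OpenSSL itself. It uses Python's standard-library `ssl` module, which wraps the same OpenSSL calls: `wrap_socket(session=...)` is SSL_set_session() before SSL_connect(), `SSLSocket.session` is SSL_get_session(), and `SSLSocket.session_reused` is SSL_session_reused(). The `SessionStore` class, `session_is_fresh()`, `connect_with_resumption()`, the `StubSession` helper and the placeholder hostname are all assumptions made for this example.

```python
"""Client-side TLS session reuse (added example, not from the thread).

Mapping to the OpenSSL C API discussed in the thread:
  ctx.wrap_socket(sock, session=s) -> SSL_new/SSL_set_fd, SSL_set_session(s), SSL_connect
  tls.session                      -> SSL_get_session (a copy you may keep after close)
  tls.session_reused               -> SSL_session_reused
  tls.unwrap()                     -> SSL_shutdown
"""
import socket
import ssl
import time


def session_is_fresh(session, now=None):
    """SSLSession exposes the SSL_SESSION time/timeout fields. A session past
    time + timeout is not reusable; the server would open a new one anyway."""
    now = time.time() if now is None else now
    return now < session.time + session.timeout


class SessionStore:
    """The 'store it away for later re-use' step (assumed helper).

    Sessions are keyed by (host, port): a session is only ever offered to the
    server it came from, which is the 'check that the connection goes to the
    same server' step. Unlike OpenSSL's internal cache, a store you manage
    yourself does not expire entries, so get() checks freshness explicitly."""

    def __init__(self):
        self._sessions = {}

    def put(self, host, port, session):
        self._sessions[(host, port)] = session

    def get(self, host, port, now=None):
        """Return a resumable session for exactly this peer, or None."""
        session = self._sessions.get((host, port))
        if session is None:
            return None
        if not session_is_fresh(session, now):
            del self._sessions[(host, port)]   # purge, like the internal cache would
            return None
        return session


def connect_with_resumption(ctx, store, host, port, request, timeout=5.0):
    """One connection following the list in the post. Returns (response, reused)."""
    saved = store.get(host, port)           # None -> full handshake, new session id
    raw = socket.create_connection((host, port), timeout=timeout)
    # session= must come from the same SSLContext, just as SSL_set_session()
    # expects a session created under the same SSL_CTX.
    tls = ctx.wrap_socket(raw, server_hostname=host, session=saved)
    try:
        tls.sendall(request)
        response = tls.recv(4096)
        reused = tls.session_reused
        # Take the session after the read/write cycle: with TLS 1.3 the
        # resumable session (the ticket) only arrives after the handshake.
        store.put(host, port, tls.session)
    finally:
        try:
            plain = tls.unwrap()            # SSL_shutdown(): send close_notify
        except (OSError, ValueError):
            plain = tls
        plain.close()                       # the stored session stays valid
    return response, reused


class StubSession:
    """Constructed stand-in with the two SSLSession fields the store reads,
    so the store logic can be exercised offline without a network peer."""

    def __init__(self, time_, timeout):
        self.time = time_
        self.timeout = timeout


if __name__ == "__main__":
    ctx = ssl.create_default_context()
    store = SessionStore()
    host = "example.invalid"                # placeholder; use a real server to try it
    req = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode()
    for _ in range(2):
        body, reused = connect_with_resumption(ctx, store, host, 443, req)
        print("session reused:", reused, "response bytes:", len(body))
```

Python's `ssl` module does not expose i2d_SSL_SESSION/d2i_SSL_SESSION, so this store keeps the live session object in memory rather than its ASN1 form; the persistent-database variant Lutz describes needs the C API for that serialization step, but the lookup, same-server and expiry logic is the same.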
