Lutz,

Thanks for the response.

I read the post after I posted it too (around midnight and my pillow was
calling) and could not understand what I had written myself!

The point is this:

I am writing a client side application which connects to a defined number
of servers to perform a kind of user validation. These servers are
WebSphere servers.

In my test env I have an SSL server, which is a part of an IBM WebSeal
installation. It has an HTTPS server. I know from tests using a Java JCE
package (from IAIK in Austria) that I have to turn on a certain
'workaround' when connecting to this server, to successfully re-use SSL
sessions. That flag in the Java JCE package is described as:

> "cache terminated sessions: A boolean value determining whether or not
> to resume sessions that have not been properly shut down. Per spec this
> should not be done, this exists only to improve performance when
> communicating with bad server implementations. default: false"

If I do not turn this flag on, my SSL sessions are not cached.

Now I assumed (most probably incorrectly) that there is session caching
built into OpenSSL. I noticed that there are SSL_CTX_set_cache_mode() and
SSL_CTX_set_cache_size() etc. functions, as well as the ability to do
caching by yourself using the cache callbacks.

I looked at the apps/openssl code (s_client.c) and saw how the -reconnect
option worked, as this re-used the same session numbers.

I use the same SSL_CTX for all my sessions and have called
SSL_CTX_set_session_cache_mode() with SSL_SESS_CACHE_CLIENT to use client
caching.

But after that I am not sure what I need to do.

After completing a write/read cycle on an SSL_SESSION, what do I need to do
with it to get it cached?

I do an SSL_SESSION_free to close the session, but I assume that that is no
good.

I also tried SSL_set_connect_state (because I saw that in the apps/s_client.c
code)...

>> Are you aware that even a cached session is not automatically reused for
>>   the next SSL_connect() but that you have to call SSL_set_session()
>>   explicitly?

No, I was not aware, but where can I find some doco that would make me
aware? Thanks for the tip.

>>   - extract the session before terminating and store it separately.
>>       I do use this approach for Postfix/TLS (not for the reason mentioned
>>       but for persistent storage).

Do you mean the SSL_SESSION struct (obtained through the SSL_get_session()
function)?

>>   - the "correct" closing happens when SSL_shutdown() is being called.
>>     The necessary flag is set whether or not SSL_shutdown() could notify
>>     the peer, so the behaviour of the peer should not matter.
>>     (I just cross-checked in the source code, did not verify it myself,
>>     but it should work this way :-)

So as far as I understand, I need to:

- Get the SSL_SESSION ref out of a connection with SSL_get_session().
- store it away for later re-use
- close the connection with SSL_shutdown()

Then when I need to reconnect:

- check that the connection goes to the same server
- create a connection with SSL_new and set the fd with (SSL_set_fd())
- set the session with SSL_set_session() using the SSL_SESSION ref I looked
up
- do my read and write
- store it away for later re-use
- close the connection with SSL_shutdown()

I hope that this is correct.

As the doco and help are really bad and scarce (not blaming anyone, just a
fact), I cannot make hide nor hair of what I am supposed to do and NOT
supposed to do.

Maybe someone here can point me to a good reference somewhere.

-- 
================================================
Gil Peeters
BVBA CANCAS I.T.
Willemsstraat 2
3000 Leuven 
Belgium
================================================
JAVA and Distributed Object Specialists
================================================
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

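The procedure Gil sketches (take the session out of a connection, store it per server, SSL_shutdown(), later SSL_set_session() on a fresh SSL before connecting) as a complete, runnable example. This is an added example, not code from the thread or from OpenSSL; it uses Python's ssl module because that module is a thin wrapper over exactly the OpenSSL calls under discussion: wrap_socket(session=...) is SSL_set_session() before the handshake, .session_reused is SSL_session_reused(), .session is SSL_get1_session(), unwrap() is SSL_shutdown() and close() ends in SSL_free(). Two caveats for the C version that the example encodes: SSL_get_session() returns a pointer owned by the SSL object and freed with it, so a session that must outlive the connection needs SSL_get1_session() (which takes a reference; drop it with SSL_SESSION_free() when done); and if SSL_free() runs without a preceding SSL_shutdown(), OpenSSL treats the session as bad and removes it from the context's cache, which is the "not properly shut down" case the IAIK flag works around. The local echo server, the self-signed certificate (generated with the openssl CLI, assumed installed, 1.1.1 or newer for -addext), the TLS 1.2 pin and the function names serve_echo, exchange and demo are all constructed for the example.

```python
"""Client-side TLS session reuse with Python's ssl module (OpenSSL underneath).

Added example, not code from the thread. Mapping to the OpenSSL C calls:
  wrap_socket(session=s)  -> SSL_set_session(ssl, s) before SSL_connect()
  sock.session_reused     -> SSL_session_reused(ssl)
  sock.session            -> SSL_get1_session(ssl)  (owned reference)
  sock.unwrap()           -> SSL_shutdown(ssl)
  sock.close()            -> SSL_free(ssl)
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST, PORT_ANY, SNI = "127.0.0.1", 0, "localhost"  # constructed local test server


def make_self_signed_cert(directory):
    """Throwaway cert/key via the openssl CLI (assumed installed; -addext needs 1.1.1+)."""
    key = os.path.join(directory, "key.pem")
    crt = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", "/CN=" + SNI, "-addext", "subjectAltName=DNS:" + SNI],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return crt, key


def serve_echo(server_ctx, listener, rounds):
    """Accept `rounds` connections and echo one message on each. The server
    keeps OpenSSL's default server-side session cache, so the client can
    come back with the same session."""
    for _ in range(rounds):
        conn, _ = listener.accept()
        conn.settimeout(10)
        tls = server_ctx.wrap_socket(conn, server_side=True)
        tls.sendall(tls.recv(1024))
        tls.unwrap()   # SSL_shutdown(): close_notify in both directions
        tls.close()


def exchange(client_ctx, sessions, host, port, payload):
    """One connection to host:port. Returns (echo, session_reused).
    `sessions` maps (host, port) -> SSLSession, so a session is only ever
    offered back to the server that issued it."""
    raw = socket.create_connection((host, port), timeout=10)
    # SSL_new + SSL_set_fd + SSL_set_session(saved or NULL) + SSL_connect
    tls = client_ctx.wrap_socket(raw, server_hostname=SNI,
                                 session=sessions.get((host, port)))
    reused = tls.session_reused
    tls.sendall(payload)
    echo = tls.recv(1024)
    # Own reference to the session; it outlives this socket (SSL_get1_session).
    sessions[(host, port)] = tls.session
    # SSL_shutdown(): skipping it makes OpenSSL treat the session as bad at
    # SSL_free() and drop it from the cache, the "not properly shut down" case.
    tls.unwrap()
    tls.close()
    return echo, reused


def demo():
    """Two connections through one SSLContext; the second one resumes.
    Returns (reused_first, reused_second, second_echo)."""
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_self_signed_cert(d)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(crt, key)
        client_ctx = ssl.create_default_context(cafile=crt)
        # TLS 1.2: the session (ID or ticket) is settled inside the handshake,
        # as in the thread. TLS 1.3 hands out resumable state in post-handshake
        # tickets, which the client only receives on a later read.
        client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2

        listener = socket.socket()
        listener.bind((HOST, PORT_ANY))
        listener.listen(2)
        port = listener.getsockname()[1]
        server = threading.Thread(target=serve_echo,
                                  args=(server_ctx, listener, 2), daemon=True)
        server.start()

        sessions = {}
        _, first = exchange(client_ctx, sessions, HOST, port, b"hello")
        echo, second = exchange(client_ctx, sessions, HOST, port, b"again")
        server.join(10)
        listener.close()
        return first, second, echo


if __name__ == "__main__":
    print("reused on 1st / 2nd handshake:", demo()[:2])
```

Both sides call unwrap() before close(), so each side sends its close_notify and then reads the peer's; that is what keeps the session resumable on the client and cached on the server. The session is keyed by (host, port) because OpenSSL will happily offer a session to any server you hand it to, and a session is also bound to the SSLContext (SSL_CTX) that created it, which is why one context is shared across connections, as in the original post.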