Thus spake Lutz Jaenicke ([EMAIL PROTECTED]):

> I know it has been a long time, but I have just continued to analyze
> your submission.
> I have not yet applied your patch. With respect to the SSL_SESSION_free()
> problem, it would only cure the symptoms of incorrect SSL_SESSION_free()
> use. It is not just the session list inside the SSL_CTX object; if a session
> is used by an SSL object we would also find a dangling pointer that we
> could not catch.
> The point should not be to cover for incorrect use of SSL_SESSION_free()
> and "magically" remove the session from the cache list, but to catch
> this as an error... Unfortunately SSL_SESSION_free() does not return
> diagnostic information (until now), so no application written with today's
> API would catch the error message...


I don't claim to understand this code well enough to contradict you. It
would certainly be an improvement to have SSL_SESSION_free() detect this
error condition and complain loudly when it occurs. I also agree that an
interface change is probably worthwhile to do better error reporting and
recovery when this occurs.

> By now, I have updated the manual pages to reflect this problem and wait
> for more input with respect to this problem.

Thanks for following up on this.

--
Chris