Hi, I noticed that SSL_CTX_free() takes all the sessions in the given CTX's internal session cache, and also removes them from the external session cache (i.e., calls the delete-session callback).
Why was this done? I can't think of a security or a logical explanation to this, because these sessions in the external cache are still valid, and other contexts or processes might still want to reuse them!

Looking at the SSL_CTX_free() code (ssl/ssl_lib.c), I see that SSL_CTX_flush_sessions(a,0) is called - and from the manual page of that function I understand that what this means is to mark sessions older than time 0 (i.e., all sessions) as *expired*, and all these sessions are also deleted from the external session cache. I don't understand why this kind of behavior should be part of SSL_CTX_free().

By the way, it's relatively easy for me to overcome this behavior by cancelling the delete-session callback before calling SSL_CTX_free() - but I was wondering why I have to do that...

--
Nadav Har'El | Wednesday, Mar 26 2003, 23 Adar II 5763
http://nadav.harel.org.il
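The behaviour described in the post above, as an added self-contained model that is not part of the original message and is not OpenSSL code: it reproduces the free, flush, delete-callback chain against a shared external store, then repeats it with the callback cleared first. Every `toy_*` and `ext_*` name and the session ids are assumptions made for the illustration; only the OpenSSL function names in the comments are real.

```c
/* Added model, not OpenSSL source: every toy_* and ext_* name is hypothetical. */
#include <stdio.h>

#define MAX_SESS 8
typedef struct toy_ctx toy_ctx;
typedef void (*toy_remove_cb)(toy_ctx *ctx, int sess_id);
struct toy_ctx {
    int internal[MAX_SESS];   /* per-context internal session cache */
    int count;
    toy_remove_cb remove_cb;  /* real API sets this via SSL_CTX_sess_set_remove_cb() */
};

/* External cache shared by several contexts or processes. */
static int ext_ids[MAX_SESS], ext_count;

static int ext_has(int id) {
    for (int i = 0; i < ext_count; i++)
        if (ext_ids[i] == id) return 1;
    return 0;
}
/* Delete-session callback: drops the entry from the shared store. */
static void ext_delete(toy_ctx *ctx, int id) {
    (void)ctx;
    for (int i = 0; i < ext_count; i++)
        if (ext_ids[i] == id) { ext_ids[i] = ext_ids[--ext_count]; return; }
}
/* New session: cached internally and published to the shared store. */
static void toy_new_session(toy_ctx *ctx, int id) {
    ctx->internal[ctx->count++] = id;
    ext_ids[ext_count++] = id;
}
/* Models SSL_CTX_free() calling SSL_CTX_flush_sessions(ctx, 0): every
 * internal session counts as expired, so the callback fires for each. */
static void toy_ctx_free(toy_ctx *ctx) {
    for (int i = 0; i < ctx->count; i++)
        if (ctx->remove_cb != NULL) ctx->remove_cb(ctx, ctx->internal[i]);
    ctx->count = 0;
}
/* Returns how many of context A's sessions another context could still
 * find in the shared store after A has been freed. */
int resumable_after_free(int clear_cb_first) {
    toy_ctx a = { {0}, 0, ext_delete };
    ext_count = 0;
    toy_new_session(&a, 101);                 /* constructed sample ids */
    toy_new_session(&a, 102);
    if (clear_cb_first) a.remove_cb = NULL;   /* the post's workaround */
    toy_ctx_free(&a);
    return ext_has(101) + ext_has(102);
}
int main(void) {
    printf("default free: %d resumable, callback cleared first: %d\n",
           resumable_after_free(0), resumable_after_free(1));
    return 0;
}
```

With the callback cleared, nothing in this model ever removes the entries, so a shared store used this way has to enforce session lifetimes itself.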