I’m not sure I fully understand client-side sessions in OpenSSL. My 
understanding is that on the server side, OpenSSL internally handles managing 
sessions. On the client side, they need to be handled by the application. This 
is true for both TLS 1.3 and TLS 1.2 (and prior), even though both protocols 
handle sessions slightly differently.

I’ll try to keep my questions to the simplest case and not get into how I store 
off the session objects and re-use them. But basically, I save each session 
object (2 of them per long handshake in this case) for client connections. I am 
able to successfully re-use them to initiate a short handshake. I have a remove 
callback set up that basically just prints something so I can see what OpenSSL 
is doing. After the SESSION object is used on the client side, I call 
SSL_SESSION_free() on that session. If I don’t use the client-side session, I 
also call SSL_SESSION_free() when the session times out and is no longer 
resumable, checking for that with SSL_SESSION_is_resumable().

Everything works fine, short handshakes are done when I expect them to be, etc.

The confusing part is that given everything above, when I free the SSL_CTX 
associated with these connections/sessions, I see the remove callback function 
get called again for client-side sessions that I already called 
SSL_SESSION_free() on. Is this normal behavior? Is there something else I’m 
missing?

Thanks in advance.

Jason
