On Thu, Nov 11, 1999 at 03:36:01PM +0000, Geoff Thorpe wrote:

[...]
> So, if SSL_CTX_set_session_id_context doesn't exist then that's probably
> because it hadn't been introduced at that point and isn't needed. I believe
> this issue only applies to session caches you implement yourself via
> callbacks - a default session cache is contained within each SSL_CTX and
> they are not shared unless you implement some mechanism to do it.

Correct, but note that SSL_CTX_set_session_id_context must be set
anyway in these cases.  The rationale is that if we did not look at a
session context for objects that come from the internal session cache,
we'd likely see programs where much effort is put in implementing an
external cache but where this cache is totally dysfunctional because
during testing only the internal cache was ever used, any items stored
in the external cache being refused.  Always insisting on a session ID
context makes such errors obvious because you will never get a reused
session.

To check whether an SSL *ssl has a reused session, look at
SSL_session_reused(ssl).  If you have a debug logfile, you definitely
should log this.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
