We have an application for which we are using SSL-enabled clients and
servers (our own server, not a web server). I have been trying to get
session key reuse going for the past several days. It appears that
session key reuse and timeouts work just fine if I hang on to the SSL
structure on the server side which was created by the previous
connection, but this causes the server to leak memory. If I call SSL_free
on the server once the exchange is completed, it looks like the session
is removed from the hash table in the SSL_CTX. Setting different caching
options on the server side doesn't seem to make a difference, and
looking at the SSL_free code I can see why this is happening, because it
doesn't check any of the cache options. I have tried various other
tricks such as incrementing the reference count on the session and
adding it back to the SSL_CTX using SSL_CTX_add_session (which I
shouldn't be doing), and this makes it work, but I am seeing memory leaks
on the server. Unlike Apache, I don't have a need to pass the session
around between multiple server processes, so I don't need an external
caching mechanism. Is there any magic needed to make this work? The code
invoked in the initialization part of my server is shown below:
    SSL_load_error_strings();
    SSL_library_init();
    server_ctx = SSL_CTX_new(SSLv3_server_method());
    SSL_CTX_set_options(server_ctx, SSL_OP_ALL);

    /* set timeout */
    if (session_timeout > 0)
        SSL_CTX_set_timeout(server_ctx, session_timeout);

    /* Load the CA certificate(s) */
    if (CA_cert) {
        if (!SSL_CTX_load_verify_locations(server_ctx, CA_cert, NULL)) {
            tracePrintf(&error_trace, ("Unable to load CA certificate %s\n",
                                       CA_cert));
            return SALRCODE_ERROR_LOADING_CA_CERTIFICATE;
        }
    }

    /* Load the server certificate and matching private key. */
    if (cert_location && private_key_location) {
        if (!SSL_CTX_use_certificate_file(server_ctx, cert_location,
                                          SSL_FILETYPE_PEM)) {
            tracePrintf(&error_trace, ("Unable to load server certificate %s\n",
                                       cert_location));
            return SALRCODE_ERROR_LOADING_CERTIFICATE;
        }
        if (!SSL_CTX_use_PrivateKey_file(server_ctx, private_key_location,
                                         SSL_FILETYPE_PEM)) {
            tracePrintf(&error_trace, ("Unable to load server private key %s\n",
                                       private_key_location));
            return SALRCODE_ERROR_LOADING_PRIVATE_KEY;
        }
        if (!SSL_CTX_check_private_key(server_ctx)) {
            tracePrintf(&error_trace, ("Server certificate %s and private key %s "
                                       "don't match\n",
                                       cert_location, private_key_location));
            return SALRCODE_ERROR_CERTIFICATE_PRIVATEKEY_CHECK;
        }
    }
I have tried the following options on the accept side:

    SSL_set_accept_state(ssl);
    i = SSL_do_handshake(ssl);

and

    SSL_accept(ssl);

and neither one changes the outcome. Removing SSL_free from the server
disconnect sequence does make it work, although it is not an option for
production code (due to memory leaks).
Any ideas/help are appreciated.
- Raghu
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]