Hi, I'm using SSL_clear (0.9.6c) in order to reuse the SSL object. SSL_clear() should make sure that the SSL Session will *not* be reused if SSL_SENT_SHUTDOWN is *not* set.
Well, I faced some problems and I looked into the code:

* SSL_clear sets the SSL structure state to SSL_ST_BEFORE. (The previous state is saved in a tmp variable, but is never used.)
* Later on it calls ssl_clear_bad_session, which is supposed to check if the session can be reused.
* According to ssl_clear_bad_session, a session is considered "bad" if
  - the function did not receive a NULL structure, and
  - the structure was not assigned SSL_SENT_SHUTDOWN, and
  - the structure was *not* set with SSL_ST_BEFORE (but this flag is set whenever SSL_clear is called??)

Taken from ssl_lib.c, SSL_clear() is doing:

    s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
    ......
    if (ssl_clear_bad_session(s))
        {
        SSL_SESSION_free(s->session);
        s->session=NULL;
        }

Taken from ssl_sess.c, ssl_clear_bad_session(s) is doing:

        if ((s->session != NULL) &&
            !(s->shutdown & SSL_SENT_SHUTDOWN) &&
            !(SSL_in_init(s) || SSL_in_before(s)))
            {
            SSL_CTX_remove_session(s->ctx,s->session);
            return(1);
            }
        else
            return(0);
    }

Does it mean that the SSL session is never removed through SSL_clear, or am I totally wrong?

Yoram Zahavi
Gilian Technologies
"The last line of defense against hacker sabotage!"
www.gilian.com
Tel: 972-9-956-0036 x240
FAX: 972-9-956-5668
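
Added example, not part of the original message and not OpenSSL's own code: a small C model of the two quoted fragments that evaluates the ssl_clear_bad_session() predicate once in the quoted order (state reset first) and once against the pre-clear state. The struct, the function names and the test cases are hypothetical; the constants follow OpenSSL's ssl.h, and the lines elided by "......" in the quote are not modeled.

```c
#include <stdio.h>

/* Constants and macros as defined in OpenSSL's ssl.h. */
#define SSL_ST_CONNECT     0x1000
#define SSL_ST_ACCEPT      0x2000
#define SSL_ST_INIT        (SSL_ST_CONNECT | SSL_ST_ACCEPT)
#define SSL_ST_BEFORE      0x4000
#define SSL_ST_OK          0x03
#define SSL_SENT_SHUTDOWN  1

/* Hypothetical stand-in for SSL: only the fields the quoted code reads. */
struct model_ssl { int state; int shutdown; int server; int has_session; };

#define in_init(s)   ((s)->state & SSL_ST_INIT)
#define in_before(s) ((s)->state & SSL_ST_BEFORE)

/* Same predicate as the quoted ssl_clear_bad_session(), minus the cache removal. */
static int model_bad_session(const struct model_ssl *s)
{
    return s->has_session &&
           !(s->shutdown & SSL_SENT_SHUTDOWN) &&
           !(in_init(s) || in_before(s));
}

/* Order quoted from SSL_clear(): state is reset first, then the check runs. */
int clear_as_quoted(struct model_ssl s)
{
    s.state = SSL_ST_BEFORE | (s.server ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
    return model_bad_session(&s);   /* 1 = session would be dropped */
}

/* Hypothetical reordering: check against the pre-clear state, then reset. */
int clear_check_first(struct model_ssl s)
{
    int drop = model_bad_session(&s);
    s.state = SSL_ST_BEFORE | (s.server ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
    return drop;
}

int main(void)
{
    /* Constructed cases: established connection, with and without close_notify sent. */
    struct model_ssl no_shutdown = { SSL_ST_OK, 0, 0, 1 };
    struct model_ssl clean_close = { SSL_ST_OK, SSL_SENT_SHUTDOWN, 0, 1 };
    printf("quoted order,  no shutdown: drop=%d\n", clear_as_quoted(no_shutdown));
    printf("check first,   no shutdown: drop=%d\n", clear_check_first(no_shutdown));
    printf("check first,   clean close: drop=%d\n", clear_check_first(clean_close));
    return 0;
}
```

In this model the quoted order never reports a bad session, because SSL_ST_BEFORE is already set when the predicate runs; checking before the reset distinguishes a clean shutdown from an unclean one.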