Lutz Jaenicke <[EMAIL PROTECTED]>:
> On Wed, Feb 20, 2002 at 12:29:03PM +0200, Yoram Zahavi wrote:

>> My server application is using SSL_clear to reuse the SSL object, instead of
>> allocating a new one on every new connection. On first connection the client
>> succeeds in connecting to the server, and later on in reusing the SSL sessions. As
>> far as I understand connections are closed properly, assigning both
>> SSL_RECEIVED_SHUTDOWN and SSL_SENT_SHUTDOWN masks, and closing the
>> underlying socket as well.
>> 
>> The Server starts facing problems when the Client tries to open a new
>> connection asking not to reuse the previous session. The SSL object still
>> holds a valid Session (since previous connection was closed in the right
>> way), which is not removed by SSL_clear. As far as I understand, the Server
>> is supposed to overcome such a case and support the new connection by performing
>> a full handshake.
[...]
> Hmm. This brings up the question, what SSL_clear() should actually do.
> I would consider SSL_clear() to be not much different from doing
> SSL_free()/SSL_new(), but obviously it is. Unfortunately EAY did not leave
> documentation about his intentions...

Note that SSL_clear() is called by the {ssl23,ssl2,ssl3}_{connect,accept}
functions, so it should not reset too much.  In particular, it should
not unconditionally remove the session.

Connections to a previously used SSL object with a valid session fail
not because the server insists on that particular session, but
because the server is restricted to the protocol version of that
particular session (and thus cannot handle a backwards-compatible
client hello).  This is intentional: SSL_clear() will reset the
protocol version (method) only if no session is set.  This behaviour
makes a lot of sense for SSL client objects.  It is not particularly
useful for SSL server objects, but it would be bad to give up
consistency.  If you really want to reuse an SSL server object,
use SSL_set_session(s, NULL) before calling SSL_clear(s).


-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]