Thanks for the explanation, I liked the SSL_set_session(s, NULL) usage. Any reasons for calling it *before* SSL_clear(s) ? I think you better call it after the call to SSL_clear(s). Otherwise, the current session is already freed by SSL_set_session(s, NULL), and cannot be referenced by SSL_clear(s) for caching considerations.
Yoram. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 27, 2002 8:02 AM To: [EMAIL PROTECTED] Cc: Lutz Jaenicke; [EMAIL PROTECTED] Subject: Re: Using SSL_clear to reuse SSL object Lutz Jaenicke <[EMAIL PROTECTED]>: > On Wed, Feb 20, 2002 at 12:29:03PM +0200, Yoram Zahavi wrote: >> My server application is using SSL_clear to reuse the SSL object, instead of >> allocating a new one on every new connection. On first connection the client >> succeeds to connect the server, and later on to reuse the SSL sessions. As >> far as I understand connections are closed properly, assigning both >> SSL_RECEIVED_SHUTDOWN and SSL_SENT_SHUTDOWN masks, and closing the >> underlying socket as well. >> >> The Server starts facing problems when the Client tries to open a new >> connection asking not to reuse the previous session. The SSL object still >> holds a valid Session (since previous connection was closed in the right >> way), which is not removed by SSL_clear. As far as I understand, the Server >> suppose to overcome such case and support the new connection by performing >> full handshake. [...] > Hmm. This brings up the question, what SSL_clear() should actually do. > I would consider SSL_clear() to be not much different from doing > SSL_free()/SSL_new(), but obiously it is. Unfortunately EAY did not leave > documentation about his intentions... Note that SSL_clear() is called by the {ssl23,ssl2,ssl3}_{connect,accept} functions, so it should not reset too much. In particular, it should not unconditionally remove the session. Connections to a previously used SSL object with a valid session fail not because the servers insists on that particular session, but because the server is restricted to the protocol version of that particular session (and thus cannot handle a backwards-compatible client hello). This is intentional: SSL_clear() will reset the protocol version (method) only if no session is set. This behaviour makes a lot of sense for SSL client objects. It is not particularly useful for SSL server objects, but it would be bad to give up consistency. If you really want to reuse an SSL server object, use SSL_set_session(s, NULL) before calling SSL_clear(s). -- Bodo M�ller <[EMAIL PROTECTED]> PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html * TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt * Tel. +49-6151-16-6628, Fax +49-6151-16-6036 ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
