Hi, I have a question about a possible flaw in the implementation of OpenSSL's SSL-session caching, in particular in multi-process applications. (All my tests were done on openssl0.9.6b-g.)

OpenSSL's session cache stores sessions on the heap, and as such will work properly on single-process or multi-threaded applications. But in multi-process server applications (Apache is a good example, but not the only one) the cache needs to be shared between several processes. But as far as I can see, OpenSSL has no built-in support for that. Why? Did anybody think about, perhaps, using the MM library (http://www.ossp.org/pkg/lib/mm/) and allocating the session structures in shared memory? If this has been thought about and not done, then what was the reason?

When trying to work around this lack, like Apache and many other applications do, it seems we encounter another problem:

To get around the lack of inter-process session cache in OpenSSL, and to provide other sophisticated caching paradigms (e.g., see http://distcache.sourceforge.net/), applications can set their own "external session caching" by defining 3 callback functions (see SSL_CTX_sess_set_get_cb(3)). But what is completely unclear in the manual, and from several tests I've done, is how this external session cache interacts with the builtin session cache of up to 20,000 (by default) sessions per process.

Typically, applications that use an external cache will want to disable internal caching completely, because in the best case it is a simple waste (e.g., in a 100-process Apache, the chance of a client reaching the same process again is very small), and in the worst case a huge memory hog (e.g., 20,000 * 1K per client-authentication session results in 20 MB *per process* useless cache).

To try to disable the internal caching, I tried several approaches that are very vaguely mentioned in the manuals, but none of them seems to be working correctly. Are these bugs or deliberate design decisions? If the latter, why??

1) The SSL_CTX_sess_set_get_cb(3) manual page claims regarding the new_session_cb() callback that "If the callback returns 0, the session will be immediately removed again."

   I understood that as meaning that if the callback returns 0 it means the session was externally cached and should be removed from the internal cache immediately. Unfortunately, it appears that this is not happening. I checked this on both Apache (which returns 0 from the callback!) and on another application - and in both of them sessions were still cached in the internal cache, and the memory used by the internal cache grew and grew as more sessions came in (up to a default 20,000 session limit).

   Is this a bug? An unclear statement in the manual? If the latter, what did that statement actually try to say?

2) The maximum number of sessions per internal cache defaults to 20,000, but can be changed with SSL_CTX_sess_set_cache_size(). When I tried setting this number to a low number (say, 3), indeed it seemed that sessions were being dropped from the internal cache after 3 connections. But another unexpected thing happened: the SSL_CTX_sess_set_remove_cb callback was also called, to remove sessions from the external cache!

   This looks like an error to me. After all, the fact that a session cannot fit the internal cache is no reason to remove it from the external cache - that should only be done when OpenSSL is sure this session has become invalid (e.g., an error or an expiration). Or maybe users of OpenSSL are encouraged to write a do-nothing remove callback, that refuses to remove sessions from the external cache for any reason but expiration?

3) SSL_CTX_set_session_cache_mode() is supposed to enable/disable session caching. It has a number of options, but seems to lack the one that I (and Apache, and probably a lot of other applications) need: to disable the internal cache but leave the external cache.

   Using SSL_SESS_CACHE_OFF disables not only the internal cache, but also stops calling the callbacks for the external one. SSL_SESS_CACHE_SERVER enables both the internal and external caches. SSL_SESS_CACHE_NO_INTERNAL_LOOKUP seems to be closer to what I want, because it disables internal cache lookups, but strangely the manual claims that still "sessions are cached in the internal storage" - exactly the waste I was trying to avoid.

   Why not add another option SSL_SESS_CACHE_NO_INTERNAL, to disable stores in the internal cache?

Thanks in advance,
Nadav Har'El.

--
Nadav Har'El                        | Wednesday, Oct 16 2002, 10 Heshvan 5763
[EMAIL PROTECTED]                   |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |Committee: A group of people that keeps
http://nadav.harel.org.il           |minutes and wastes hours.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
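
Added example, not part of the original message and not OpenSSL code: a stand-alone C model of the behaviour reported in point 2, where evicting a session from a size-limited internal cache also fires the remove callback against the external cache. All names (`add_session`, `external_survivors`, the two callbacks) are hypothetical, and the eviction rule is an assumption taken from the post's description.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SESSIONS 16   /* capacity of this model; larger n is clamped */

/* Hypothetical stand-ins for the two caches; session ids are plain ints. */
static int internal_cache[MAX_SESSIONS], internal_len, internal_limit;
static int external_cache[MAX_SESSIONS], external_len;
typedef void (*remove_cb_t)(int id);

/* Remove callback that honours every removal request. */
static void remove_cb_obedient(int id) {
    for (int i = 0; i < external_len; i++)
        if (external_cache[i] == id) {
            memmove(&external_cache[i], &external_cache[i + 1], (size_t)(external_len - i - 1) * sizeof(int));
            external_len--;
            return;
        }
}

/* The "do-nothing" remove callback the post asks about. */
static void remove_cb_noop(int id) { (void)id; }

/* One new session: stored externally, then internally. A full internal cache
   evicts its oldest entry and fires the remove callback (assumed from the post). */
static void add_session(int id, remove_cb_t remove_cb) {
    external_cache[external_len++] = id;
    if (internal_limit <= 0) return;          /* model of "no internal store" */
    if (internal_len == internal_limit) {
        int evicted = internal_cache[0];
        memmove(internal_cache, internal_cache + 1, (size_t)(internal_len - 1) * sizeof(int));
        internal_len--;
        remove_cb(evicted);
    }
    internal_cache[internal_len++] = id;
}

/* Sessions left in the external cache after n new sessions. */
int external_survivors(int limit, int n, remove_cb_t remove_cb) {
    internal_len = external_len = 0; internal_limit = limit;
    for (int id = 1; id <= n && id <= MAX_SESSIONS; id++)
        add_session(id, remove_cb);
    return external_len;
}

int main(void) {
    printf("obedient: %d of 5 kept\n", external_survivors(3, 5, remove_cb_obedient));
    printf("no-op:    %d of 5 kept\n", external_survivors(3, 5, remove_cb_noop));
    return 0;
}
```

In this model the obedient callback leaves the shared cache no larger than one process's internal limit, which is the loss of resumable sessions the post objects to.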
