Starting with OpenSSL 0.9.8f, ssl3_get_client_hello() no longer tests whether the client proposed a previous session_id before trying to process it. In previous releases, a new session was always created if no previous session was proposed (i.e. if j==0 at ssl/s3_srvr.c:746).

ssl3_get_client_hello() now calls ssl_get_prev_session(), which calls the user's get_session_cb() function if one was registered via SSL_CTX_sess_set_get_cb(). When no previous session_id is proposed, an empty session_id and a session_id length of zero are passed to get_session_cb(). This causes problems with existing callbacks. For example, Apache 2.2 will report:

[error] unusably short session_id provided (0 bytes)

for every new session when it is used with OpenSSL 0.9.8f. This is contrary to the docs at http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_get_cb.html which say "The get_session_cb() is only called on SSL/TLS servers with the session id proposed by the client."

-tom-

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
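As an added example (not from the post, Apache or OpenSSL), the checks a get_session_cb()-style lookup needs so that the zero-length session_id 0.9.8f now passes for a fresh handshake is treated as an ordinary new-session miss rather than logged as an error, while an out-of-range length is still refused. The cache, the struct and the function names are constructed stand-ins, and the SSL pointer is left out so the code compiles without OpenSSL headers.

```c
#include <stddef.h>
#include <string.h>
#define MAX_SESSION_ID_LEN 32   /* matches OpenSSL's SSL_MAX_SSL_SESSION_ID_LENGTH */

/* Constructed stand-in for SSL_SESSION holding only what the lookup needs. */
typedef struct { unsigned char id[MAX_SESSION_ID_LEN]; int id_len; int in_use; } cached_session;

/* Why a lookup returned NULL, so "new session" is not logged as an error. */
enum lookup_result { LOOKUP_HIT, LOOKUP_MISS, LOOKUP_NO_ID, LOOKUP_BAD_LEN };

static cached_session cache[4];   /* constructed tiny in-memory cache */

/* Populate the constructed cache; returns 1 on success, 0 when full or invalid. */
int store_session(const unsigned char *id, int len)
{
    if (id == NULL || len <= 0 || len > MAX_SESSION_ID_LEN) return 0;
    for (size_t i = 0; i < sizeof cache / sizeof cache[0]; i++) {
        if (!cache[i].in_use) {
            memcpy(cache[i].id, id, (size_t)len);
            cache[i].id_len = len;
            cache[i].in_use = 1;
            return 1;
        }
    }
    return 0;
}

/* Same contract as get_session_cb(SSL *, unsigned char *id, int len, int *copy),
 * minus the SSL pointer. len == 0 is the 0.9.8f "no session proposed" call and
 * is a quiet miss; a length outside 1..32 is malformed and refused unread. */
cached_session *lookup_session(const unsigned char *id, int len, int *copy,
                               enum lookup_result *why)
{
    *copy = 0;
    if (len == 0) { *why = LOOKUP_NO_ID; return NULL; }
    if (id == NULL || len < 0 || len > MAX_SESSION_ID_LEN) {
        *why = LOOKUP_BAD_LEN;   /* never memcmp past the caller's buffer */
        return NULL;
    }
    for (size_t i = 0; i < sizeof cache / sizeof cache[0]; i++) {
        if (cache[i].in_use && cache[i].id_len == len &&
            memcmp(cache[i].id, id, (size_t)len) == 0) {
            *why = LOOKUP_HIT;
            *copy = 1;   /* caller takes its own reference, as OpenSSL does when *copy=1 */
            return &cache[i];
        }
    }
    *why = LOOKUP_MISS;
    return NULL;
}
```

A real callback would map LOOKUP_NO_ID and LOOKUP_MISS to a silent NULL return and reserve logging for LOOKUP_BAD_LEN.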