Hi there,

On Tue, 11 Jul 2000, Lutz Jaenicke wrote:

> On Mon, Jul 10, 2000 at 07:50:06PM +0200, [EMAIL PROTECTED] wrote:
> > I hope you will help me again:
> > How do I reuse a SSL-Session on the client-side?
> > I'm writing a Http-SSL-Client based on Open-SSL.
> > I do a simple socket connect, then use SSL-connect on the socket.
> > This is where (in my opinion) Open-SSL and the Webserver are creating a
> > SSL-Session.
> > On webserver-side this is taking a lot of cpu-power.
> > After a request, the webserver shuts down the connection.
> > So I do a new socket-connect.
> > An little example of code is at the end of this message.
> > My Question is: What will I have to do to reuse the previously created SSL-Session?
> 
> You have to extract the session on the client side and manually re-load it,
> as the SSL-client-engine has no idea to which server it is connected.
> You get the session with SSL_get_session(). Then later, just before the
> SSL_connect, you set the session with SSL_set_session(ssl, old_session).
> 
> Remark: I "get" the sessions and save them into an external database,
> later reload them from the database, so I don't have the following problem:
> SSL_get_session() does not create a copy of the session for you, just a
> pointer to the place where the session is stored. Hence, the session might be
> (re-)moved inside the SSL-engine and the SSL_set_session() might fail.
> You must hence create your own copy of the session to avoid this problem,
> check out i2d_SSL_SESSION() for that.

Or instead of SSL_get_session(), you can use SSL_get1_session() which
obtains a reference count to the SSL_SESSION ... hence the SSL framework
will not remove the session, only subtract its own reference from the
session, the session itself will survive until we free our own reference
too. This is probably the easiest way to operate, except that one will
need to have a "cache"'d session for each of the servers it might connect
to (or at least some way of matching stored sessions to the server they
came from). Anyway, in the language of the original pseudo-code, here's
how it can work when connecting only to one server (generalising to
multiple servers is an exercise for the reader, who hopefully has a better
idea of their requirements than I do).


SSL_SESSION *cached = NULL;

while(TRUE) {

    /* Create a new SSL ready to connect with (SSL_new() on your SSL_CTX,
     * then SSL_set_fd() on the freshly connected socket) */

    if(cached)
        /* fine, reuse the existing session (if possible) - this will
         * still negotiate a new session if the server can't resume
         * the "cached" one. */
        SSL_set_session(the_ssl, cached);

    /* Go about the handshake and other pleasantries (SSL_connect()) */

    if(SSL_is_init_finished(the_ssl)) {
        /* OK, we have a functioning SSL session again, check if we have
         * to release our previous reference before caching the session
         * that is *now* in use. */
        if(cached)
            SSL_SESSION_free(cached);
        /* Steal the potentially newer session from the SSL */
        cached = SSL_get1_session(the_ssl);
    }

    /* etc etc etc ... */

    if(about_to_bail_out_without_wanting_memory_leaks) {
        if(cached)
            SSL_SESSION_free(cached);
        return (return_code);
    }

    /* otherwise SSL_free(the_ssl), reconnect the socket, and loop back to
     * the beginning ... */
}


Cheers,
Geoff


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
