Steve is usually around, but I'm not sure he has the time to look into
all the complex questions.  Unfortunately, I don't know the guts nor
future development well enough to be able to answer your question.

If you would like to request the ability to get that information in a
stable, supported manner, the best place to ask is openssl-devel
and/or open a feature request.

-Kyle H

On 5/11/06, Victor Duchovni <[EMAIL PROTECTED]> wrote:

I am looking for a portable way to compare the cipher of a session in
the external cache with the cipherlist of an embryonic SSL object.

Sessions in the external cache are essentially keyed by the target IP
and port, and multiple logical destinations (email receiving domains)
may be served by the same TLS-enabled SMTP server.

In Postfix 2.3 the administrator will be able to specify separate
cipherlists for each destination domain, but sessions are not cached by
domain to avoid excessive session counts for hosts serving a large pool
of domains.

So before I attempt to re-use a session, I need to make sure that
its cipher is OK for the current destination (otherwise the handshake
breaks). I can peek under the hood to get the session's cipher number
(session->cipher_id) and compare with the cipher ids of the cipherlist
(also direct structure access), but this is an unpublished interface,
and I don't expect binary compatible behaviour for unpublished interfaces.

Is there a way to filter out incompatible sessions via published APIs?

Are new published APIs to allow cipher id comparisons likely to materialize
in the future?

Right now, I may have to build the cipherlist spec into the cache lookup
key; this will work moderately well in the typical case when most domains
have the same cipherlist, and the set of override cipherlists is small.
It is never worse than putting the domain in the lookup key, because
there is at most one cipherlist per domain, but there can be many domains
per cipherlist. :-(

One last thing, I notice that when I ask questions of this sort here,
they mostly go unanswered... Is this the wrong list? Does this belong
on openssl-devel or some other list rather than openssl-users?

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
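The workaround Viktor describes (folding the per-destination cipherlist spec into the session cache lookup key, so a session is only ever offered to a destination that would have negotiated it with the same cipherlist) is sketched below as an added example. This is not Postfix or OpenSSL code and uses no OpenSSL API; the cache, the key format "host:port:cipherlist", the domain names and the cipherlist strings are constructed for illustration, and the stored string stands in for a serialized SSL_SESSION.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Postfix or OpenSSL code: a session cache whose lookup
 * key folds the destination's cipherlist spec into the (host, port) key,
 * so a cached session is only offered to a destination whose cipherlist
 * produced it. Names, key format and the fixed-size cache are assumptions. */

#define KEY_MAX 256
#define CACHE_SLOTS 8

struct cache_entry {
    char key[KEY_MAX];
    char session_id[32];   /* stands in for the serialized SSL_SESSION */
    int  used;
};

static struct cache_entry cache[CACHE_SLOTS];

/* Compose "host:port:cipherlist". Returns 0 on success, -1 if the key would
 * not fit: a silently truncated key could alias two different cipherlists. */
int make_cache_key(char *buf, size_t buflen, const char *host, int port,
                   const char *cipherlist)
{
    int n = snprintf(buf, buflen, "%s:%d:%s", host, port, cipherlist);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

/* Store a session under the composed key, replacing any entry with the same key. */
int cache_store(const char *host, int port, const char *cipherlist,
                const char *session_id)
{
    char key[KEY_MAX];
    int i, slot = -1;

    if (make_cache_key(key, sizeof key, host, port, cipherlist) != 0)
        return -1;
    for (i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].used && strcmp(cache[i].key, key) == 0) {
            slot = i;
            break;
        }
        if (!cache[i].used && slot < 0)
            slot = i;
    }
    if (slot < 0)
        return -1;                              /* cache full */
    strncpy(cache[slot].key, key, KEY_MAX - 1);
    cache[slot].key[KEY_MAX - 1] = '\0';
    strncpy(cache[slot].session_id, session_id, sizeof cache[slot].session_id - 1);
    cache[slot].session_id[sizeof cache[slot].session_id - 1] = '\0';
    cache[slot].used = 1;
    return 0;
}

/* Look up a session for host/port under the cipherlist the current destination uses.
 * A destination with a different cipherlist never sees this session. */
const char *cache_lookup(const char *host, int port, const char *cipherlist)
{
    char key[KEY_MAX];
    int i;

    if (make_cache_key(key, sizeof key, host, port, cipherlist) != 0)
        return NULL;
    for (i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].used && strcmp(cache[i].key, key) == 0)
            return cache[i].session_id;
    return NULL;
}

/* Per-domain cipherlist policy (constructed): one override, everything else default. */
const char *cipherlist_for_domain(const char *domain)
{
    if (strcmp(domain, "bank.example") == 0)
        return "HIGH:!aNULL";
    return "MEDIUM:HIGH:!aNULL";
}

/* The scenario from the thread: several domains served by one MX.
 * Returns 0 when reuse and rejection both behave as intended. */
int demo(void)
{
    const char *mx = "mx.example.net";
    const char *s;

    /* Session established while delivering to a domain using the default list. */
    if (cache_store(mx, 25, cipherlist_for_domain("a.example"), "sess-default") != 0)
        return -1;
    /* b.example shares that cipherlist: the session is reusable. */
    s = cache_lookup(mx, 25, cipherlist_for_domain("b.example"));
    if (s == NULL || strcmp(s, "sess-default") != 0)
        return -2;
    /* bank.example has an override: the lookup must miss rather than
     * hand back a session whose cipher the override would reject. */
    s = cache_lookup(mx, 25, cipherlist_for_domain("bank.example"));
    if (s != NULL)
        return -3;
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The point the key format makes is the one in the message: the cache grows with the number of distinct cipherlists per host, not with the number of domains, and a session negotiated under one cipherlist can never be handed to a destination configured with another, so the handshake failure Viktor mentions cannot occur. The truncation check in make_cache_key matters for the same reason: a key cut off inside the cipherlist spec could make two different policies collide.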
