Re: Empty Session_id in SSL session cache with openssl 0.9.8j and 0.9.8k

Tue, 05 May 2009 09:36:50 -0700 

On Tue, May 05, 2009, Anil Tambe wrote:

> Hi,
> 
>        Below are the steps to reproduce the issue with openssl 0.9.8k
> 
> Server ::
> 
> ./openssl s_server -cert server.pem
> 
> 
>  Client ::
> 
> ./openssl s_client -debug -msg -state -sess_out /tmp/session.out
> 
>  In the above case when we write the session to session.out , the output
> shows the session id :
> 
>  >> Abstract from output
> 
>  SSL-Session:
> 
>     Protocol  : TLSv1
> 
>     Cipher    : DHE-RSA-AES256-SHA
> 
>     Session-ID:
> C4AE767399AF791146D7384B70E2F7949C9FF555BD1BA26A2CE59BECD6ED017F
> 
>     Session-ID-ctx:
> 
>     Master-Key:
> D2F2CE13F3AD4552E23D8B042DC3AB92322A0E778375C1047D090A9DEA63C343D2558F6B6DDBD1611F326FE5E3AA5774
> 
> 
> 
> Now when we try to read from session.out  , the session id is empty ..
> 
> ./openssl s_client -debug -msg -state -sess_in /tmp/session.out
> 
> >> Abstract from output
> 
> SSL-Session:
> 
>     Protocol  : TLSv1
> 
>     Cipher    : DHE-RSA-AES256-SHA
> 
>     Session-ID:
> 
>     Session-ID-ctx:
> 
>     Master-Key:
> FCBF8B9102F1BD020FA0969EE6243F62F7C700F6B701B6A19C4CD57F5BFF0E2FA58B96846EC64FD25FF901C12489362D
> 
>     Key-Arg   : None
> 
> 
> The above behavior ( empty session id )  is found with  i.e openssl 0.9.8j
> and openssl 0.9.8k.  i verified with other version 0.9.8g , 0.9.8h , 0.9.8i
> works fine.
> 
> It seems server side is not sending the session id as part of the initial
> hello, and as a result, the session caching is not working. When there is no
> session id, client simply discards that session and not cache it.
> 
> Does anybody encounter the issue previously , any thoughts ?
> 

The versions of OpenSSL you mention support stateless session resumption for
which no server side session cache is needed and the session ID is empty. 

If the server doesn't support stateless session resumption then normal
stateful sessions are used as before.

If you want to force stateful sessions use the -no_ticket option.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to