On Wed, Mar 06, 2013 at 08:37:06PM +0100, Peter Sand wrote:
> I currently can save the SSL_SESSION in RAM and reuse it as SSL Session ID
> when reconnecting.
> The idea is to save it in Flash and reuse after power on again.
>
> I've looked at saving the Session like it is done in
> s_client -sess_out arg / -sess_in arg
> but a lot of functions to serialize SSL_SESSION
> ssl.h : PEM_read_bio_SSL_SESSION()
> ssl.h : PEM_write_bio_SSL_SESSION()
> are unfortunately stubbed way below.
> And I have no filesystem...
All you need is i2d_SSL_SESSION and d2i_SSL_SESSION, so no PEM
routines required. Just store the result of i2d in RAM and after
reboot run d2i and re-use the resulting session.
The session object stores the peer certificate so be prepared for
up to 16K of data (though in practice 1K is closer).
This said, what's wrong with not saving the session across reboot?
Just negotiate a new one. Saving session keys in non-volatile memory
poses a greater risk of compromise.
> 1. Am I correct to observe that I have to save the whole SSL_SESSION to be
> able to use the SSL Session ID?
Yes.
> 2. Is my assumption correct: Would it be enough to save the TLS Ticket IDs
> length & data?
IIRC you don't need to explicitly manage session tickets; they're
part of the serialized session.
> 4. Any way to avoid saving the whole SSL_SESSION?
Save the whole session.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]