On Wed, Mar 25, 2015 at 03:32:08PM +0000, Dr. Stephen Henson wrote:
> > I am trying to implement server side caching support for sessions by
> > using callback functions. However, the callback functions are never
> > being called, even though connection happens successfully without
> > session resumption. For your reference some of the sample code I am
> > pasting below:
> >
> > ssl_session_ctx_id = 1;
> > SSL_CTX_set_session_id_context (c, (void *)&ssl_session_ctx_id, sizeof
> > (ssl_session_ctx_id));
> > SSL_CTX_set_session_cache_mode(c, SSL_SESS_CACHE_SERVER |
> > SSL_SESS_CACHE_NO_INTERNAL);
> > SSL_CTX_sess_set_new_cb (c, custom_new_session_cb );
> > SSL_CTX_sess_set_remove_cb (c, custom_remove_session_cb );
> > SSL_CTX_sess_set_get_cb (c, custom_get_session_cb);
> >
> >
> > Can somebody kindly help me as to what I am missing out here? What
> > could be the reason behind the callback functions not being called?
>
> The client could be using session tickets which don't use a session cache. You
> can try disabling them by setting SSL_OP_NO_TICKET.
I would NOT recommend disabling session tickets, they are better
than server-side caches.
That said, Postfix supports both, ahd the callbacks are called. See lines
624-669 of:
https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_server.c
--
Viktor.
line 165:
static const char server_session_id_context[] = "Postfix/TLS";
lines 624-669:
if (cachable || ticketable || props->set_sessid) {
/*
* Initialize the session cache.
*
* With a large number of concurrent smtpd(8) processes, it is not a
* good idea to cache multiple large session objects in each process.
* We set the internal cache size to 1, and don't register a
* "remove_cb" so as to avoid deleting good sessions from the
* external cache prematurely (when the internal cache is full,
* OpenSSL removes sessions from the external cache also)!
*
* This makes SSL_CTX_remove_session() not useful for flushing broken
* sessions from the external cache, so we must delete them directly
* (not via a callback).
*
* Set a session id context to identify to what type of server process
* created a session. In our case, the context is simply the name of
* the mail system: "Postfix/TLS".
*/
SSL_CTX_sess_set_cache_size(server_ctx, 1);
SSL_CTX_set_session_id_context(server_ctx,
(void *) &server_session_id_context,
sizeof(server_session_id_context));
SSL_CTX_set_session_cache_mode(server_ctx,
SSL_SESS_CACHE_SERVER |
SSL_SESS_CACHE_NO_AUTO_CLEAR);
if (cachable) {
app_ctx->cache_type = mystrdup(props->cache_type);
SSL_CTX_sess_set_get_cb(server_ctx, get_server_session_cb);
SSL_CTX_sess_set_new_cb(server_ctx, new_server_session_cb);
}
/*
* OpenSSL ignores timed-out sessions. We need to set the internal
* cache timeout at least as high as the external cache timeout. This
* applies even if no internal cache is used. We set the session
* lifetime to twice the cache lifetime, which is also the issuing
* and retired key validation lifetime of session tickets keys. This
* way a session always lasts longer than the server's ability to
* decrypt its session ticket. Otherwise, a bug in OpenSSL may fail
* to re-issue tickets when sessions decrypt, but are expired.
*/
SSL_CTX_set_timeout(server_ctx, 2 * scache_timeout);
}
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
