Re: [REPOST] internal SSL session cache question(s)

1999-09-14 Thread Bodo Moeller

On Tue, Sep 14, 1999 at 12:22:56PM -0700, [EMAIL PROTECTED] wrote:

> [...]
> This is all theory at this point, but it seems as though there is a problem
> with SSL_set_timeout(...) (or my use of it).

What functions and macros do you use?  Usually you should not need
SSL_set_timeout; what you need is SSL_CTX_set_timeout on the SSL_CTX
before any sessions are created.  SSL_set_timeout on an SSL_SESSION
does not affect the copy of that session that may be in an external
cache.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: [REPOST] internal SSL session cache question(s)

1999-09-14 Thread Bodo Moeller

On Tue, Sep 14, 1999 at 10:25:55AM +0100, Ben Laurie wrote:
> [EMAIL PROTECTED] wrote:
> > [EMAIL PROTECTED] (Bodo Moeller) writes:
> > 
> > > I have not looked too closely at this issue, but shouldn't this part
> > > of ssl_get_prev_session (which is executed right before the successful
> > > return) appropriately take care of it?
> > 
> > Hmm... The behavior is a bit more like what I would expect if this is
> > moved up so that it is invoked /before/ the get_session_cb?  I'll have to
> > look into this a bit more closely.
> 
> In the case of an external session cache, it is its responsibility to
> enforce whatever aging policy it has.

You have to implement your own policy for getting rid of stale entries,
but I don't think the SSL library will continue to actually use them
when the timeout has expired.



Re: [REPOST] internal SSL session cache question(s)

1999-09-14 Thread Ben Laurie

> [EMAIL PROTECTED] wrote:
> 
> > [EMAIL PROTECTED] (Bodo Moeller) writes:
> > 
> > > I have not looked too closely at this issue, but shouldn't this part
> > > of ssl_get_prev_session (which is executed right before the successful
> > > return) appropriately take care of it?
> > 
> > Hmm... The behavior is a bit more like what I would expect if this is
> > moved up so that it is invoked /before/ the get_session_cb?  I'll have to
> > look into this a bit more closely.

In the case of an external session cache, it is its responsibility to
enforce whatever aging policy it has.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
 - Indira Gandhi



Re: [REPOST] internal SSL session cache question(s)

1999-09-14 Thread tvaughan

Bodo Moeller [EMAIL PROTECTED] writes:

> On Tue, Sep 14, 1999 at 12:22:56PM -0700, [EMAIL PROTECTED] wrote:
> 
> [...]
> > This is all theory at this point, but it seems as though there is a problem
> > with SSL_set_timeout(...) (or my use of it).
> 
> What functions and macros do you use?  Usually you should not need
> SSL_set_timeout; what you need is SSL_CTX_set_timeout on the SSL_CTX
> before any sessions are created.  SSL_set_timeout on an SSL_SESSION
> does not affect the copy of that session that may be in an external
> cache.

A bastardized mod_ssl 2.1.3.

ssl = ap_ctx_get(c->client->ctx, "ssl");
if (ssl == NULL)
    return 0;

session = SSL_get_session(ssl);
if (session == NULL)
    return 0;

/*
 * Set the timeout also for the internal SSLeay cache, because this way
 * our inter-process cache is consulted only when it's really necessary.
 */
sc = mySrvConfig(mc->rCtx.pConn->server);
t = SSL_get_time(session) + sc->nSessionCacheTimeout;
SSL_set_timeout(session, t);

In my case, I'd like to be able to re-set the session timeout so I can
extend the lifetime of a session.

-Tom

-- 
Tom Vaughan tvaughan at aventail dot com



[REPOST] internal SSL session cache question(s)

1999-09-13 Thread tvaughan

Am I correct about OpenSSL's internal session cache?

Thanks,
Tom

[EMAIL PROTECTED] writes:

> As best as I can tell, in versions 0.9.2b and 0.9.4, OpenSSL's internal SSL
> session cache does not bother to pay attention to the SSL session timeout
> value as set by SSL_set_timeout(...). OpenSSL's internal SSL session will
> clear all SSL session cache entries after 255 SSL_accept's, in the server
> case. And that's it. Is this correct? Is this by design? Is the assumption
> that there will be 255 SSL_accept's in the server case long before the SSL
> session timeout value is ever reached? Just curious.
> 
> The relevant code seems to be in ssl_get_prev_session(...). The call to
> lh_retrieve is made without any timeout checks.
> 
> -Tom
> 
> P.S. Many thanks to whomever is responsible for
>  SSL_SESS_CACHE_NO_INTERNAL_LOOKUP.

-- 
Tom Vaughan tvaughan at aventail dot com



Re: [REPOST] internal SSL session cache question(s)

1999-09-13 Thread Bodo Moeller

[EMAIL PROTECTED] [EMAIL PROTECTED]:

> As best as I can tell, in versions 0.9.2b and 0.9.4, OpenSSL's internal SSL
> session cache does not bother to pay attention to the SSL session timeout
> value as set by SSL_set_timeout(...).  [...]
> The relevant code seems to be in ssl_get_prev_session(...). The call to
> lh_retrieve is made without any timeout checks.

I have not looked too closely at this issue, but shouldn't this part
of ssl_get_prev_session (which is executed right before the successful
return) appropriately take care of it?

if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
    {
    s->ctx->stats.sess_timeout++;
    /* remove it from the cache */
    SSL_CTX_remove_session(s->ctx,ret);
    goto err;
    }



Re: [REPOST] internal SSL session cache question(s)

1999-09-13 Thread tvaughan

[EMAIL PROTECTED] (Bodo Moeller) writes:

> I have not looked too closely at this issue, but shouldn't this part
> of ssl_get_prev_session (which is executed right before the successful
> return) appropriately take care of it?

Hmm... The behavior is a bit more like what I would expect if this is
moved up so that it is invoked /before/ the get_session_cb?  I'll have to
look into this a bit more closely. 

Thank you.

-Tom

-- 
Tom Vaughan tvaughan at aventail dot com
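An added example (not OpenSSL's or mod_ssl's code) that models the rule Bodo quotes from ssl_get_prev_session, with an internal cache and an external get_session_cb in the order that quoted code uses: the internal lookup runs first (unless disabled), then the callback, and only then the timeout check on whatever came back. Two consequences the thread circles around fall out of that ordering: an entry handed back by the callback is refused once time+timeout lies in the past, but the library only drops its own internal copy, so an external cache that never ages its records keeps serving the stale one on every lookup (Ben's point); and SSL_set_timeout sets the timeout field that the quoted check adds to the creation time, so the mod_ssl snippet earlier in the thread, which passes SSL_get_time(session) plus the cache timeout, ends up with an expiry of roughly twice the clock value rather than one cache lifetime. All names here (session, ctx, get_prev_session, run_scenarios, ext_record, expiry_if_timeout_is_absolute) and the sample records are this example's own constructions.

```c
/* Added example, not OpenSSL or mod_ssl code: a stand-alone model of the
 * lookup-then-expire rule quoted from ssl_get_prev_session.  Every name
 * (session, ctx, get_prev_session, ...) is this example's own. */
#include <stdio.h>
#include <string.h>

#define ID_LEN 4
#define INTERNAL_SLOTS 8

typedef struct {
    unsigned char id[ID_LEN];
    long time;     /* creation time, like SSL_SESSION->time */
    long timeout;  /* lifetime in seconds, like SSL_SESSION->timeout */
    int in_use;
} session;

typedef struct ctx ctx;
typedef session *(*get_cb_t)(ctx *c, const unsigned char *id);

struct ctx {
    session internal[INTERNAL_SLOTS];
    get_cb_t get_cb;        /* external cache lookup, like the sess_get_cb */
    int no_internal_lookup; /* like SSL_SESS_CACHE_NO_INTERNAL_LOOKUP */
    long sess_timeout;      /* like ctx->stats.sess_timeout */
};

/* The quoted check compares time+timeout with time(NULL): timeout is a
 * duration in seconds and the absolute expiry is derived from it. */
long expires_at(const session *s) { return s->time + s->timeout; }
int session_expired(const session *s, long now) { return expires_at(s) < now; }

session *internal_add(ctx *c, const unsigned char *id, long created, long timeout)
{
    for (int i = 0; i < INTERNAL_SLOTS; i++) {
        session *s = &c->internal[i];
        if (s->in_use) continue;
        memcpy(s->id, id, ID_LEN);
        s->time = created; s->timeout = timeout; s->in_use = 1;
        return s;
    }
    return NULL;
}

session *internal_lookup(ctx *c, const unsigned char *id)
{
    for (int i = 0; i < INTERNAL_SLOTS; i++)
        if (c->internal[i].in_use && memcmp(c->internal[i].id, id, ID_LEN) == 0)
            return &c->internal[i];
    return NULL;
}

/* Like SSL_CTX_remove_session: drops the internal copy only; a copy held by
 * an external cache stays there until that cache ages it out itself. */
void remove_session(ctx *c, session *s)
{
    for (int i = 0; i < INTERNAL_SLOTS; i++)
        if (&c->internal[i] == s) s->in_use = 0;
}

/* Same order as the quoted ssl_get_prev_session: internal lookup (unless
 * disabled), then the external callback, then the timeout check. */
session *get_prev_session(ctx *c, const unsigned char *id, long now)
{
    session *ret = NULL;
    if (!c->no_internal_lookup) ret = internal_lookup(c, id);
    if (ret == NULL && c->get_cb != NULL) ret = c->get_cb(c, id);
    if (ret == NULL) return NULL;
    if (session_expired(ret, now)) {   /* timeout */
        c->sess_timeout++;
        remove_session(c, ret);
        return NULL;
    }
    return ret;
}

/* Constructed external cache: one record, created at t=1000 with a 300 s
 * lifetime, that its owner never ages out. */
static session ext_record = { { 'w', 'x', 'y', 'z' }, 1000, 300, 1 };
session *ext_get(ctx *c, const unsigned char *id)
{
    (void)c;
    return memcmp(ext_record.id, id, ID_LEN) == 0 ? &ext_record : NULL;
}

/* Models passing SSL_get_time(session) + secs to SSL_set_timeout, as the
 * mod_ssl snippet in the thread does: expiry lands at 2*created + secs. */
long expiry_if_timeout_is_absolute(long created, long secs)
{
    session s = { { 0 }, created, created + secs, 1 };
    return expires_at(&s);
}

/* Walks both caches through the thread's scenarios; returns the number of
 * expectations that failed (0 means the model behaves as described). */
int run_scenarios(void)
{
    static const unsigned char ab[ID_LEN] = { 'a', 'b', 'c', 'd' };
    static const unsigned char wx[ID_LEN] = { 'w', 'x', 'y', 'z' };
    ctx c; memset(&c, 0, sizeof c); c.get_cb = ext_get;
    session *s = internal_add(&c, ab, 1000, 300);
    int failed = 0;
    failed += !(get_prev_session(&c, ab, 1300) == s);             /* last valid second */
    failed += !(get_prev_session(&c, ab, 1301) == NULL);          /* expired, dropped */
    failed += !(c.sess_timeout == 1 && internal_lookup(&c, ab) == NULL);
    failed += !(get_prev_session(&c, wx, 1200) == &ext_record);   /* via callback */
    failed += !(get_prev_session(&c, wx, 2000) == NULL);          /* stale: refused */
    failed += !(get_prev_session(&c, wx, 2000) == NULL);          /* ...but still served */
    failed += !(c.sess_timeout == 3 && ext_record.in_use == 1);
    return failed;
}

int main(void)
{
    printf("failed checks: %d\n", run_scenarios());
    printf("expiry with absolute 'timeout': %ld\n", expiry_if_timeout_is_absolute(1000, 300));
    return 0;
}
```

The two wx lookups at t=2000 are the practitioner's check on Ben's remark: the library refuses the stale record each time and bumps sess_timeout each time, but nothing it does touches ext_record, so an inter-process cache needs its own sweep keyed on the expiry it stored. The expiry_if_timeout_is_absolute call is the check on the mod_ssl snippet: with created=1000 and a 300 s cache timeout it reports 2300 rather than 1300.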