Re: Maintaining an SSL server cache
At 09:56 PM 12/18/99 +0100, you wrote:

> James Darwin [EMAIL PROTECTED]:
>
> > I'm having trouble making the server side cache hang on to SSL sessions when all connections from the client are lost. If the client maintains one open connection, and re-uses its ssl session, the cache on the server knows to use the same session - i.e. the SSL_get_session() gives me the same number. But if the client drops its last connection, and creates a new connection to the server, still using the same ssl session as before, the server sees this as a new ssl session. BTW, SSL_free() is called when a connection is dropped in order to clean up memory.
>
> Do you create all server SSLs from the same SSL_CTX? If so, sessions should survive automatically; but you should set a session ID context for the SSL_CTX (it is used only if you do client verification, i.e. when SSL_VERIFY_PEER is set).
>
> If this does not work, then use a debugger to see what is happening (ssl/ssl_sess.c is the most important OpenSSL source code file for this): Is ssl_clear_bad_session ever called when your program is run? What happens inside ssl_get_prev_session (i.e. what "if" conditions there are true)?

Hi.

Thanks for your help! I used the debugger and found that sessions were not being shut down properly so that SSL_free was removing the sessions from the cache.

C ya,
Jimmy

--
James Darwin                 http://www.dascom.com
Senior Software Engineer     DASCOM Australia Pty Ltd.
[EMAIL PROTECTED]            Bond University Australia.

--
__
OpenSSL Project                http://www.openssl.org
Development Mailing List       [EMAIL PROTECTED]
Automated List Manager         [EMAIL PROTECTED]
Re: Maintaining an SSL server cache
James Darwin [EMAIL PROTECTED]:

> I'm having trouble making the server side cache hang on to SSL sessions when all connections from the client are lost. If the client maintains one open connection, and re-uses its ssl session, the cache on the server knows to use the same session - i.e. the SSL_get_session() gives me the same number. But if the client drops its last connection, and creates a new connection to the server, still using the same ssl session as before, the server sees this as a new ssl session. BTW, SSL_free() is called when a connection is dropped in order to clean up memory.

Do you create all server SSLs from the same SSL_CTX? If so, sessions should survive automatically; but you should set a session ID context for the SSL_CTX (it is used only if you do client verification, i.e. when SSL_VERIFY_PEER is set).

If this does not work, then use a debugger to see what is happening (ssl/ssl_sess.c is the most important OpenSSL source code file for this): Is ssl_clear_bad_session ever called when your program is run? What happens inside ssl_get_prev_session (i.e. what "if" conditions there are true)?
Maintaining an SSL server cache
Hi,

I'm having trouble making the server side cache hang on to SSL sessions when all connections from the client are lost. If the client maintains one open connection, and re-uses its ssl session, the cache on the server knows to use the same session - i.e. the SSL_get_session() gives me the same number. But if the client drops its last connection, and creates a new connection to the server, still using the same ssl session as before, the server sees this as a new ssl session. BTW, SSL_free() is called when a connection is dropped in order to clean up memory.

I have tried a number of things to try and keep the ssl session in the server cache, but nothing seems to work (more below). How have other people implemented this functionality?

I have tried creating an extra connection with SSL_new() etc, and setting the ssl session to be the same as the real connection - therefore stopping the SSL_free from removing the cached entry(?). I have tried SSL_dup() on the connection - this one stopped data flow. I have also tried upping the ssl session reference count manually on the connection. None of these have worked.

Help

Best Regards,
Jimmy

--
James Darwin                 http://www.dascom.com
Senior Software Engineer     DASCOM Australia Pty Ltd.
[EMAIL PROTECTED]            Bond University Australia.