On Thu, 4 Mar 2004, David Hajek wrote:

> Well, it seems that correct session handling in SSL is not easy. It
> seems that 255 sessions are cached for each SSL_CTX by default, even if
> the session_id_context is not set. That's probably why mozilla
> complains. So I think we have two options here:

All the versions used in development allow caching for far more than 255 sessions, and the documentation says that the session id context is only required for using offline caching. There is automatic session maintenance every 255 connections, but removal is based on expiry, not number.

My guess at what happens is that the version of Mozilla used blindly assumes there is a session id context, and as a result its session resumption messages are "odd". To get a better understanding of what Mozilla does that causes it to fail, please use ssldump.

> 1/ Disable SSL session caching by calling SSL_CTX_set_session_cache_mode (
> SSL_SESS_CACHE_OFF )

You certainly do not want to forcibly disable the session cache, as this cache is required for session resumption. If you disable this there will be an RSA handshake on each new connection. Having an option to disable session resumption is good, however, in situations where you are short on memory.

> 2/ Enable internal OpenSSL session caching by calling
> SSL_CTX_set_session_id_context().

My understanding is that this is only required when using an external session cache, which Squid is not.

> But then it seems we have to (manually) add each session to the internal
> OpenSSL cache by calling SSL_CTX_add_session( ).

My understanding is that this should only be required if you also disable the automatic caching by calling SSL_CTX_set_session_cache_mode.

Which versions of Mozilla and OpenSSL are you using?

Regards
Henrik
