Re: SSL session ID reuse - clarification needed

Fri, 03 Jan 2020 14:34:56 -0800 

Hi Daniel,

On Fri, Jan 03, 2020 at 09:21:04PM +0100, Daniel Jeliński via curl-library 
wrote:
> Hi all,
> I see that libcurl supports SSL session ID cache already, unless
> CURLOPT_SSL_SESSIONID_CACHE is cleared. However, I'm having a hard
> time finding information about the scope of session ID reuse:
> - Are session IDs reused only within an easy handle or globally for
> all handles within the application?

It looks like it is reused within an easy handle only. The attached
program was based on the output of:

    curl --http1.1 -vIH connection:close https://example.com/ 
https://example.com/ --libcurl some.c

With `cc some.c -lcurl`, I see "SSL re-using session ID" in stderr.
With `cc some.c -lcurl -DRESET`, I do not see that line.

> - Does libcurl keep a mapping between host names and session IDs? As
> far as I can tell, openSSL does not.

It appears so. Aside from hostname, the port number, and TLS config
(client cert, certificate validation, etc.) are also checked:
https://github.com/curl/curl/blob/curl-7_67_0/lib/vtls/vtls.c#L344-L353

For OpenSSL, the relevant glue code is here:
https://github.com/curl/curl/blob/curl-7_67_0/lib/vtls/openssl.c#L2864-L2875
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl

#include <curl/curl.h>

int main(int argc, char *argv[])
{
  CURLcode ret;
  CURL *hnd;
  struct curl_slist *slist1;
  struct curl_slist *slist2;

  slist1 = NULL;
  slist1 = curl_slist_append(slist1, "connection:close");
  slist2 = NULL;
  slist2 = curl_slist_append(slist2, "connection:close");

  hnd = curl_easy_init();
  curl_easy_setopt(hnd, CURLOPT_URL, "https://example.com/";);
  curl_easy_setopt(hnd, CURLOPT_NOPROGRESS, 1L);
  curl_easy_setopt(hnd, CURLOPT_NOBODY, 1L);
  curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, slist1);
  curl_easy_setopt(hnd, CURLOPT_HTTP_VERSION, (long)CURL_HTTP_VERSION_1_1);
  curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);

  ret = curl_easy_perform(hnd);
#ifdef RESET
  curl_easy_cleanup(hnd);
  hnd = curl_easy_init();
#endif

  curl_easy_setopt(hnd, CURLOPT_URL, "https://www.example.com/";);
  curl_easy_setopt(hnd, CURLOPT_NOPROGRESS, 1L);
  curl_easy_setopt(hnd, CURLOPT_NOBODY, 1L);
  curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, slist2);
  curl_easy_setopt(hnd, CURLOPT_HTTP_VERSION, (long)CURL_HTTP_VERSION_1_1);
  curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);

  ret = curl_easy_perform(hnd);
  curl_easy_cleanup(hnd);

  hnd = NULL;
  curl_slist_free_all(slist1);
  slist1 = NULL;
  curl_slist_free_all(slist2);
  slist2 = NULL;

  return (int)ret;
}

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Reply via email to