As best as I can tell, in versions 0.9.2b and 0.9.4, OpenSSL's internal SSL session cache does not bother to pay attention to the SSL session timeout value as set by SSL_set_timeout(...). OpenSSL's internal SSL session cache will clear all SSL session cache entries after 255 SSL_accept's, in the server case. And that's it. Is this correct? Is this by design? Is the assumption that there will be 255 SSL_accept's in the server case long before the SSL session timeout value is ever reached? Just curious.

The relevant code seems to be in ssl_get_prev_session(...). The call to lh_retrieve is made without any timeout checks.
-Tom
P.S. Many thanks to whoever is responsible for SSL_SESS_CACHE_NO_INTERNAL_LOOKUP.
--
Tom Vaughan <tvaughan at aventail dot com>
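As an added illustration of the check the post says is missing in ssl_get_prev_session(...), here is a constructed toy session cache in C (hypothetical code, not OpenSSL's): one lookup returns an entry regardless of age, the other treats an entry past created + timeout as a miss and evicts it, so a stale session cannot be resumed. The session id TOY_ID and the timestamps are constructed sample values.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Constructed toy model of a server-side session cache (hypothetical, not
 * OpenSSL's code) showing a lookup that honours a per-session timeout. */
#define CACHE_SIZE 8
#define SESS_ID_LEN 4

typedef struct {
    unsigned char id[SESS_ID_LEN];
    time_t created;  /* time the session was established */
    long timeout;    /* lifetime in seconds (what SSL_set_timeout() sets) */
    int in_use;
} toy_session;

static toy_session cache[CACHE_SIZE];

/* Constructed sample session id used by the demonstration. */
const unsigned char TOY_ID[SESS_ID_LEN] = {0xde, 0xad, 0xbe, 0xef};

void toy_cache_reset(void) { memset(cache, 0, sizeof cache); }

/* Store a session; returns 0 on success, -1 if the cache is full. */
int toy_cache_add(const unsigned char *id, time_t created, long timeout) {
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (!cache[i].in_use) {
            memcpy(cache[i].id, id, SESS_ID_LEN);
            cache[i].created = created;
            cache[i].timeout = timeout;
            cache[i].in_use = 1;
            return 0;
        }
    }
    return -1;
}

static toy_session *toy_find(const unsigned char *id) {
    for (int i = 0; i < CACHE_SIZE; i++)
        if (cache[i].in_use && memcmp(cache[i].id, id, SESS_ID_LEN) == 0)
            return &cache[i];
    return NULL;
}

/* Lookup as the post describes it: the entry is returned whatever its age. */
toy_session *toy_lookup_no_timeout(const unsigned char *id) { return toy_find(id); }

/* Lookup with the timeout check: an entry older than created + timeout is
 * evicted and reported as a miss, forcing a full handshake instead. */
toy_session *toy_lookup_with_timeout(const unsigned char *id, time_t now) {
    toy_session *s = toy_find(id);
    if (s == NULL) return NULL;
    if ((long)(now - s->created) >= s->timeout) { s->in_use = 0; return NULL; }
    return s;
}
```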
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List