Am I correct about OpenSSL's internal session cache?

Thanks,
Tom

[EMAIL PROTECTED] writes:

> As best as I can tell, in versions 0.9.2b and 0.9.4, OpenSSL's internal SSL
> session cache does not bother to pay attention to the SSL session timeout
> value as set by SSL_set_timeout(...). OpenSSL's internal SSL session will
> clear all SSL session cache entries after 255 SSL_accept's, in the server
> case. And that's it. Is this correct? Is this by design? Is the assumption
> that there will be 255 SSL_accept's in the server case long before the SSL
> session timeout value is ever reached? Just curious.
> 
> The relevant code seems to be in ssl_get_prev_session(...). The call to
> lh_retrieve is made without any timeout checks.
> 
> -Tom
> 
> P.S. Many thanks to whoever is responsible for
>      SSL_SESS_CACHE_NO_INTERNAL_LOOKUP.

-- 
Tom Vaughan <tvaughan at aventail dot com>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
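
The timeout-at-lookup check that the message above asks about, as an added example that is not part of the original message and is not OpenSSL's code. It is a simplified, hypothetical C model of a session cache (struct sess, cache_add, lookup_unchecked, lookup_checked and SAMPLE_ID are all names invented here) that contrasts a lookup with no expiry check against one that rejects and evicts an expired entry.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

#define CACHE_SLOTS 8
#define ID_LEN 4

/* Hypothetical, simplified cache entry; not OpenSSL's SSL_SESSION. */
struct sess {
    unsigned char id[ID_LEN];
    time_t created;   /* when the session was established */
    long timeout;     /* permitted lifetime in seconds */
    int used;         /* slot occupied? */
};

static struct sess cache[CACHE_SLOTS];

/* Constructed sample session id, for illustration only. */
static const unsigned char SAMPLE_ID[ID_LEN] = { 0x01, 0x02, 0x03, 0x04 };

/* Store a session in the first free slot; returns 1 on success, 0 if full. */
int cache_add(const unsigned char *id, time_t now, long timeout) {
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (!cache[i].used) {
            memcpy(cache[i].id, id, ID_LEN);
            cache[i].created = now;
            cache[i].timeout = timeout;
            cache[i].used = 1;
            return 1;
        }
    }
    return 0;
}

/* Lookup with no expiry check: an entry stays resumable until removed. */
struct sess *lookup_unchecked(const unsigned char *id) {
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].used && memcmp(cache[i].id, id, ID_LEN) == 0)
            return &cache[i];
    return NULL;
}

/* Lookup that enforces the timeout and evicts the entry once it expires. */
struct sess *lookup_checked(const unsigned char *id, time_t now) {
    struct sess *s = lookup_unchecked(id);
    if (s != NULL && (long)(now - s->created) >= s->timeout) {
        s->used = 0;  /* expired: drop it so it cannot be resumed */
        return NULL;
    }
    return s;
}
```

With the unchecked lookup, how long a session stays resumable depends on when entries are next removed from the cache, not on the configured timeout.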
