[EMAIL PROTECTED] <[EMAIL PROTECTED]>:
>> As best as I can tell, in versions 0.9.2b and 0.9.4, OpenSSL's internal SSL
>> session cache does not bother to pay attention to the SSL session timeout
>> value as set by SSL_set_timeout(...). [...]
>> The relevant code seems to be in ssl_get_prev_session(...). The call to
>> lh_retrieve is made without any timeout checks.
I have not looked too closely at this issue, but shouldn't this part
of ssl_get_prev_session (which is executed right before the successful
return) appropriately take care of it?

    if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
        {
        s->ctx->stats.sess_timeout++;
        /* remove it from the cache */
        SSL_CTX_remove_session(s->ctx,ret);
        goto err;
        }

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
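
The check quoted in the reply above, modelled as an added example (not OpenSSL code and not written by either poster): a toy session cache whose raw retrieval ignores timeouts, while the lookup wrapper applies the expiry test just before a successful return. All toy_* names, the fixed slot array and the 4-byte session IDs are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#define SLOTS 8
#define ID_LEN 4

struct toy_session {
    unsigned char id[ID_LEN];
    long time;     /* creation time, seconds */
    long timeout;  /* lifetime, seconds */
    int in_use;
};

struct toy_cache {
    struct toy_session slot[SLOTS];
    long sess_timeout;  /* expired-hit counter, like stats.sess_timeout */
};

/* Store a session in the first free slot; returns 0 if the cache is full. */
int toy_add(struct toy_cache *c, const unsigned char *id, long now, long timeout) {
    for (size_t i = 0; i < SLOTS; i++) {
        if (c->slot[i].in_use)
            continue;
        c->slot[i] = (struct toy_session){ .time = now, .timeout = timeout, .in_use = 1 };
        memcpy(c->slot[i].id, id, ID_LEN);
        return 1;
    }
    return 0;
}

/* Raw retrieval by ID: no timeout check, like the lh_retrieve step. */
struct toy_session *toy_retrieve(struct toy_cache *c, const unsigned char *id) {
    for (size_t i = 0; i < SLOTS; i++)
        if (c->slot[i].in_use && memcmp(c->slot[i].id, id, ID_LEN) == 0)
            return &c->slot[i];
    return NULL;
}

/* Lookup as in the quoted fragment: expiry is checked after retrieval. */
struct toy_session *toy_get_prev(struct toy_cache *c, const unsigned char *id, long now) {
    struct toy_session *ret = toy_retrieve(c, id);
    if (ret != NULL && ret->time + ret->timeout < now) {  /* timeout */
        c->sess_timeout++;
        ret->in_use = 0;  /* remove it from the cache */
        return NULL;
    }
    return ret;
}
```

Because the comparison is a strict `<`, a session is still accepted at exactly time + timeout and is rejected and evicted one second later.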