On Tue, Nov 20, 2001 at 06:09:04PM +0200, Arne Ansper wrote: > we have a client program that uses external session database for session > caching. we have found a bug in client side session caching. or actually a > missing functionality. > > after decoding stored session using d2i function the cipher parameter of > SSL_SESSION structure is zero. on server side the cipher field is filled > from cipher_id in ssl_sess.c function ssl_get_prev_session (this function > is used only in server side). in openssl 0.9.6b the relevant code looks > like this: > > if (ret->cipher == NULL) > { > unsigned char buf[5],*p; > unsigned long l; > > p=buf; > l=ret->cipher_id; > l2n(l,p); > if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR) > ret->cipher=ssl_get_cipher_by_char(s,&(buf[2])); > else > ret->cipher=ssl_get_cipher_by_char(s,&(buf[1])); > if (ret->cipher == NULL) > goto err; > } > > but there is no function to do it on the client side.
The SSL client will receive the selected cipher from the server in the server hello message (RFC2246, Section 7.4.1): cipher_suite The single cipher suite selected by the server from the list in ClientHello.cipher_suites. For resumed sessions this field is the value from the state of the session being resumed. The OpenSSL client does set the cipher based on this returned value. It is therefore not necessary to set the cipher in advance. Do you have any problems due to this behaviour? Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]