On Wed, Feb 20, 2002 at 02:17:15PM +0200, Yoram Zahavi wrote:
> I'm using SSL_clear (0.9.6c) in order to reuse the SSL object. SSL_clear()
> should make sure that the SSL Session will *not* be reused if
> SSL_SENT_SHUTDOWN is *not* set.
>
> Well, I faced some problems and I looked into the code:
> * SSL_clear sets SSL structure state with SSL_ST_BEFORE. (The previous state
> is saved in tmp variable, but is never in use).
> * Later on it calls ssl_clear_bad_session, which is supposed to check if session
> can be reused.
> * According to ssl_clear_bad_session, session is considered "bad" if
>   - Function did not receive a NULL structure, and
>   - Structure was not assigned with SSL_SENT_SHUTDOWN, and
>   - Structure was *not* set with SSL_ST_BEFORE (but flag is set
>     whenever SSL_clear is called ??)
>
> Taken from ssl_lib.c, SSL_clear() is doing:
>     s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
>     ......
>     if (ssl_clear_bad_session(s))
>         {
>         SSL_SESSION_free(s->session);
>         s->session=NULL;
>         }
>
> Taken from ssl_sess.c, ssl_clear_bad_session(s) is doing:
>     if ((s->session != NULL) &&
>         !(s->shutdown & SSL_SENT_SHUTDOWN) &&
>         !(SSL_in_init(s) || SSL_in_before(s)))
>         {
>         SSL_CTX_remove_session(s->ctx,s->session);
>         return(1);
>         }
>     else
>         return(0);
>     }
>
> Does it mean that the SSL session is never removed through SSL_clear, or am
> I totally wrong?

It seems to me that your analysis is correct. I have checked in an appropriate
patch.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
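
Added example, not part of the original thread and neither OpenSSL's code nor the patch that was checked in: a reduced C model of the ordering problem analysed above, where the state is reset to "before" ahead of a check that refuses to fire in that state. The struct, the constant values and the `clear_check_first` reordering are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model: names mirror the quoted code, values are constructed. */
enum { ST_CONNECT = 0x1000, ST_ACCEPT = 0x2000, ST_BEFORE = 0x4000, ST_OK = 0x03 };
enum { SENT_SHUTDOWN = 0x01 };

struct model_ssl {
    int state;        /* handshake state bits */
    int shutdown;     /* shutdown flags */
    int server;       /* non-zero for the accepting side */
    int has_session;  /* stands in for s->session != NULL */
};

/* Same predicate as the quoted ssl_clear_bad_session(). */
static int clear_bad_session(struct model_ssl *s)
{
    if (s->has_session &&
        !(s->shutdown & SENT_SHUTDOWN) &&
        !((s->state & (ST_CONNECT | ST_ACCEPT)) || (s->state & ST_BEFORE))) {
        s->has_session = 0;   /* models cache removal plus the caller's free */
        return 1;
    }
    return 0;
}

/* Order quoted in the post: state is reset first, so the check never fires. */
static int clear_as_quoted(struct model_ssl *s)
{
    s->state = ST_BEFORE | (s->server ? ST_ACCEPT : ST_CONNECT);
    return clear_bad_session(s);
}

/* Assumed reordering: judge the session against the old state, then reset. */
static int clear_check_first(struct model_ssl *s)
{
    int dropped = clear_bad_session(s);
    s->state = ST_BEFORE | (s->server ? ST_ACCEPT : ST_CONNECT);
    return dropped;
}

int main(void)
{
    /* Constructed case: established connection, no shutdown alert sent. */
    struct model_ssl a = { ST_OK, 0, 0, 1 }, b = a;
    printf("quoted order dropped session: %d\n", clear_as_quoted(&a));
    printf("check-first dropped session:  %d\n", clear_check_first(&b));
    return 0;
}
```
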