Hi,

I am looking into how to best add client session reuse to Squid when
acting as an SSL client. (yes, Squid does SSL these days)

The playfield:

  * A single process
  * Having a large amount of SSL connections to a large amount of
different places (servers), and some predefined places (peers)
  * Each peer may consist of multiple servers (each has a unique
IP:port), optionally with session sharing.
  * Using non-blocking I/O.

The primary goal is to get session reuse for SSL connections to peers,
which should not be too hard it seems.

General session reuse on any initiated SSL connection is also
interesting, but mostly as an exercise for the brain however as there are
not and should not be many users who need a http->https gateway these
days. This should be somewhat like what a browser needs to support in
session reuse for a user browsing several https sites at the same time
with the same browser instance.


I think I have got the SSL_get1_sess and SSL_set_session picture, and
have some kind of idea of how to use this using your own cache
structure. Still need to look into how to correctly manage time-to-live
etc.

But what confuses me is the fact that there is a SSL_SESS_CACHE_CLIENT
session cache mode (SSL_set_session_cache_mode). Can this cache mode be
used to make life easier somehow? I understand it will cache client
sessions, but how to access the cached sessions? And how to find the
correct set of cached sessions among all different sessions used in this
SSL_CTX if the same SSL_CTX is used for connecting to different SSL
servers?


I was thinking that maybe I can use SSL_SESS_CACHE_CLIENT in a manner
like this:

  * Set up application data fields to identify which server connection
the session belongs to (the keys needed to later look up the session
etc, i.e. ip:port).

  * Register an SSL_CTX_sess_set_new_cb to index the cached sessions
using the data set in 1.

  * Use this custom index to find a correct session to reuse. 

  * And the proper application data free callbacks to automatically
deregister the sessions from the index when deleted.


Some other questions regarding SSL sessions:


   * Should the SSL session be reused for multiple concurrent
connections to the same server where possible, or only one connection at
a time?


Regards
Henrik


-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]