>From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
>Sent: Friday, 29 June, 2012 19:37
>Following is the code I used at server side program.
>
>    while (1) {
>        SSL *ssl = SSL_new(ctx);
>        SSL_set_fd(ssl, clientserver[1]);
>        if (SSL_accept(ssl) != 1)
>            break;
>        result.handshakes++;
>        SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN);
>        SSL_free(ssl);
>    }

I presume there's some synchronization, not shown, so the SSL_accept (and
remainder) only executes once a socket connection from the/a client exists.

If this is a single loop as shown and not threaded, you are including
network transmission/latency in your measurement. Unless you care about
performance wrt a single client that does one connection at a time, this
gives inaccurate results; most servers accept multiple connections, usually
from multiple clients, concurrently and can overlap computation with I/O.

>This is the server loop I used to handle the requests from the client.
>Where ctx is configured as follows:
>
>    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_client_certificate);
>    /* Set the verification depth */
>    SSL_CTX_set_verify_depth(ctx, VERIFICATION_DEPTH);
>
>I had to also include the following code:
>
>    int verify_client_certificate(int ok, X509_STORE_CTX* store) {
<snip>

To be exact, you must have a function with those parameter types and
return type. Its *content* can vary if appropriate.

I presume you are also setting the cert/privatekey and truststore (usually
CAfile and/or CApath); without the former in the server no authenticated
suite can proceed, and without the latter in the server, if the client does
auth (i.e. supplies a cert), OpenSSL can't verify and every SSL_accept
(with the verify callback shown) should fail.

>To clarify,
>1. server does use OpenSSL.
>2. Full handshakes are done.

We don't know that from the code shown. SSL_accept can do either a full
or abbreviated handshake; so can SSL_connect.

>3. SSL object is created and [freed] for each handshake.
>Therefore, ideally, session should not be cached. Since I
>am trying to create a new ssl object. There is similar counter
>code at client side.
>Do you see my conclusions right?

Session caching is done at the SSL_CTX level, not the SSL level, so using
new SSL objects doesn't prevent caching. And OpenSSL's default for server
caching is on. However, if your client also uses OpenSSL in a similar way,
that defaults to off, and if so full handshakes are indeed occurring.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org