On Wed, Mar 25, 2015 at 03:32:08PM +, Dr. Stephen Henson wrote:
I am trying to implement server side caching support for sessions by
using callback functions. However, the callback functions are never
being called, even though connection happens successfully without
session resumption. For your reference some of the sample code I am
pasting below:
ssl_session_ctx_id = 1;
SSL_CTX_set_session_id_context (c, (void *)ssl_session_ctx_id, sizeof
(ssl_session_ctx_id));
SSL_CTX_set_session_cache_mode(c, SSL_SESS_CACHE_SERVER |
SSL_SESS_CACHE_NO_INTERNAL);
SSL_CTX_sess_set_new_cb (c, custom_new_session_cb );
SSL_CTX_sess_set_remove_cb (c, custom_remove_session_cb );
SSL_CTX_sess_set_get_cb (c, custom_get_session_cb);
Can somebody kindly help me as to what I am missing out here? What
could be the reason behind the callback functions not being called?
The client could be using session tickets which don't use a session cache. You
can try disabling them by setting SSL_OP_NO_TICKET.
I would NOT recommend disabling session tickets, they are better
than server-side caches.
That said, Postfix supports both, ahd the callbacks are called. See lines
624-669 of:
https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_server.c
--
Viktor.
line 165:
static const char server_session_id_context[] = Postfix/TLS;
lines 624-669:
if (cachable || ticketable || props-set_sessid) {
/*
* Initialize the session cache.
*
* With a large number of concurrent smtpd(8) processes, it is not a
* good idea to cache multiple large session objects in each process.
* We set the internal cache size to 1, and don't register a
* remove_cb so as to avoid deleting good sessions from the
* external cache prematurely (when the internal cache is full,
* OpenSSL removes sessions from the external cache also)!
*
* This makes SSL_CTX_remove_session() not useful for flushing broken
* sessions from the external cache, so we must delete them directly
* (not via a callback).
*
* Set a session id context to identify to what type of server process
* created a session. In our case, the context is simply the name of
* the mail system: Postfix/TLS.
*/
SSL_CTX_sess_set_cache_size(server_ctx, 1);
SSL_CTX_set_session_id_context(server_ctx,
(void *) server_session_id_context,
sizeof(server_session_id_context));
SSL_CTX_set_session_cache_mode(server_ctx,
SSL_SESS_CACHE_SERVER |
SSL_SESS_CACHE_NO_AUTO_CLEAR);
if (cachable) {
app_ctx-cache_type = mystrdup(props-cache_type);
SSL_CTX_sess_set_get_cb(server_ctx, get_server_session_cb);
SSL_CTX_sess_set_new_cb(server_ctx, new_server_session_cb);
}
/*
* OpenSSL ignores timed-out sessions. We need to set the internal
* cache timeout at least as high as the external cache timeout. This
* applies even if no internal cache is used. We set the session
* lifetime to twice the cache lifetime, which is also the issuing
* and retired key validation lifetime of session tickets keys. This
* way a session always lasts longer than the server's ability to
* decrypt its session ticket. Otherwise, a bug in OpenSSL may fail
* to re-issue tickets when sessions decrypt, but are expired.
*/
SSL_CTX_set_timeout(server_ctx, 2 * scache_timeout);
}
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users