I'm building a custom SSL app and want to use session reuse for the
obvious reasons. I've hacked up cli.c (attached below) to more easily
learn openssl etc. The program connects to a server running apache and
the most recent mod_ssl. The interesting thing is that the session isn't
always reused. When the expiry log entry is made, the server gets a cache
miss even though the session id is correct. My sample size is obviously
small, but the behavior is concerning. When I run s_time, the sessions
are mostly reused (240/255) with only a few misses.
I've attached the session cache entries from using cli.c. The entries I
deleted were all normal, i.e. the SSL protocol looked fine.
Any ideas on this odd behavior? Am I missing something in cli.c?
Thanks, Bill
[16/Aug/1999 15:49:10] [info] Init: Created hash-table (250 buckets) in shared memory
(512000 bytes) for SSL session cache
[16/Aug/1999 15:49:10] [trace] Inter-Process Session Cache (SHM) Expiry: old: 0, new:
0, removed: 0
[16/Aug/1999 15:49:31] [trace] Inter-Process Session Cache: request=SET status=OK
id=8214945D194564BC5101B8B012BDC0751FC639C27FE686C2518AF12E15002848 timeout=300s
(session caching)
[16/Aug/1999 15:49:31] [trace] Inter-Process Session Cache: request=GET status=FOUND
id=8214945D194564BC5101B8B012BDC0751FC639C27FE686C2518AF12E15002848 (session reuse)
[16/Aug/1999 15:49:35] [trace] Inter-Process Session Cache: request=SET status=OK
id=4032AC17060B837D42FC3ED537EBC5498096CA45BE6F3615E9AC4132AF071FD2 timeout=299s
(session caching)
[16/Aug/1999 15:49:35] [trace] Inter-Process Session Cache: request=GET status=FOUND
id=4032AC17060B837D42FC3ED537EBC5498096CA45BE6F3615E9AC4132AF071FD2 (session reuse)
[16/Aug/1999 15:50:20] [trace] Inter-Process Session Cache: request=SET status=OK
id=5FA040F98CE97E5E88B524CD7F91CCBD610E1D21720EDB0F0EB905F26621ADB5 timeout=300s
(session caching)
[16/Aug/1999 15:50:20] [trace] Inter-Process Session Cache: request=GET status=FOUND
id=5FA040F98CE97E5E88B524CD7F91CCBD610E1D21720EDB0F0EB905F26621ADB5 (session reuse)
[16/Aug/1999 15:52:06] [trace] Inter-Process Session Cache: request=SET status=OK
id=357587AD769B6E0A5D0FE5BAD590F2E36E80ECB3A5A67C985B3AA2C77BF5B1D3 timeout=300s
(session caching)
[16/Aug/1999 15:52:06] [trace] Inter-Process Session Cache: request=GET status=FOUND
id=357587AD769B6E0A5D0FE5BAD590F2E36E80ECB3A5A67C985B3AA2C77BF5B1D3 (session reuse)
[16/Aug/1999 15:52:09] [trace] Inter-Process Session Cache: request=SET status=OK
id=2C7D6FFA46CC9F57F5E93C59AF2004308C31587F9D0582181957113018D6EF14 timeout=300s
(session caching)
[16/Aug/1999 15:52:09] [trace] Inter-Process Session Cache: request=GET status=FOUND
id=2C7D6FFA46CC9F57F5E93C59AF2004308C31587F9D0582181957113018D6EF14 (session reuse)
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache (SHM) Expiry: old: 5, new:
4, removed: 1
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache: request=SET status=OK
id=BFA93C41699520A907B4C604A1A2AABE93220FE28D2ED1B6FB75428877645C8C timeout=299s
(session caching)
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache (SHM) Expiry: old: 5, new:
5, removed: 0
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache: request=GET status=MISSED
id=BFA93C41699520A907B4C604A1A2AABE93220FE28D2ED1B6FB75428877645C8C (session renewal)
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache: request=SET status=OK
id=3DFEB1F293010D97D93A02E39433133CAE4872510C5DDC361408C756C00095DD timeout=300s
(session caching)
[16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache (SHM) Expiry: old: 7, new:
5, removed: 2
[16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache: request=SET status=OK
id=CFB37682C2CCA86551360F0E01CA83ABC4655A09690026281CB0E24A5C99946A timeout=300s
(session caching)
[16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache (SHM) Expiry: old: 5, new:
5, removed: 0
[16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache: request=GET status=MISSED
id=CFB37682C2CCA86551360F0E01CA83ABC4655A09690026281CB0E24A5C99946A (session renewal)
[16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache: request=SET status=OK
id=CF9AD819FA474ECEF09FA1CE74F0112781188BB042AFB2DF626EC5953F0CE30C timeout=300s
(session caching)
[16/Aug/1999 16:03:20] [trace] Inter-Process Session Cache (SHM) Expiry: old: 7, new:
5, removed: 2
[16/Aug/1999 16:03:20] [trace] Inter-Process Session Cache: request=SET status=OK
id=B4C9319C1F50A00A2E92F296AF75393C247F3A037A47CC1E6BC6A42434B3C790 timeout=300s
(session caching)
[16/Aug/1999 16:03:20] [trace] Inter-Process Session Cache: request=GET status=MISSED
id=B4C9319C1F50A00A2E92F296AF75393C247F3A037A47CC1E6BC6A42434B3C790 (session renewal)
[16/Aug/1999 16:03:21] [trace] Inter-Process Session Cache: request=SET status=OK
id=D5190B883D65214EE31777E78DD0A7DC9850543EF183D5A9EC97956112155095 timeout=299s
(session caching)
[16/Aug/1999 16:03:21] [trace] Inter-Process Session Cache: request=SET status=OK
id=9E2563D5F89B073CA9C5E266975451DF131BE3AAB6CBED908A55B23D5A110389 timeout=300s
(session caching)
[16/Aug/1999 16:03:22] [trace] Inter-Process Session Cache: request=GET status=FOUND
id=9E2563D5F89B073CA9C5E266975451DF131BE3AAB6CBED908A55B23D5A110389 (session reuse)
[16/Aug/1999 16:03:28] [trace] Inter-Process Session Cache (SHM) Expiry: old: 7, new:
4, removed: 3
[16/Aug/1999 16:03:28] [trace] Inter-Process Session Cache: request=SET status=OK
id=7806EE0F98F6F50561069D068277BB3B656A310C85460304D4FB70E0ACC95F74 timeout=300s
(session caching)
[16/Aug/1999 16:03:28] [trace] Inter-Process Session Cache: request=GET status=MISSED
id=7806EE0F98F6F50561069D068277BB3B656A310C85460304D4FB70E0ACC95F74 (session renewal)
[16/Aug/1999 16:03:28] [trace] Inter-Process Session Cache: request=SET status=OK
id=005FB8CD40F44620CC63E9E2827E47F4266698A1B02B18057E58D9343ABE5674 timeout=300s
(session caching)
[16/Aug/1999 16:03:29] [trace] Inter-Process Session Cache: request=SET status=OK
id=6E2F3EE646D9E1AFACF969E7578776347FD315F5C51B6A5BAB8981BAC9A6AD9E timeout=300s
(session caching)
[16/Aug/1999 16:03:29] [trace] Inter-Process Session Cache: request=GET status=FOUND
id=6E2F3EE646D9E1AFACF969E7578776347FD315F5C51B6A5BAB8981BAC9A6AD9E (session reuse)
[16/Aug/1999 16:03:31] [trace] Inter-Process Session Cache: request=SET status=OK
id=5CA4745F69C826850B07AD0FE8BCF42085728F56E0A38910A71ADB497B64D6B0 timeout=299s
(session caching)
[16/Aug/1999 16:03:31] [trace] Inter-Process Session Cache: request=GET status=FOUND
id=5CA4745F69C826850B07AD0FE8BCF42085728F56E0A38910A71ADB497B64D6B0 (session reuse)
[16/Aug/1999 16:03:32] [trace] Inter-Process Session Cache: request=SET status=OK
id=04B8F752BBF88F682B56854A9EF02621E878CB0A4C23216741376A16D3114308 timeout=300s
(session caching)
[16/Aug/1999 16:03:32] [trace] Inter-Process Session Cache: request=GET status=FOUND
id=04B8F752BBF88F682B56854A9EF02621E878CB0A4C23216741376A16D3114308 (session reuse)
[16/Aug/1999 16:32:12] [trace] Inter-Process Session Cache (SHM) Expiry: old: 9, new:
8, removed: 1
[16/Aug/1999 16:32:12] [trace] Inter-Process Session Cache: request=SET status=OK
id=81E2780BFB1207ECA4BC4DEFB66751FF8112B15FEB19AE12C50984D88C7FA615 timeout=300s
(session caching)
[16/Aug/1999 16:32:12] [trace] Inter-Process Session Cache (SHM) Expiry: old: 9, new:
9, removed: 0
[16/Aug/1999 16:32:12] [trace] Inter-Process Session Cache: request=GET status=MISSED
id=81E2780BFB1207ECA4BC4DEFB66751FF8112B15FEB19AE12C50984D88C7FA615 (session renewal)
[16/Aug/1999 16:32:12] [trace] Inter-Process Session Cache: request=SET status=OK
id=9E2F338B4390EFF01CAD7AEEDF4034C258C27FBF7E856D1C561954F21BDB7387 timeout=300s
(session caching)
//cli.c
/* cli.cpp - Minimal ssleay client for Unix
   30.9.1996, Sampo Kellomaki <[EMAIL PROTECTED]> */
/* mangled to work with SSLeay-0.9.0b and OpenSSL 0.9.2b
   Simplified to be even more minimal
   12/98 - 4/99 Wade Scholine <[EMAIL PROTECTED]> */
#include <stdio.h>
#include <stdlib.h>      /* exit() */
#include <string.h>      /* strlen(), memset() */
#include <unistd.h>      /* close() */
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/rsa.h> /* SSLeay stuff */
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/e_os.h>

#define CHK_NULL(x) if ((x)==NULL) exit (1)
#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); \
    printf("CHK_SSL... exiting...\n"); exit(2); }

static int session_id_context = 1; /* anything will do */

/* Called once per certificate in the chain during SSL_connect(). Returning
   `ok` unchanged keeps OpenSSL's own verdict; this callback only prints. */
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
{
    char buf[256];
    X509 *err_cert;
    int err, depth;

    err_cert = X509_STORE_CTX_get_current_cert(ctx);
    err = X509_STORE_CTX_get_error(ctx);
    depth = X509_STORE_CTX_get_error_depth(ctx);

    X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
    printf("depth=%d %s\n", depth, buf);
    if (!ok) {
        printf("ERROR:num=%d:%s\n", err, X509_verify_cert_error_string(err));
    }
    switch (err) {
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
        X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
        printf("issuer= %s\n", buf);
        break;
    case X509_V_ERR_CERT_NOT_YET_VALID:
    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
        printf("notBefore=");
        /* ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert)); */
        printf("\n");
        break;
    case X509_V_ERR_CERT_HAS_EXPIRED:
    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
        printf("notAfter=");
        /* ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert)); */
        printf("\n");
        break;
    }
    if (ok == 1)
        printf("Certificate is OK\n");
    else
        printf("Certificate DOES NOT VERIFY\n");
    return (ok);
}

int main(void)
{
    int err;
    SSL_CTX *ctx;
    SSL *ssl;
    X509 *server_cert;
    char *str;
    char buf[4096];
    SSL_METHOD *meth;
    BIO *conn;

    SSLeay_add_ssl_algorithms();
    meth = SSLv3_client_method();
    SSL_load_error_strings();
    ctx = SSL_CTX_new(meth); CHK_NULL(ctx);
    if (!SSL_CTX_load_verify_locations(ctx, "snakeoil-ca-rsa.crt", (char *)NULL)) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
    SSL_CTX_set_quiet_shutdown(ctx, 1);

    /* FIRST CONNECTION: a connect BIO owns the TCP socket. */
    conn = BIO_new(BIO_s_connect()); CHK_NULL(conn);
    BIO_set_conn_port(conn, "443");
    BIO_set_conn_hostname(conn, "www");

    /* ----------------------------------------------- */
    /* Now we have a TCP connection. Start SSL negotiation. */
    ssl = SSL_new(ctx); CHK_NULL(ssl);
    SSL_set_bio(ssl, conn, conn); /* the SSL object now owns conn */
    err = SSL_connect(ssl); CHK_SSL(err);

    /* Get the cipher - opt */
    printf("SSL connection using %s\n", SSL_get_cipher(ssl));

    /* Get server's certificate (note: beware of dynamic allocation) - opt */
    server_cert = SSL_get_peer_certificate(ssl); CHK_NULL(server_cert);
    printf("Server certificate:\n");
    str = X509_NAME_oneline(X509_get_subject_name(server_cert), 0, 0);
    CHK_NULL(str);
    printf("\t subject: %s\n", str);
    Free(str); /* 0.9.2-era name; later releases call this OPENSSL_free() */
    str = X509_NAME_oneline(X509_get_issuer_name(server_cert), 0, 0);
    CHK_NULL(str);
    printf("\t issuer: %s\n", str);
    Free(str);
    /* We could do all sorts of certificate verification stuff here before
       deallocating the certificate. */
    X509_free(server_cert);

    /* --------------------------------------------------- */
    /* DATA EXCHANGE - Send a message and receive a reply. */
    sprintf(buf, "GET / HTTP/1.0\r\n\r\n");
    err = SSL_write(ssl, buf, strlen(buf)); CHK_SSL(err);
    err = SSL_read(ssl, buf, sizeof(buf) - 1); CHK_SSL(err);
    buf[err] = '\0';
    printf("Got %d chars:'%s'\n", err, buf);

    /* Shutdown: mark the connection as closed on both sides without
       sending close_notify, so the session stays eligible for reuse.
       The socket is closed by hand, so tell the BIO not to close it again
       when SSL_set_bio() replaces it below. */
    SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
    BIO_set_close(conn, BIO_NOCLOSE);
    shutdown(SSL_get_fd(ssl), 2); close(SSL_get_fd(ssl));

    /* SECOND CONNECTION: new socket, same SSL object, same session. */
    conn = BIO_new(BIO_s_connect()); CHK_NULL(conn);
    BIO_set_conn_port(conn, "443");
    BIO_set_conn_hostname(conn, "www");
    SSL_set_connect_state(ssl);
    SSL_set_bio(ssl, conn, conn); /* frees the first BIO */
    err = SSL_connect(ssl); CHK_SSL(err);

    /* --------------------------------------------------- */
    /* DATA EXCHANGE - Send a message and receive a reply. */
    printf("***Session reused: %d\n", SSL_session_reused(ssl));
    memset(buf, 0, sizeof(buf));
    sprintf(buf, "GET /manual/LICENSE HTTP/1.0\r\n\r\n");
    err = SSL_write(ssl, buf, strlen(buf)); CHK_SSL(err);
    err = SSL_read(ssl, buf, sizeof(buf) - 1); CHK_SSL(err);
    buf[err] = '\0';
    printf("Got %d chars:'%s'\n", err, buf);

    /* Shutdown, as above. */
    SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
    BIO_set_close(conn, BIO_NOCLOSE);
    shutdown(SSL_get_fd(ssl), 2); close(SSL_get_fd(ssl));
    printf("***Session reused: %d\n", SSL_session_reused(ssl));

    /* Clean up. SSL_free() also frees the second BIO. */
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return 0;
}
/* EOF - cli.c */
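As an added example (not part of Bill's post, of cli.c, or of mod_ssl), the script below reads a mod_ssl session-cache trace log in the mail-wrapped form shown above, rejoins each entry onto one line, and checks every GET MISSED against the most recent SET for the same session id. A miss whose id was stored less than its own timeout earlier is flagged as an anomaly, and misses that land in the same second as an Expiry run are counted separately, which is the correlation the post describes. The sample log is a constructed excerpt of the entries posted above; the record layout it parses is the one visible in the log, nothing more.

```python
import re
from datetime import datetime

# Constructed sample: a few entries copied from the posted mod_ssl trace log,
# wrapped across lines the way the mailing-list archive shows them.
SAMPLE_LOG = """\
[16/Aug/1999 15:49:31] [trace] Inter-Process Session Cache: request=SET status=OK
id=8214945D194564BC5101B8B012BDC0751FC639C27FE686C2518AF12E15002848 timeout=300s
(session caching)
[16/Aug/1999 15:49:31] [trace] Inter-Process Session Cache: request=GET status=FOUND
id=8214945D194564BC5101B8B012BDC0751FC639C27FE686C2518AF12E15002848 (session reuse)
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache (SHM) Expiry: old: 5, new:
4, removed: 1
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache: request=SET status=OK
id=BFA93C41699520A907B4C604A1A2AABE93220FE28D2ED1B6FB75428877645C8C timeout=299s
(session caching)
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache (SHM) Expiry: old: 5, new:
5, removed: 0
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache: request=GET status=MISSED
id=BFA93C41699520A907B4C604A1A2AABE93220FE28D2ED1B6FB75428877645C8C (session renewal)
"""

TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\]")
CACHE_RE = re.compile(r"request=(SET|GET) status=(\w+) id=([0-9A-F]+)(?: timeout=(\d+)s)?")
EXPIRY_RE = re.compile(r"Expiry: old: (\d+), new: (\d+), removed: (\d+)")


def unwrap(text):
    """Rejoin log records that a mail client wrapped onto several lines.
    A line that starts with a timestamp begins a record; anything else is
    a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_record(rec):
    """Turn one rejoined record into a dict, or None for lines we ignore."""
    ts = datetime.strptime(TS_RE.match(rec).group(1), "%d/%b/%Y %H:%M:%S")
    m = CACHE_RE.search(rec)
    if m:
        op, status, sid, timeout = m.groups()
        return {"ts": ts, "kind": op, "status": status, "id": sid,
                "timeout": int(timeout) if timeout else None}
    m = EXPIRY_RE.search(rec)
    if m:
        old, new, removed = map(int, m.groups())
        return {"ts": ts, "kind": "EXPIRY", "old": old, "new": new, "removed": removed}
    return None


def analyze(text):
    """Count SET/FOUND/MISSED events and flag lookups that should have hit."""
    stored = {}  # session id -> (time of SET, timeout in seconds)
    stats = {"set": 0, "found": 0, "missed": 0, "expired_removed": 0,
             "missed_after_expiry": 0, "anomalies": []}
    last_expiry_ts = None
    for rec in unwrap(text):
        ev = parse_record(rec)
        if ev is None:
            continue
        if ev["kind"] == "SET":
            stats["set"] += 1
            stored[ev["id"]] = (ev["ts"], ev["timeout"])
        elif ev["kind"] == "GET":
            if ev["status"] == "FOUND":
                stats["found"] += 1
                continue
            stats["missed"] += 1
            if last_expiry_ts == ev["ts"]:
                stats["missed_after_expiry"] += 1
            if ev["id"] in stored:
                set_ts, timeout = stored[ev["id"]]
                age = (ev["ts"] - set_ts).total_seconds()
                if age < timeout:  # entry was still inside its timeout
                    stats["anomalies"].append((ev["id"], age, timeout))
        elif ev["kind"] == "EXPIRY":
            stats["expired_removed"] += ev["removed"]
            last_expiry_ts = ev["ts"]
    lookups = stats["found"] + stats["missed"]
    stats["reuse_rate"] = stats["found"] / lookups if lookups else None
    return stats


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("reuse rate: %.2f" % result["reuse_rate"])
    for sid, age, timeout in result["anomalies"]:
        print("MISSED %s... only %.0fs after SET (timeout %ds)" % (sid[:8], age, timeout))
```

Run it against a full trace log (`python3 cachecheck.py < ssl_engine_log`, after changing the script to read stdin) to separate ordinary expiry misses from the ones the post is about: an id that was SET moments earlier, survived the Expiry run according to the counters, and still MISSED on lookup.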
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]