I'm building a custom SSL app and want to use session reuse for the obvious reasons. I've hacked up cli.c (attached below) to more easily learn openssl etc. The program connects to a server running apache and the most recent mod_ssl. The interesting thing is that the session isn't always reused. When the expiry log entry is made, the server gets a cache miss even though the session id is correct. My sample size is obviously small, but the behavior is concerning. When I run s_time, the sessions are mostly reused (240/255) with only a few misses. I've attached the session cache entries from using cli.c. The entries I deleted were all normal, i.e. the SSL protocol looked fine. Any ideas on this odd behavior? Am I missing something in cli.c? Thanks, Bill [16/Aug/1999 15:49:10] [info] Init: Created hash-table (250 buckets) in shared memory (512000 bytes) for SSL session cache [16/Aug/1999 15:49:10] [trace] Inter-Process Session Cache (SHM) Expiry: old: 0, new: 0, removed: 0 [16/Aug/1999 15:49:31] [trace] Inter-Process Session Cache: request=SET status=OK id=8214945D194564BC5101B8B012BDC0751FC639C27FE686C2518AF12E15002848 timeout=300s (session caching) [16/Aug/1999 15:49:31] [trace] Inter-Process Session Cache: request=GET status=FOUND id=8214945D194564BC5101B8B012BDC0751FC639C27FE686C2518AF12E15002848 (session reuse) [16/Aug/1999 15:49:35] [trace] Inter-Process Session Cache: request=SET status=OK id=4032AC17060B837D42FC3ED537EBC5498096CA45BE6F3615E9AC4132AF071FD2 timeout=299s (session caching) [16/Aug/1999 15:49:35] [trace] Inter-Process Session Cache: request=GET status=FOUND id=4032AC17060B837D42FC3ED537EBC5498096CA45BE6F3615E9AC4132AF071FD2 (session reuse) [16/Aug/1999 15:50:20] [trace] Inter-Process Session Cache: request=SET status=OK id=5FA040F98CE97E5E88B524CD7F91CCBD610E1D21720EDB0F0EB905F26621ADB5 timeout=300s (session caching) [16/Aug/1999 15:50:20] [trace] Inter-Process Session Cache: request=GET status=FOUND id=5FA040F98CE97E5E88B524CD7F91CCBD610E1D21720EDB0F0EB905F26621ADB5 (session reuse) [16/Aug/1999 15:52:06] [trace] Inter-Process Session Cache: request=SET status=OK id=357587AD769B6E0A5D0FE5BAD590F2E36E80ECB3A5A67C985B3AA2C77BF5B1D3 timeout=300s (session caching) [16/Aug/1999 15:52:06] [trace] Inter-Process Session Cache: request=GET status=FOUND id=357587AD769B6E0A5D0FE5BAD590F2E36E80ECB3A5A67C985B3AA2C77BF5B1D3 (session reuse) [16/Aug/1999 15:52:09] [trace] Inter-Process Session Cache: request=SET status=OK id=2C7D6FFA46CC9F57F5E93C59AF2004308C31587F9D0582181957113018D6EF14 timeout=300s (session caching) [16/Aug/1999 15:52:09] [trace] Inter-Process Session Cache: request=GET status=FOUND id=2C7D6FFA46CC9F57F5E93C59AF2004308C31587F9D0582181957113018D6EF14 (session reuse) [16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache (SHM) Expiry: old: 5, new: 4, removed: 1 [16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache: request=SET status=OK id=BFA93C41699520A907B4C604A1A2AABE93220FE28D2ED1B6FB75428877645C8C timeout=299s (session caching) [16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache (SHM) Expiry: old: 5, new: 5, removed: 0 [16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache: request=GET status=MISSED id=BFA93C41699520A907B4C604A1A2AABE93220FE28D2ED1B6FB75428877645C8C (session renewal) [16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache: request=SET status=OK id=3DFEB1F293010D97D93A02E39433133CAE4872510C5DDC361408C756C00095DD timeout=300s (session caching) [16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache (SHM) Expiry: old: 7, new: 5, removed: 2 [16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache: request=SET status=OK id=CFB37682C2CCA86551360F0E01CA83ABC4655A09690026281CB0E24A5C99946A timeout=300s (session caching) [16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache (SHM) Expiry: old: 5, new: 5, removed: 0 [16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache: request=GET status=MISSED id=CFB37682C2CCA86551360F0E01CA83ABC4655A09690026281CB0E24A5C99946A (session renewal) [16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache: request=SET status=OK id=CF9AD819FA474ECEF09FA1CE74F0112781188BB042AFB2DF626EC5953F0CE30C timeout=300s (session caching) [16/Aug/1999 16:03:20] [trace] Inter-Process Session Cache (SHM) Expiry: old: 7, new: 5, removed: 2 [16/Aug/1999 16:03:20] [trace] Inter-Process Session Cache: request=SET status=OK id=B4C9319C1F50A00A2E92F296AF75393C247F3A037A47CC1E6BC6A42434B3C790 timeout=300s (session caching) [16/Aug/1999 16:03:20] [trace] Inter-Process Session Cache: request=GET status=MISSED id=B4C9319C1F50A00A2E92F296AF75393C247F3A037A47CC1E6BC6A42434B3C790 (session renewal) [16/Aug/1999 16:03:21] [trace] Inter-Process Session Cache: request=SET status=OK id=D5190B883D65214EE31777E78DD0A7DC9850543EF183D5A9EC97956112155095 timeout=299s (session caching) [16/Aug/1999 16:03:21] [trace] Inter-Process Session Cache: request=SET status=OK id=9E2563D5F89B073CA9C5E266975451DF131BE3AAB6CBED908A55B23D5A110389 timeout=300s (session caching) [16/Aug/1999 16:03:22] [trace] Inter-Process Session Cache: request=GET status=FOUND id=9E2563D5F89B073CA9C5E266975451DF131BE3AAB6CBED908A55B23D5A110389 (session reuse) [16/Aug/1999 16:03:28] [trace] Inter-Process Session Cache (SHM) Expiry: old: 7, new: 4, removed: 3 [16/Aug/1999 16:03:28] [trace] Inter-Process Session Cache: request=SET status=OK id=7806EE0F98F6F50561069D068277BB3B656A310C85460304D4FB70E0ACC95F74 timeout=300s (session caching) [16/Aug/1999 16:03:28] [trace] Inter-Process Session Cache: request=GET status=MISSED id=7806EE0F98F6F50561069D068277BB3B656A310C85460304D4FB70E0ACC95F74 (session renewal) [16/Aug/1999 16:03:28] [trace] Inter-Process Session Cache: request=SET status=OK id=005FB8CD40F44620CC63E9E2827E47F4266698A1B02B18057E58D9343ABE5674 timeout=300s (session caching) [16/Aug/1999 16:03:29] [trace] Inter-Process Session Cache: request=SET status=OK id=6E2F3EE646D9E1AFACF969E7578776347FD315F5C51B6A5BAB8981BAC9A6AD9E timeout=300s (session caching) [16/Aug/1999 16:03:29] [trace] Inter-Process Session Cache: request=GET status=FOUND id=6E2F3EE646D9E1AFACF969E7578776347FD315F5C51B6A5BAB8981BAC9A6AD9E (session reuse) [16/Aug/1999 16:03:31] [trace] Inter-Process Session Cache: request=SET status=OK id=5CA4745F69C826850B07AD0FE8BCF42085728F56E0A38910A71ADB497B64D6B0 timeout=299s (session caching) [16/Aug/1999 16:03:31] [trace] Inter-Process Session Cache: request=GET status=FOUND id=5CA4745F69C826850B07AD0FE8BCF42085728F56E0A38910A71ADB497B64D6B0 (session reuse) [16/Aug/1999 16:03:32] [trace] Inter-Process Session Cache: request=SET status=OK id=04B8F752BBF88F682B56854A9EF02621E878CB0A4C23216741376A16D3114308 timeout=300s (session caching) [16/Aug/1999 16:03:32] [trace] Inter-Process Session Cache: request=GET status=FOUND id=04B8F752BBF88F682B56854A9EF02621E878CB0A4C23216741376A16D3114308 (session reuse) [16/Aug/1999 16:32:12] [trace] Inter-Process Session Cache (SHM) Expiry: old: 9, new: 8, removed: 1 [16/Aug/1999 16:32:12] [trace] Inter-Process Session Cache: request=SET status=OK id=81E2780BFB1207ECA4BC4DEFB66751FF8112B15FEB19AE12C50984D88C7FA615 timeout=300s (session caching) [16/Aug/1999 16:32:12] [trace] Inter-Process Session Cache (SHM) Expiry: old: 9, new: 9, removed: 0 [16/Aug/1999 16:32:12] [trace] Inter-Process Session Cache: request=GET status=MISSED id=81E2780BFB1207ECA4BC4DEFB66751FF8112B15FEB19AE12C50984D88C7FA615 (session renewal) [16/Aug/1999 16:32:12] [trace] Inter-Process Session Cache: request=SET status=OK id=9E2F338B4390EFF01CAD7AEEDF4034C258C27FBF7E856D1C561954F21BDB7387 timeout=300s (session caching) //cli.c /* cli.cpp - Minimal ssleay client for Unix 30.9.1996, Sampo Kellomaki <[EMAIL PROTECTED]> */ /* mangled to work with SSLeay-0.9.0b and OpenSSL 0.9.2b Simplified to be even more minimal 12/98 - 4/99 Wade Scholine <[EMAIL PROTECTED]> */ #include <stdio.h> #include <memory.h> #include <errno.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <openssl/rsa.h> /* SSLeay stuff */ #include <openssl/crypto.h> #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/e_os.h> #define CHK_NULL(x) if ((x)==NULL) exit (1) #define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); } #define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); \ printf("CHK_SSL... exiting...\n"); exit(2); } static int session_id_context = 1; /* anything will do */ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { char buf[256]; X509 *err_cert; int err,depth; int verify_depth = 1; int verify_error; err_cert = X509_STORE_CTX_get_current_cert(ctx); err = X509_STORE_CTX_get_error(ctx); depth = X509_STORE_CTX_get_error_depth(ctx); X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256); printf("depth=%d %s\n",depth,buf); if (!ok) { printf("ERROR:num=%d:%s\n",err,X509_verify_cert_error_string(err)); } switch (ctx->error) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256); printf("issuer= %s\n",buf); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: printf("notBefore="); /* ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert));*/ printf("\n"); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: printf("notAfter="); /* ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); */ printf("\n"); break; } if (ok==1) printf("Certificate is OK\n"); else printf("Certificate DOES NOT VERIFY\n"); return(ok); } int main () { int err; int sd; struct sockaddr_in sa; SSL_CTX* ctx; SSL* ssl; //SSL* ssl2; X509* server_cert; char* str; char buf [4096]; SSL_METHOD *meth; BIO *conn; SSLeay_add_ssl_algorithms(); meth = SSLv3_client_method(); SSL_load_error_strings(); ctx = SSL_CTX_new (meth); CHK_NULL(ctx); SSL_CTX_load_verify_locations(ctx,"snakeoil-ca-rsa.crt",(char *)NULL); SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,verify_callback); SSL_CTX_set_quiet_shutdown(ctx,1); // Do it with a BIO conn = BIO_new(BIO_s_connect()); if (conn == NULL) return -1; BIO_set_conn_port(conn, "443"); BIO_set_conn_hostname(conn, "www"); /* ----------------------------------------------- */ /* Now we have TCP conncetion. Start SSL negotiation. */ ssl = SSL_new (ctx); CHK_NULL(ssl); SSL_set_bio(ssl, conn, conn); // BIO way err = SSL_connect (ssl); CHK_SSL(err); /* Get the cipher - opt */ printf ("SSL connection using %s\n", SSL_get_cipher (ssl)); /* Get server's certificate (note: beware of dynamic allocation) - opt */ server_cert = SSL_get_peer_certificate (ssl); CHK_NULL(server_cert); printf ("Server certificate:\n"); str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0); CHK_NULL(str); printf ("\t subject: %s\n", str); Free (str); str = X509_NAME_oneline (X509_get_issuer_name (server_cert),0,0); CHK_NULL(str); printf ("\t issuer: %s\n", str); Free (str); /* We could do all sorts of certificate verification stuff here before deallocating the certificate. */ X509_free (server_cert); /* --------------------------------------------------- */ /* DATA EXCHANGE - Send a message and receive a reply. */ sprintf(buf, "GET / HTTP/1.0\r\n\r\n"); err = SSL_write (ssl, buf, strlen(buf)); CHK_SSL(err); err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err); buf[err] = '\0'; printf ("Got %d chars:'%s'\n", err, buf); // Shutdown SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); shutdown(SSL_get_fd(ssl), 2); close(SSL_get_fd(ssl)); // SECOND CONNECTION ////////////////////////////////////////////// // Do it with a BIO conn = BIO_new(BIO_s_connect()); if (conn == NULL) return -1; BIO_set_conn_port(conn, "443"); BIO_set_conn_hostname(conn, "www"); SSL_set_connect_state(ssl); SSL_set_bio(ssl, conn, conn); SSL_connect(ssl); /* --------------------------------------------------- */ /* DATA EXCHANGE - Send a message and receive a reply. */ printf("***Session reused: %d\n", SSL_session_reused(ssl)); memset(buf, 0, sizeof(buf)); sprintf(buf, "GET /manual/LICENSE HTTP/1.0\r\n\r\n"); err = SSL_write (ssl, buf, strlen(buf)); CHK_SSL(err); err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err); buf[err] = '\0'; printf ("Got %d chars:'%s'\n", err, buf); // Shutdown SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); shutdown (SSL_get_fd(ssl), 2); close(SSL_get_fd(ssl)); printf("***Session reused: %d\n", SSL_session_reused(ssl)); /* Clean up. */ close (sd); SSL_free (ssl); SSL_CTX_free (ctx); } /* EOF - cli.c */ ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]