On Thu, 5 Mar 1998, Anthony Moran wrote:
> I need some help understanding this. In SSLeay-0.8.1, why does
> SSL_free() call ssl_clear_bad_session()? Why is the session being
> removed from the cache instead of just being freed?
If you look inside ssl_clear_bad_session
int ssl_clear_bad_session(s)
SSL *s;
{
if ( (s->session != NULL) &&
!(s->shutdown & SSL_SENT_SHUTDOWN) &&
!(SSL_in_init(s) || SSL_in_before(s)))
{
SSL_CTX_remove_session(s->ctx,s->session);
return(1);
}
else
return(0);
}
You will see that ssl_clear_bad_session(), does a check first.
If you have not done a SSL_shutdown(), the session cannot be reused.
If you have, it can.
> Here is the section of SSL_free()
> /* Make the next call work :-) */
> if (s->session != NULL)
> {
> ssl_clear_bad_session(s);
> SSL_SESSION_free(s->session);
> }
The SSL_SESSION_free() is needed since it will just decrement the
SSL_SESSION reference count if it is also being help in caches elsewhere.
If it is not, then it will be free()ed.
eric
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/ |
+-------------------------------------------------------------------------+
