[openssl-users] Confused about client side session caching

Matt Caswell matt at openssl.org
Fri Jun 8 08:03:25 UTC 2018



On 07/06/18 19:48, Angus Robertson - Magenta Systems Ltd wrote:
> I'm reading the TLSv1.3 notes that suggest SSL_CTX_sess_set_get_cb is
> called for both clients and servers, but am confused by the
> documentation. 
> 

The get_session_cb is only ever called for servers. The new_session_cb
and remove_session_cb can be called for clients and servers.

When you refer to the "TLSv1.3 notes" do you mean this page?
https://wiki.openssl.org/index.php/TLS1.3

I couldn't see anywhere on there that suggests that get_session_cb is
called on clients.

> The 1.1.1 manual page still starts 'provide callback functions for
> server side external session caching' with no mention of clients.   

Ah, good point. That needs fixing. As I said above the new_session_cb
and remove_session_cb can be called for clients.

> 
> I'm updating code that supports 1.0.2 to 1.1.1 for external session
> caching, for clients and servers, so particularly interested when
> client session callbacks arrived.  
> 
> The TLSv1.3 notes suggest the callback worked for clients in 1.1.0, a
> quick test suggests it actually gets called in 1.0.2 as well.  Is this
> correct? 

I think new_session_cb and remove_session_cb should work in 1.0.2 on
clients.

> Has OpenSSL internal session caching improved over the years so that
> external caching is no longer necessary?  

Not much has changed here. It was never "necessary" on the server side -
but of course it depends on what you are trying to do and whether it is
appropriate for your needs. Client side caching is a bit more "limited"
in its usefulness :-)

Matt

