Contract of d2i_SSL_SESSION ?

Jesper Pedersen jesper.pedersen at redhat.com
Thu Dec 16 11:42:59 UTC 2021


Hi Matt,

On 12/16/21 06:30, Matt Caswell wrote:
>> Yes, it is basically a resume I'm looking for - as the SSL_SESSION 
>> won't be active in "Process 1" after i2d_SSL_SESSION; the process dies.
> 
> So, if it's a resume you are attempting to achieve it's unclear to me what 
> you wrote about transferring the socket descriptor to the parent 
> process. Since a resumption is effectively creating a new connection it 
> is normally on a completely new fd.
> 

This is for a connection pool that caches connections to PostgreSQL -- 
this use-case is connections using TLS v1.2.

"Process 1" is triggered by a client which opens a TLS connection to 
PostgreSQL, authenticates and uses the connection.

As the socket descriptor was created in the child process it needs to be 
transferred to the parent in order to be valid for future processes.

Then the connection is put back in the pool; the server side isn't 
closed, and all the state is cached in shared memory for the next client 
to use.

So, a resume on the client side linking up against the existing server side.

This is strictly about being able to reuse an existing TLS connection, 
because if I disable caching of connections using TLS everything is 
working - but not much of a connection pool then.

Best regards,
  Jesper


