[openssl-users] Regarding server side sessions support
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Mar 25 16:46:37 UTC 2015
On Wed, Mar 25, 2015 at 03:32:08PM +0000, Dr. Stephen Henson wrote:
> > I am trying to implement server side caching support for sessions by
> > using callback functions. However, the callback functions are never
> > being called, even though connection happens successfully without
> > session resumption. For your reference some of the sample code I am
> > pasting below:
> >
> > ssl_session_ctx_id = 1;
> > SSL_CTX_set_session_id_context(c, (void *)&ssl_session_ctx_id, sizeof(ssl_session_ctx_id));
> > SSL_CTX_set_session_cache_mode(c, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL);
> > SSL_CTX_sess_set_new_cb(c, custom_new_session_cb);
> > SSL_CTX_sess_set_remove_cb(c, custom_remove_session_cb);
> > SSL_CTX_sess_set_get_cb(c, custom_get_session_cb);
> >
> >
> > Can somebody kindly help me as to what I am missing out here? What
> > could be the reason behind the callback functions not being called?
>
> The client could be using session tickets which don't use a session cache. You
> can try disabling them by setting SSL_OP_NO_TICKET.
I would NOT recommend disabling session tickets; they are better
than server-side caches.
That said, Postfix supports both, and the callbacks are called. See lines
624-669 of:
https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_server.c
--
Viktor.
line 165:

    static const char server_session_id_context[] = "Postfix/TLS";

lines 624-669:

    if (cachable || ticketable || props->set_sessid) {
        /*
         * Initialize the session cache.
         *
         * With a large number of concurrent smtpd(8) processes, it is not a
         * good idea to cache multiple large session objects in each process.
         * We set the internal cache size to 1, and don't register a
         * "remove_cb" so as to avoid deleting good sessions from the
         * external cache prematurely (when the internal cache is full,
         * OpenSSL removes sessions from the external cache also)!
         *
         * This makes SSL_CTX_remove_session() not useful for flushing broken
         * sessions from the external cache, so we must delete them directly
         * (not via a callback).
         *
         * Set a session id context to identify to what type of server process
         * created a session. In our case, the context is simply the name of
         * the mail system: "Postfix/TLS".
         */
        SSL_CTX_sess_set_cache_size(server_ctx, 1);
        SSL_CTX_set_session_id_context(server_ctx,
                                       (void *) &server_session_id_context,
                                       sizeof(server_session_id_context));
        SSL_CTX_set_session_cache_mode(server_ctx,
                                       SSL_SESS_CACHE_SERVER |
                                       SSL_SESS_CACHE_NO_AUTO_CLEAR);
        if (cachable) {
            app_ctx->cache_type = mystrdup(props->cache_type);
            SSL_CTX_sess_set_get_cb(server_ctx, get_server_session_cb);
            SSL_CTX_sess_set_new_cb(server_ctx, new_server_session_cb);
        }

        /*
         * OpenSSL ignores timed-out sessions. We need to set the internal
         * cache timeout at least as high as the external cache timeout. This
         * applies even if no internal cache is used. We set the session
         * lifetime to twice the cache lifetime, which is also the issuing
         * and retired key validation lifetime of session tickets keys. This
         * way a session always lasts longer than the server's ability to
         * decrypt its session ticket. Otherwise, a bug in OpenSSL may fail
         * to re-issue tickets when sessions decrypt, but are expired.
         */
        SSL_CTX_set_timeout(server_ctx, 2 * scache_timeout);
    }
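The two pitfalls the Postfix comment above calls out (a registered remove_cb deleting good sessions from the external cache whenever the size-1 internal cache evicts, and an SSL_CTX timeout shorter than the external cache lifetime making OpenSSL discard sessions the cache still returns) are easier to see in a small model than in a live handshake. The following is an added example, not OpenSSL or Postfix code: it models only the cache bookkeeping (an "internal" fixed-size cache beside an "external" cache reached through new/get/remove callbacks), with constructed session ids instead of real handshakes, and it assumes OpenSSL's eviction behaviour is exactly what the Postfix comment describes. Session tickets, which bypass the cache entirely as noted earlier in the thread, are outside this model.

```c
/* Model of the server-side session-cache interaction discussed in the
 * thread.  Added example, not OpenSSL or Postfix code; ids and times are
 * constructed.  Assumption: a full internal cache evicts through remove_cb,
 * which deletes from the external cache too (per the Postfix comment). */
#include <stdio.h>
#include <string.h>

#define ID_LEN     8
#define EXT_SLOTS  16
#define INT_SLOTS  4

/* External (shared) cache entry; a real one would hold the
 * i2d_SSL_SESSION() blob, only id and creation time matter here. */
typedef struct { int used; unsigned char id[ID_LEN]; long created_at; } ext_entry;

typedef struct {
    ext_entry slot[EXT_SLOTS];
    long ttl;       /* external lifetime, Postfix's scache_timeout */
    int removes;    /* how often remove_cb fired, for inspection */
} ext_cache;

/* Per-process side: internal cache plus the SSL_CTX settings modelled. */
typedef struct {
    unsigned char id[INT_SLOTS][ID_LEN];
    int used[INT_SLOTS];
    int size;       /* SSL_CTX_sess_set_cache_size() */
    int victim;     /* next internal slot reused when full */
    long timeout;   /* SSL_CTX_set_timeout() */
    int remove_cb;  /* 1 if SSL_CTX_sess_set_remove_cb() was called */
    ext_cache *ext;
} server_ctx;

static int ext_find(const ext_cache *c, const unsigned char *id) {
    int i;
    for (i = 0; i < EXT_SLOTS; i++)
        if (c->slot[i].used && memcmp(c->slot[i].id, id, ID_LEN) == 0) return i;
    return -1;
}

/* new_cb analogue: store the freshly created session. */
static void ext_new_cb(ext_cache *c, const unsigned char *id, long now) {
    int i;
    for (i = 0; i < EXT_SLOTS; i++)
        if (!c->slot[i].used) {
            c->slot[i].used = 1; memcpy(c->slot[i].id, id, ID_LEN);
            c->slot[i].created_at = now; return;
        }
}

/* get_cb analogue: hand back the session only while the external ttl holds. */
static int ext_get_cb(const ext_cache *c, const unsigned char *id, long now,
                      long *created_at) {
    int i = ext_find(c, id);
    if (i < 0 || now >= c->slot[i].created_at + c->ttl) return 0;
    *created_at = c->slot[i].created_at;
    return 1;
}

/* remove_cb analogue: the callback Postfix deliberately does not register. */
static void ext_remove_cb(ext_cache *c, const unsigned char *id) {
    int i = ext_find(c, id);
    if (i >= 0) { c->slot[i].used = 0; c->removes++; }
}

int ext_count(const ext_cache *c) {
    int i, n = 0;
    for (i = 0; i < EXT_SLOTS; i++) n += c->slot[i].used;
    return n;
}

/* Session creation under SSL_SESS_CACHE_SERVER: new_cb first, then the
 * internal cache; when that is full the victim goes through remove_cb. */
void ctx_session_created(server_ctx *ctx, const unsigned char *id, long now) {
    int i;
    ext_new_cb(ctx->ext, id, now);
    for (i = 0; i < ctx->size; i++) if (!ctx->used[i]) break;
    if (i == ctx->size) {                       /* internal cache full */
        i = ctx->victim;
        ctx->victim = (ctx->victim + 1) % ctx->size;
        if (ctx->remove_cb) ext_remove_cb(ctx->ext, ctx->id[i]);
    }
    memcpy(ctx->id[i], id, ID_LEN);
    ctx->used[i] = 1;
}

/* Resumption in a fresh process (no internal copy): get_cb, then OpenSSL's
 * own rule that a session older than the ctx timeout is ignored. */
int ctx_can_resume(server_ctx *ctx, const unsigned char *id, long now) {
    long created_at;
    if (!ext_get_cb(ctx->ext, id, now, &created_at)) return 0;
    return now < created_at + ctx->timeout;
}

static const unsigned char SESS_A[ID_LEN] = {1,1,1,1,1,1,1,1};  /* constructed */
static const unsigned char SESS_B[ID_LEN] = {2,2,2,2,2,2,2,2};  /* constructed */

/* Internal cache of size 1, two sessions: how many survive externally? */
int scenario_internal_size_one(int register_remove_cb) {
    ext_cache ext; server_ctx ctx;
    memset(&ext, 0, sizeof ext); memset(&ctx, 0, sizeof ctx);
    ext.ttl = 3600; ctx.size = 1; ctx.timeout = 7200;
    ctx.remove_cb = register_remove_cb; ctx.ext = &ext;
    ctx_session_created(&ctx, SESS_A, 1000);
    ctx_session_created(&ctx, SESS_B, 1001);
    return ext_count(&ext);
}

/* Session created at t=1000; can it be resumed at `now` for this pairing
 * of SSL_CTX_set_timeout() value and external ttl? */
int scenario_resume(long timeout, long ttl, long now) {
    ext_cache ext; server_ctx ctx;
    memset(&ext, 0, sizeof ext); memset(&ctx, 0, sizeof ctx);
    ext.ttl = ttl; ctx.size = 1; ctx.timeout = timeout; ctx.ext = &ext;
    ctx_session_created(&ctx, SESS_A, 1000);
    return ctx_can_resume(&ctx, SESS_A, now);
}

int main(void) {
    printf("external entries without remove_cb: %d\n", scenario_internal_size_one(0));
    printf("external entries with remove_cb:    %d\n", scenario_internal_size_one(1));
    printf("timeout 600 < ttl 3600, resume at +1800: %d\n", scenario_resume(600, 3600, 2800));
    printf("timeout 7200 (2*ttl), resume at +1800:   %d\n", scenario_resume(7200, 3600, 2800));
    printf("timeout 7200, resume at +3600 (expired):  %d\n", scenario_resume(7200, 3600, 4600));
    return 0;
}
```

The second scenario is the reason for SSL_CTX_set_timeout(server_ctx, 2 * scache_timeout): with a timeout below the external ttl, get_cb still returns the session but OpenSSL refuses it, so the external cache is doing work that never results in a resumed connection.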